From: Linus Torvalds
Date: Fri, 10 Sep 2021 12:17:40 -0700
Subject: Re: [patch 9/9] mm/vmalloc: add __alloc_size attributes for better bounds checking
To: Kees Cook
Cc: Andrew Morton, apw@canonical.com, Christoph Lameter, Daniel Micay, Dennis Zhou, dwaipayanray1@gmail.com, Joonsoo Kim, Joe Perches, Linux-MM, Lukas Bulwahn, mm-commits@vger.kernel.org, Nathan Chancellor, Nick Desaulniers, Miguel Ojeda, Pekka Enberg, David Rientjes, Tejun Heo, Vlastimil Babka

On Fri, Sep 10, 2021 at 11:43 AM Kees Cook wrote:
>
> I had originally set out to do that, but the problem with merging with
> __malloc is the bit in the docs about "and that the memory has undefined
> content". So we can't do that for kmalloc() in the face of GFP_ZERO, as
> well as a bunch of other helpers. I always get suspicious about "this
> will improve optimization because we depend on claiming something is
> 'undefined'". :|

Oh, I had entirely missed that historical subtlety of __malloc.

Yeah, that would have been absolutely horrible. But it's not actually
really true.

It seems that the gcc people actually realized the problem, and fixed
the documentation:

  "Attribute malloc indicates that a function is malloc-like, i.e.,
   that the pointer P returned by the function cannot alias any other
   pointer valid when the function returns, and moreover no pointers to
   valid objects occur in any storage addressed by P. In addition, the
   GCC predicts that a function with the attribute returns non-null in
   most cases"

IOW, it is purely about aliasing guarantees. Basically the guarantee
is that the memory that a "malloc" function returns can not alias
(directly or indirectly) any other allocations.

See

   https://gcc.gnu.org/onlinedocs/gcc-11.2.0/gcc/Common-Function-Attributes.html#Common-Function-Attributes

So I think it's ok, and your reaction was entirely correct, but came
from looking at old documentation.

             Linus
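Added example, not part of the original message and not kernel code: a userspace sketch of a zeroing allocator carrying both the malloc and alloc_size attributes, with a FORTIFY-style copy that uses the size the compiler derives from alloc_size. The names zalloc_demo, KNOWN_SIZE, copy_bounded and demo are hypothetical, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a zeroing allocator (the thread's kmalloc()
 * with GFP_ZERO case). "malloc" promises only that the result aliases
 * nothing else; "alloc_size(1)" says argument 1 is the object size. */
__attribute__((malloc, alloc_size(1), noinline))
static void *zalloc_demo(size_t size)
{
	return calloc(1, size);
}

/* Size the compiler derived for dst, or (size_t)-1 when it cannot tell
 * (typically unoptimised builds). */
#define KNOWN_SIZE(dst) __builtin_object_size((dst), 0)

/* FORTIFY-style copy: the limit is the compiler-derived size when there
 * is one, otherwise the caller-supplied fallback. */
static int copy_bounded(void *dst, size_t known, size_t fallback,
			const void *src, size_t n)
{
	size_t limit = (known != (size_t)-1) ? known : fallback;

	if (n > limit)
		return -1;	/* would write past the allocation */
	memcpy(dst, src, n);
	return 0;
}

/* Returns 1 when the zeroed contents are visible, an in-bounds copy
 * succeeds and an oversized copy is refused. */
static int demo(void)
{
	static const char src[32] = "constructed sample input";
	unsigned char *p = zalloc_demo(16);
	int ok;

	if (!p)
		return 0;
	ok = p[0] == 0 && p[15] == 0;
	ok = ok && (KNOWN_SIZE(p) == 16 || KNOWN_SIZE(p) == (size_t)-1);
	ok = ok && copy_bounded(p, KNOWN_SIZE(p), 16, src, 16) == 0;
	ok = ok && copy_bounded(p, KNOWN_SIZE(p), 16, src, 32) == -1;
	free(p);
	return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

With optimisation enabled, KNOWN_SIZE(p) evaluates to 16 because of alloc_size(1); without it the builtin reports "unknown" and the fallback limit applies.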