From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4E7FC6FA82 for ; Wed, 28 Sep 2022 07:26:33 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 67F498E012D; Wed, 28 Sep 2022 03:26:33 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 62E838E0120; Wed, 28 Sep 2022 03:26:33 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4F7F98E012D; Wed, 28 Sep 2022 03:26:33 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 3E3048E0120 for ; Wed, 28 Sep 2022 03:26:33 -0400 (EDT) Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 0FDCD1A070A for ; Wed, 28 Sep 2022 07:26:33 +0000 (UTC) X-FDA: 79960661466.14.AD403BF Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by imf09.hostedemail.com (Postfix) with ESMTP id 84B08140004 for ; Wed, 28 Sep 2022 07:26:31 +0000 (UTC) Received: by mail-qv1-f51.google.com with SMTP id i15so7655769qvp.5 for ; Wed, 28 Sep 2022 00:26:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date; bh=qLaRR+atoHoSJaoPeYCH+z3TJyk6r6Xbl1EdBW345pA=; b=7tNRYueEFyWaSqSxl8towXXaVTm0XaDuhy7PgFkt1jNH6dc/PbDHyuMsezzexAK2iu DKzUd5konwQc5Qp+1NxHqKuz2lH++Dqeu6GPsAwcMkgamEdJe0yFipwoeAAiLusHOsjX MqQfwstch+Za+pOtKOYp5P8rWGOaFsts5Fvx7qSmDfOl9I3tMzM3QW3oSOk69TN0SVdw JJw4X4CSlfIIYVQzJ/J+e2ScoFfSSBd+bbL34brScRDhNcZ/apPr4y1z+wfWLqDYuc3j EgchmED53AW3zZKvLT+3Up5x91l1YaVICfy/+eGnjaVlZgsxg0sLKUQDAuImQuqtnRdb zwCA== X-Gm-Message-State: ACrzQf1wUSRc67nJm+BYp3sD4+9p9nViJMeWbJ7ozwtvvPXT/d6heII3 Y8+LfOKXOXEk23YtKv52Nbma3I8S7wgQAQ== X-Google-Smtp-Source: AMsMyM6ce1lF83TnmHQK184FPs2OqZZpnAnQq+Ww96AuuLQ+q9Fu/PIS850md2p67qi8cM0RwStu3w== X-Received: by 2002:a05:6214:e4c:b0:4ac:f069:da4 with SMTP id o12-20020a0562140e4c00b004acf0690da4mr24620803qvc.80.1664349990559; Wed, 28 Sep 2022 00:26:30 -0700 (PDT) Received: from mail-yw1-f176.google.com (mail-yw1-f176.google.com. [209.85.128.176]) by smtp.gmail.com with ESMTPSA id l19-20020ac84593000000b003437a694049sm2362039qtn.96.2022.09.28.00.26.27 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Sep 2022 00:26:28 -0700 (PDT) Received: by mail-yw1-f176.google.com with SMTP id 00721157ae682-3321c2a8d4cso122199227b3.5 for ; Wed, 28 Sep 2022 00:26:27 -0700 (PDT) X-Received: by 2002:a81:758a:0:b0:345:450b:6668 with SMTP id q132-20020a81758a000000b00345450b6668mr28433710ywc.316.1664349987412; Wed, 28 Sep 2022 00:26:27 -0700 (PDT) MIME-Version: 1.0 References: <20220923202822.2667581-1-keescook@chromium.org> <20220923202822.2667581-2-keescook@chromium.org> In-Reply-To: <20220923202822.2667581-2-keescook@chromium.org> From: Geert Uytterhoeven Date: Wed, 28 Sep 2022 09:26:15 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 01/16] slab: Remove __malloc attribute from realloc functions To: Kees Cook Cc: Vlastimil Babka , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Marco Elver , linux-mm@kvack.org, "Ruhl, Michael J" , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Greg Kroah-Hartman , Nick Desaulniers , Alex Elder , Josef Bacik , David Sterba , Sumit Semwal , =?UTF-8?Q?Christian_K=C3=B6nig?= , Jesse Brandeburg , Daniel Micay , Yonghong Song , Miguel Ojeda , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-fsdevel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, dev@openvswitch.org, x86@kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664349991; a=rsa-sha256; cv=none; b=R0MBePSnT/GLNdG2UT8Ncal3mk8v3NM9HF4FrWrSvK7PtN4lV+V4lscgLXMk3RxtWNOrur B6MWLIDjU160P5iLB08Fjl/ip81roTZwnuD2m7ooL0u65FOaI9d7QvIZi949qoZSm0v1Lz sCr8oFXw3Eeq0cGWBbYkhFCMveSeQ0A= ARC-Authentication-Results: i=1; imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of geert.uytterhoeven@gmail.com designates 209.85.219.51 as permitted sender) smtp.mailfrom=geert.uytterhoeven@gmail.com; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1664349991; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qLaRR+atoHoSJaoPeYCH+z3TJyk6r6Xbl1EdBW345pA=; b=ZH3bgfxklUzaqP4p7qJq2dv8tueFoXsLDiRmsouMOR4QUf2+JtuzPmzSBNuvJ8jgRsInJF kLmEXwx/g9zy9Jgg759gte5FV4fV8pczeudASoRhvwYADjeevlnRi+jCtiXNHvMBfwC5al KBdu7THFJMcMW8cIG323QU2tS/LsQfE= X-Stat-Signature: y6jcj9kkjrgtwyarbgn8y86aqbbgzx15 X-Rspamd-Queue-Id: 84B08140004 X-Rspam-User: Authentication-Results: imf09.hostedemail.com; dkim=none; spf=pass (imf09.hostedemail.com: domain of geert.uytterhoeven@gmail.com designates 209.85.219.51 as permitted sender) smtp.mailfrom=geert.uytterhoeven@gmail.com; dmarc=none X-Rspamd-Server: rspam08 X-HE-Tag: 1664349991-643846 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Hi Kees, On Fri, Sep 23, 2022 at 10:35 PM Kees Cook wrote: > The __malloc attribute should not be applied to "realloc" functions, as > the returned pointer may alias the storage of the prior pointer. Instead > of splitting __malloc from __alloc_size, which would be a huge amount of > churn, just create __realloc_size for the few cases where it is needed. > > Additionally removes the conditional test for __alloc_size__, which is > always defined now. > > Cc: Christoph Lameter > Cc: Pekka Enberg > Cc: David Rientjes > Cc: Joonsoo Kim > Cc: Andrew Morton > Cc: Vlastimil Babka > Cc: Roman Gushchin > Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> > Cc: Marco Elver > Cc: linux-mm@kvack.org > Signed-off-by: Kees Cook Thanks for your patch, which is now commit 63caa04ec60583b1 ("slab: Remove __malloc attribute from realloc functions") in next-20220927. Noreply@ellerman.id.au reported all gcc8-based builds to fail (e.g. [1], more at [2]): In file included from : ./include/linux/percpu.h: In function =E2=80=98__alloc_reserved_percpu= =E2=80=99: ././include/linux/compiler_types.h:279:30: error: expected declaration specifiers before =E2=80=98__alloc_size__=E2=80=99 #define __alloc_size(x, ...) __alloc_size__(x, ## __VA_ARGS__) __mallo= c ^~~~~~~~~~~~~~ ./include/linux/percpu.h:120:74: note: in expansion of macro =E2=80=98_= _alloc_size=E2=80=99 [...] It's building fine with e.g. gcc-9 (which is my usual m68k cross-compiler). Reverting this commit on next-20220927 fixes the issue. [1] http://kisskb.ellerman.id.au/kisskb/buildresult/14803908/ [2] http://kisskb.ellerman.id.au/kisskb/head/1bd8b75fe6adeaa89d02968bdd811f= fe708cf839/ > --- > include/linux/compiler_types.h | 13 +++++-------- > include/linux/slab.h | 12 ++++++------ > mm/slab_common.c | 4 ++-- > 3 files changed, 13 insertions(+), 16 deletions(-) > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_type= s.h > index 4f2a819fd60a..f141a6f6b9f6 100644 > --- a/include/linux/compiler_types.h > +++ b/include/linux/compiler_types.h > @@ -271,15 +271,12 @@ struct ftrace_likely_data { > > /* > * Any place that could be marked with the "alloc_size" attribute is als= o > - * a place to be marked with the "malloc" attribute. Do this as part of = the > - * __alloc_size macro to avoid redundant attributes and to avoid missing= a > - * __malloc marking. > + * a place to be marked with the "malloc" attribute, except those that m= ay > + * be performing a _reallocation_, as that may alias the existing pointe= r. > + * For these, use __realloc_size(). > */ > -#ifdef __alloc_size__ > -# define __alloc_size(x, ...) __alloc_size__(x, ## __VA_ARGS__) __mallo= c > -#else > -# define __alloc_size(x, ...) __malloc > -#endif > +#define __alloc_size(x, ...) __alloc_size__(x, ## __VA_ARGS__) __mallo= c > +#define __realloc_size(x, ...) __alloc_size__(x, ## __VA_ARGS__) > > #ifndef asm_volatile_goto > #define asm_volatile_goto(x...) asm goto(x) > diff --git a/include/linux/slab.h b/include/linux/slab.h > index 0fefdf528e0d..41bd036e7551 100644 > --- a/include/linux/slab.h > +++ b/include/linux/slab.h > @@ -184,7 +184,7 @@ int kmem_cache_shrink(struct kmem_cache *s); > /* > * Common kmalloc functions provided by all allocators > */ > -void * __must_check krealloc(const void *objp, size_t new_size, gfp_t fl= ags) __alloc_size(2); > +void * __must_check krealloc(const void *objp, size_t new_size, gfp_t fl= ags) __realloc_size(2); > void kfree(const void *objp); > void kfree_sensitive(const void *objp); > size_t __ksize(const void *objp); > @@ -647,10 +647,10 @@ static inline __alloc_size(1, 2) void *kmalloc_arra= y(size_t n, size_t size, gfp_ > * @new_size: new size of a single member of the array > * @flags: the type of memory to allocate (see kmalloc) > */ > -static inline __alloc_size(2, 3) void * __must_check krealloc_array(void= *p, > - size_= t new_n, > - size_= t new_size, > - gfp_t= flags) > +static inline __realloc_size(2, 3) void * __must_check krealloc_array(vo= id *p, > + siz= e_t new_n, > + siz= e_t new_size, > + gfp= _t flags) > { > size_t bytes; > > @@ -774,7 +774,7 @@ static inline __alloc_size(1, 2) void *kvcalloc(size_= t n, size_t size, gfp_t fla > } > > extern void *kvrealloc(const void *p, size_t oldsize, size_t newsize, gf= p_t flags) > - __alloc_size(3); > + __realloc_size(3); > extern void kvfree(const void *addr); > extern void kvfree_sensitive(const void *addr, size_t len); > > diff --git a/mm/slab_common.c b/mm/slab_common.c > index 17996649cfe3..457671ace7eb 100644 > --- a/mm/slab_common.c > +++ b/mm/slab_common.c > @@ -1134,8 +1134,8 @@ module_init(slab_proc_init); > > #endif /* CONFIG_SLAB || CONFIG_SLUB_DEBUG */ > > -static __always_inline void *__do_krealloc(const void *p, size_t new_siz= e, > - gfp_t flags) > +static __always_inline __realloc_size(2) void * > +__do_krealloc(const void *p, size_t new_size, gfp_t flags) > { > void *ret; > size_t ks; > -- > 2.34.1 > -- Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k= .org In personal conversations with technical people, I call myself a hacker. Bu= t when I'm talking to journalists I just say "programmer" or something like t= hat. -- Linus Torvalds