From patchwork Wed Aug 18 05:08:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12442621 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26275C19F3B for ; Wed, 18 Aug 2021 05:08:55 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id AAAD56103A for ; Wed, 18 Aug 2021 05:08:54 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org AAAD56103A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id D43AF8D0003; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id C9F608D0001; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 96C198D0003; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0196.hostedemail.com [216.40.44.196]) by kanga.kvack.org (Postfix) with ESMTP id 76DBC8D0001 for ; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) Received: from smtpin33.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 33F092489B for ; Wed, 18 Aug 2021 05:08:47 +0000 (UTC) X-FDA: 78487021494.33.2A1A822 Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43]) by imf14.hostedemail.com (Postfix) with ESMTP id E4DCB6005FD5 for ; Wed, 18 Aug 2021 05:08:46 +0000 (UTC) Received: by mail-pj1-f43.google.com with SMTP id 28-20020a17090a031cb0290178dcd8a4d1so4555799pje.0 for ; Tue, 17 Aug 2021 22:08:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Kwe+7x098AFAsp6HObDqzLfsA9AaOtdAmm10Ri6lneY=; b=MDQc7Qo02bOhSp6zRlMQC4IeCrHYouMZFpUhtC90CCzr8ee4bgtADw7WJnMmR8Wmde URG7TOK86bHRsFlzUqsgTNi0YyrLB7weLtwkv8Ak+ccKHi9pCgKNnt90yC+fdoK+wZkC TJ0BzO5ZuVEzNajnEbXLjfq0UK/kjxlV6xIVs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Kwe+7x098AFAsp6HObDqzLfsA9AaOtdAmm10Ri6lneY=; b=GZtDjv7/Occ/et7eR/y554JTFsC7E726m+tU4J9+3YbYk7Nc6Hp6XEWkgdzjKs4VoH dibAFQzK7EA5tE2tCFBdX1LyMeF2xm6FQcsrZs7i6Ghz931jYhpfjuUN+0jfLIwaz5v6 uLGPx58AS0H9QQqRVeCsl6/F8KrtJd6BEyO7kjwEd+qIANGGT5Qif7SzhkxciseQ/4aL Ro5hYF+oIOFNsSpgjyVD5dw0PZapHe+eEKoj1o6Eu2OI/abBxMxYxvF3LpnwgV7qaVai 92zeWK1eXUtRh2ZA4gWjWwQ7gynXs564zqTw4TsJLkJSyGLrRTBJXo/cGmfHoyF1CA6w wmpQ== X-Gm-Message-State: AOAM532hPNkeMM6ap/lRhYU4D0emdJcy6GzAX1d9833wuqJo1XRQZ1UK jPJK7XLdfnDWYlWbaA28KgaLkw== X-Google-Smtp-Source: ABdhPJzy6VMfPK5oBN2vdQiwzq502wZ6o1gktGF4zz2dRHmXGhIoIyhC+5rofIDWNjaIiYrrtPc8GA== X-Received: by 2002:a17:90a:f3cc:: with SMTP id ha12mr7432352pjb.195.1629263326119; Tue, 17 Aug 2021 22:08:46 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id a6sm3604432pjs.40.2021.08.17.22.08.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 22:08:43 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , clang-built-linux@googlegroups.com, Andrew Morton , Daniel Micay , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , Dennis Zhou , Tejun Heo , Masahiro Yamada , Michal Marek , linux-mm@kvack.org, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 1/5] Compiler Attributes: Add __alloc_size() for better bounds checking Date: Tue, 17 Aug 2021 22:08:37 -0700 Message-Id: <20210818050841.2226600-2-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210818050841.2226600-1-keescook@chromium.org> References: <20210818050841.2226600-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2380; h=from:subject; bh=Z77R0+fHluP6o4NcvIwdkfyyrw0mnaqgtPexTL+jzKw=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhHJXXXWv8HAUEH70BjLM8r9L44FwLbXyX7U2SbMJG cW7X2W2JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYRyV1wAKCRCJcvTf3G3AJs7vD/ 9D6DcToe9pHFn5VltA0eOO5yqBac9LT4thRelqAQ6laxUduO5B+8FOxZL1OSulQlHAssoA3PddQ2rY mVpL4OrFcFpbtY2UXGJ/x/aqyeSOQ9uqc98i8zR47nEaK8YS6Gj5t7MqZvza+An/3E0WFvpeYSr4/P C109T9G+TfMaEsTELu5ATpiYLUzpDfADQsOuHv8ArEwVqwmZKZ4Uypjg6BZ5K7SyiLRaxytnIK5BKg uvC9PDWqZf8t2bpKtUpMipLPG1jEJqzfUOYTbXStV5WOYALSkvEOW+DZbDVYb+LkX6Pclzw4hSr2zZ nMKVnI+7XYK8ZE0/JBfW1KGNsgBfuRh7HYEgbypFfqzhX98Io6pNdGs0gecrX6MWNRDKFXS5JDgzmI nlCUKfV+akKM7wnefg8W5jF68bNPS3imqX4Qs6vrh4mF+0mHsK3t8Gxei0V19G0KU1BQYa2uFFhTtd ZYKAJCRrLu6r5YYTsW9eaPk9EYHpBnOMd6jASQ6WdPQFMsyzMb7x2JzXNNx9Q1v3ZnJL83pxj4g5L0 Bai0QE6rMeDH4kkazpjhSSOdOoZeUYJrcTNmlQD0MSJMK0LDVtjsvvmzdjwwPZQu9fJvsGuoAKk5Za +sS3ucLwhHMw7F1zksA5eG5+qFMGvKGBpn9fFleWOuKlJMxDM/tV5rrm7ukA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=MDQc7Qo0; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf14.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.43 as permitted sender) smtp.mailfrom=keescook@chromium.org X-Stat-Signature: 4ijpcah4fbn3w7o34mntk84f3p8jzgu5 X-Rspamd-Queue-Id: E4DCB6005FD5 X-Rspamd-Server: rspam05 X-HE-Tag: 1629263326-197629 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: GCC and Clang can use the alloc_size attribute to better inform the results of __builtin_object_size() (for compile-time constant values). Clang can additionally use alloc_size to informt the results of __builtin_dynamic_object_size() (for run-time values). Additionally disables -Wno-alloc-size-larger-than since the allocators already reject SIZE_MAX, and the compile-time warnings aren't helpful. Cc: Miguel Ojeda Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: clang-built-linux@googlegroups.com Signed-off-by: Kees Cook --- Makefile | 6 +++++- include/linux/compiler_attributes.h | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1b238ce86ed4..3b6fb740584e 100644 --- a/Makefile +++ b/Makefile @@ -1076,9 +1076,13 @@ KBUILD_CFLAGS += $(call cc-disable-warning, stringop-overflow) # Another good warning that we'll want to enable eventually KBUILD_CFLAGS += $(call cc-disable-warning, restrict) -# Enabled with W=2, disabled by default as noisy ifdef CONFIG_CC_IS_GCC +# Enabled with W=2, disabled by default as noisy KBUILD_CFLAGS += -Wno-maybe-uninitialized + +# The allocators already balk at large sizes, so silence the compiler +# warnings for bounds checks involving those possible values. +KBUILD_CFLAGS += -Wno-alloc-size-larger-than endif # disable invalid "can't wrap" optimizations for signed / pointers diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h index 67c5667f8042..203b0ac62d15 100644 --- a/include/linux/compiler_attributes.h +++ b/include/linux/compiler_attributes.h @@ -54,6 +54,12 @@ #define __aligned(x) __attribute__((__aligned__(x))) #define __aligned_largest __attribute__((__aligned__)) +/* + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alloc_005fsize-function-attribute + * clang: https://clang.llvm.org/docs/AttributeReference.html#alloc-size + */ +#define __alloc_size(x, ...) __attribute__((__alloc_size__(x, ## __VA_ARGS__))) + /* * Note: users of __always_inline currently do not write "inline" themselves, * which seems to be required by gcc to apply the attribute according From patchwork Wed Aug 18 05:08:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12442619 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6351FC43214 for ; Wed, 18 Aug 2021 05:08:52 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 07DC7610A0 for ; Wed, 18 Aug 2021 05:08:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 07DC7610A0 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 96CC68D0006; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 8AC8F8D0005; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6ABDE8D0003; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0207.hostedemail.com [216.40.44.207]) by kanga.kvack.org (Postfix) with ESMTP id 459068D0001 for ; Wed, 18 Aug 2021 01:08:47 -0400 (EDT) Received: from smtpin35.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id DE976181B04AD for ; Wed, 18 Aug 2021 05:08:46 +0000 (UTC) X-FDA: 78487021452.35.2E29239 Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by imf18.hostedemail.com (Postfix) with ESMTP id 99DFC4004097 for ; Wed, 18 Aug 2021 05:08:46 +0000 (UTC) Received: by mail-pf1-f172.google.com with SMTP id y11so948491pfl.13 for ; Tue, 17 Aug 2021 22:08:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=PJoa4iKvyV5ZjcOKo8KLgCpzhWd1dLdAE7oHmS24kmI=; b=XoqR3saVnkwQdaMbo8v29/zLHplfZcejHyGEtGR80f/yvY/cgcEmJVBX6LB1twfOmR C57Wb9w3oBqxKggPS8I6LTjLP1Mg8N4TVD1yqljUPvsHHNnkxYnR3c6SZh+ZoDw4JYVr bSxIGT0JG05gMBr+nZxEAEA67uQJIh6d2QyNE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=PJoa4iKvyV5ZjcOKo8KLgCpzhWd1dLdAE7oHmS24kmI=; b=sEWXKCaqtCsATnU3rPpGMEp80SJ7tRyIjIfUVSWYDRbf2ey8LMw3LLNaj791EcpOBL Nh7/ddCgndUIWGW4i3nVFzJIRGSLSt3rMKUIlgjzM0TjhZRgcQIp4dKDV78CxMOMzivU /KuDCznDG+O9gFKrlqwxw5wwBasfiq116GDHDHEbhQvrvK5uAD1/GFSX1g+FEdVecJQB 1s7zfvc1gugBKCxavFSt7r0gOfKZPisXPhVuQNOKTOVWRo1MS4fShmLUQ7OIUaXt/SFE 6lEnORXmjI8l5+R76bKVSvjkbRqBJpjPqgfSnlafpQ19w1zqZcd5L5ZhSUjxstc9LlQ8 8I4g== X-Gm-Message-State: AOAM533ebVc3h2B93D89h+3Q0pb5eYmNqw1ItQIloj3BzhoIKaNuieZJ G3Ra6JifsA6hMS2s566y8gIjAQ== X-Google-Smtp-Source: ABdhPJwKgzp5vA4w6wkQdQaDJ9fAJpJsvxtDCO2cLAcpiN0uM8Y2YDiktkkEfIpYFuEAoycRcGb4Kw== X-Received: by 2002:aa7:8058:0:b029:332:9da3:102d with SMTP id y24-20020aa780580000b02903329da3102dmr7352676pfm.21.1629263325814; Tue, 17 Aug 2021 22:08:45 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id j6sm5037394pgq.0.2021.08.17.22.08.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 22:08:43 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Daniel Micay , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Vlastimil Babka , linux-mm@kvack.org, Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Dennis Zhou , Tejun Heo , Masahiro Yamada , Michal Marek , clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 2/5] slab: Add __alloc_size attributes for better bounds checking Date: Tue, 17 Aug 2021 22:08:38 -0700 Message-Id: <20210818050841.2226600-3-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210818050841.2226600-1-keescook@chromium.org> References: <20210818050841.2226600-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7084; h=from:subject; bh=mOKi2doWtdNTuoRZf7uNcQVzIU50qiNF7t9u3Nn55qQ=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhHJXYMzR6/MsdNgjHLHDWQusu9UKxXGXBcBf1OYKK Sz9e4kaJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYRyV2AAKCRCJcvTf3G3AJmNnD/ 4yTBX9z+fMGN8gDeZBU4fNrWeR2k4e14MeZzDbYV0BUqaiphoGMO9p570IWy3da8EoE65rBJYK1awp XvcnrLv86Vuzu6rHtLI4zcs4RRxNiF87TV2dbP8s1HWO06CHw45W9hJlWRbhRpJqElGhl9g1K5MKqs XidOG9M5i7z+sAs1BC+Uli1H+df+7CqijqxN7/2kqL2/ofwnVzpdVMf3paBst2Nh5fjiPmfRsf+tL2 0L3PfcWWT4+qLXaKE8dCaf69XkaLsMS3boQ30GBGLP4aClofiPF90eOBpqp2MnPNU1NADlJo+OmQ+W 4gmdLCmRi/+Tmtj6GQQgIJmJhsVA1AOUfeQdLjzuz4LbC5xa+7EbID0zlnXBWirdmrQeU2QFARrJSA g/3MwdNzqXo44qT5eFkC3n7j8gi0PYlfoOIFBX+hX9jAPFm56giDzgXIRTYp4gv53bsq6jhcquLpbs nEvse6BvVgBmwNKbKqJElqHbeV6+AkkctfP7+GHcytUqt4Vqp7IxAsxclM+5SwNuDb2SsCuc5CoHyo D42unWsvnFRPWkvTryy08B1bgojos+XmbygssJcfd3lBEAIknNjdAbNuouIw5chZTsKPTw/MACHxJF iqpKgOBq/btkAFocY2xjN0hDO/2MXd909gs1IViC61xu9yLty70IT9IrLw3Q== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Rspamd-Queue-Id: 99DFC4004097 Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=XoqR3saV; spf=pass (imf18.hostedemail.com: domain of keescook@chromium.org designates 209.85.210.172 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Rspamd-Server: rspam01 X-Stat-Signature: eb7dnrpuzxx8hoxdfcys5fm3mbtktrzt X-HE-Tag: 1629263326-478852 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: As already done in GrapheneOS, add the __alloc_size attribute for regular kmalloc interfaces, to provide additional hinting for better bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler optimizations. Co-developed-by: Daniel Micay Signed-off-by: Daniel Micay Cc: Christoph Lameter Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Cc: Andrew Morton Cc: Vlastimil Babka Cc: linux-mm@kvack.org Signed-off-by: Kees Cook --- include/linux/slab.h | 50 +++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index c0d46b6fa12a..b2181c176999 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *); /* * Common kmalloc functions provided by all allocators */ -void * __must_check krealloc(const void *, size_t, gfp_t); +void * __must_check krealloc(const void *, size_t, gfp_t) __alloc_size(2); void kfree(const void *); void kfree_sensitive(const void *); size_t __ksize(const void *); @@ -425,7 +425,7 @@ static __always_inline unsigned int __kmalloc_index(size_t size, #define kmalloc_index(s) __kmalloc_index(s, true) #endif /* !CONFIG_SLOB */ -void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc; +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __assume_kmalloc_alignment __malloc; void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc; void kmem_cache_free(struct kmem_cache *, void *); @@ -449,7 +449,8 @@ static __always_inline void kfree_bulk(size_t size, void **p) } #ifdef CONFIG_NUMA -void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc; +void *__kmalloc_node(size_t size, gfp_t flags, int node) __alloc_size(1) + __assume_kmalloc_alignment __malloc; void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc; #else static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node) @@ -574,7 +575,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags) * Try really hard to succeed the allocation but fail * eventually. */ -static __always_inline void *kmalloc(size_t size, gfp_t flags) +static __always_inline __alloc_size(1) void *kmalloc(size_t size, gfp_t flags) { if (__builtin_constant_p(size)) { #ifndef CONFIG_SLOB @@ -596,7 +597,8 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags) return __kmalloc(size, flags); } -static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) +static __always_inline __alloc_size(1) void * +kmalloc_node(size_t size, gfp_t flags, int node) { #ifndef CONFIG_SLOB if (__builtin_constant_p(size) && @@ -620,7 +622,8 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node) * @size: element size. * @flags: the type of memory to allocate (see kmalloc). */ -static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags) +static inline __alloc_size(1, 2) void * +kmalloc_array(size_t n, size_t size, gfp_t flags) { size_t bytes; @@ -638,7 +641,7 @@ static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags) * @new_size: new size of a single member of the array * @flags: the type of memory to allocate (see kmalloc) */ -static __must_check inline void * +static __must_check inline __alloc_size(2, 3) void * krealloc_array(void *p, size_t new_n, size_t new_size, gfp_t flags) { size_t bytes; @@ -655,7 +658,8 @@ krealloc_array(void *p, size_t new_n, size_t new_size, gfp_t flags) * @size: element size. * @flags: the type of memory to allocate (see kmalloc). */ -static inline void *kcalloc(size_t n, size_t size, gfp_t flags) +static inline __alloc_size(1, 2) void * +kcalloc(size_t n, size_t size, gfp_t flags) { return kmalloc_array(n, size, flags | __GFP_ZERO); } @@ -684,7 +688,8 @@ static inline void *kmalloc_array_node(size_t n, size_t size, gfp_t flags, return __kmalloc_node(bytes, flags, node); } -static inline void *kcalloc_node(size_t n, size_t size, gfp_t flags, int node) +static inline __alloc_size(1, 2) void * +kcalloc_node(size_t n, size_t size, gfp_t flags, int node) { return kmalloc_array_node(n, size, flags | __GFP_ZERO, node); } @@ -716,7 +721,8 @@ static inline void *kmem_cache_zalloc(struct kmem_cache *k, gfp_t flags) * @size: how many bytes of memory are required. * @flags: the type of memory to allocate (see kmalloc). */ -static inline void *kzalloc(size_t size, gfp_t flags) +static inline __alloc_size(1) void * +kzalloc(size_t size, gfp_t flags) { return kmalloc(size, flags | __GFP_ZERO); } @@ -727,26 +733,31 @@ static inline void *kzalloc(size_t size, gfp_t flags) * @flags: the type of memory to allocate (see kmalloc). * @node: memory node from which to allocate */ -static inline void *kzalloc_node(size_t size, gfp_t flags, int node) +static inline __alloc_size(1) void * +kzalloc_node(size_t size, gfp_t flags, int node) { return kmalloc_node(size, flags | __GFP_ZERO, node); } -extern void *kvmalloc_node(size_t size, gfp_t flags, int node); -static inline void *kvmalloc(size_t size, gfp_t flags) +extern __alloc_size(1) void * +kvmalloc_node(size_t size, gfp_t flags, int node); +static inline __alloc_size(1) void *kvmalloc(size_t size, gfp_t flags) { return kvmalloc_node(size, flags, NUMA_NO_NODE); } -static inline void *kvzalloc_node(size_t size, gfp_t flags, int node) +static inline __alloc_size(1) void * +kvzalloc_node(size_t size, gfp_t flags, int node) { return kvmalloc_node(size, flags | __GFP_ZERO, node); } -static inline void *kvzalloc(size_t size, gfp_t flags) +static inline __alloc_size(1) void * +kvzalloc(size_t size, gfp_t flags) { return kvmalloc(size, flags | __GFP_ZERO); } -static inline void *kvmalloc_array(size_t n, size_t size, gfp_t flags) +static inline __alloc_size(1, 2) void * +kvmalloc_array(size_t n, size_t size, gfp_t flags) { size_t bytes; @@ -756,13 +767,14 @@ static inline void *kvmalloc_array(size_t n, size_t size, gfp_t flags) return kvmalloc(bytes, flags); } -static inline void *kvcalloc(size_t n, size_t size, gfp_t flags) +static inline __alloc_size(1, 2) void * +kvcalloc(size_t n, size_t size, gfp_t flags) { return kvmalloc_array(n, size, flags | __GFP_ZERO); } -extern void *kvrealloc(const void *p, size_t oldsize, size_t newsize, - gfp_t flags); +extern __alloc_size(3) void * +kvrealloc(const void *p, size_t oldsize, size_t newsize, gfp_t flags); extern void kvfree(const void *addr); extern void kvfree_sensitive(const void *addr, size_t len); From patchwork Wed Aug 18 05:08:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12442617 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F65AC41537 for ; Wed, 18 Aug 2021 05:08:50 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id BB2386108E for ; Wed, 18 Aug 2021 05:08:49 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org BB2386108E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 93EAC8D0002; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7E43B8D0001; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6AA196B0073; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0084.hostedemail.com [216.40.44.84]) by kanga.kvack.org (Postfix) with ESMTP id 4DE8E8D0001 for ; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) Received: from smtpin33.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id ED9CA181A4A12 for ; Wed, 18 Aug 2021 05:08:45 +0000 (UTC) X-FDA: 78487021410.33.ACA83E7 Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) by imf16.hostedemail.com (Postfix) with ESMTP id AE1DCF000AED for ; Wed, 18 Aug 2021 05:08:45 +0000 (UTC) Received: by mail-pj1-f54.google.com with SMTP id n13-20020a17090a4e0d00b0017946980d8dso8091237pjh.5 for ; Tue, 17 Aug 2021 22:08:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=odUz6n/RKpUPExqy4Plx6hZKFwyikJ7mCPOENAXpi1A=; b=QfgA3m29HNR+UjzDZsodpNevvOdZa5lbbZQ/mb5EWKYxlQdEnISqlfEjxNern4S2a9 S7BurM8h26UzgWveF3D65ey/dm5RtYQXFaOOIQoxkV0BGU/gFcvmRF0K5siiTaHrXnft VwJwA8xChjNFpBYbmazcQ+ZRR6ipCBIefvRqo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=odUz6n/RKpUPExqy4Plx6hZKFwyikJ7mCPOENAXpi1A=; b=SJBqO7M629mqETzsF436Q+0dZqJnMPSaZcvUru8kc/3JJr3xVoEdBLUOXsElWmbknl DYsH+Gma6d+esnqU/NpD7ZYGv/49znM9qv/yjG/Mgxo0AeaQrGJmWc5ZwHsQvdLwp0GJ PVLZayANnQAziYibpaj3+HLCS81YFQlKDcbgb+XB5y5xn+TSUvqtfILBsHyce0Rdj96m q0j4/Y07DioHHsieBbQr2heV/KTfWNMaLUltxFJWoT+z/BD7zp5wYuP8ZFaaF1tn7MA2 ismPg4pjVbLPDuIrFrPJbrztrdStV1hsKXQeTyCICMtYI9RLG30uUrMrTbCQIUWVvqAc juWg== X-Gm-Message-State: AOAM531ceEnFc5bXnGIoyNjTYfQjpiwAztly3eR8YOo4CUoUZrTTXx4j tgW3p299xg//APE02k3nc9rYzQ== X-Google-Smtp-Source: ABdhPJxfXuDZLZRombNv/+en+T6nGULgteS8blFkT70oeDjABA/FdXgNxjqNJVAt7tQSazIK9z7gNg== X-Received: by 2002:a17:90a:bd87:: with SMTP id z7mr7384174pjr.163.1629263324923; Tue, 17 Aug 2021 22:08:44 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id b10sm4425381pfi.122.2021.08.17.22.08.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 22:08:43 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Daniel Micay , Andrew Morton , linux-mm@kvack.org, Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , Dennis Zhou , Tejun Heo , Masahiro Yamada , Michal Marek , clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 3/5] mm/page_alloc: Add __alloc_size attributes for better bounds checking Date: Tue, 17 Aug 2021 22:08:39 -0700 Message-Id: <20210818050841.2226600-4-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210818050841.2226600-1-keescook@chromium.org> References: <20210818050841.2226600-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1375; h=from:subject; bh=cp0O8NJngs9amnriLD+6h+/L/ha0ko1xnZRmO7UAZwQ=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhHJXYxDq6T8pm0e3owI/dczoEgQdLOkB19YGYAKIr XNQYfSuJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYRyV2AAKCRCJcvTf3G3AJi3mEA Caf9xRewJicK7Djb8O1KuuuUsMzmapMH/i8WIOm/xR6TNmV/o9Rctjak4Yy8/DQEnYWERnzuJMazvR hUF7XU6j2B/hKSVHwy6Uo83WnrAaUNwA+I+PCXbcZm51to2scEh4u1mmz93c1s7P0CEEZp1mLy9JRE HrdfZ8ZzT5RngtrH6P+sD4456p/tnCI28R9SXFt/qoke6KZmbUFTLu4FSIRexjEY6IIcped2xKvWTi 54kupXtmBj5sTQWElu2ixPtov/wAymO275s66hJOnus7rv1ff+OwTvSTvGOyFe0kDhrDiXJKs2HuWs XEvxdOq1U0kML4Cpg4M+keh7fruNGlDr2+yDbDQ9fc4MvCaRVLJqFjao4dBmVji/PgMqB8MWR2I3YU ErShjZWeHSBrttD1kuPcyqhRHqQL2Ji0I+GufYvMP5cS5o7o8Cqkhcs54OShP6Jd0gveJyisFuT24L 8hHLvD14FlRpuHQ5QWeTeBTmdxxpqcspr+3RKkgAXmju/WIjNLHkzkg6rzyEELKnS8eryi5bqbIF5P tC0FIBAmqeiiMJhaGevB+Rj2YjSc1pEFcIPcUHTlZ5PAaDfBBvNhgFqosNy7b9XQYZsv2dquDN8I6k R9sdrdJ/ybYIj4TWIuLE+0jfsJs+lgR31VHnXTNXI/C9QqYbdDj+hCbsfWxg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Rspamd-Queue-Id: AE1DCF000AED Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=QfgA3m29; spf=pass (imf16.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.54 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Rspamd-Server: rspam01 X-Stat-Signature: thtqrn6diktg6pehk8h5bz7i4zkoqffi X-HE-Tag: 1629263325-571967 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: As already done in GrapheneOS, add the __alloc_size attribute for appropriate page allocator interfaces, to provide additional hinting for better bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler optimizations. Co-developed-by: Daniel Micay Signed-off-by: Daniel Micay Cc: Andrew Morton Cc: linux-mm@kvack.org Signed-off-by: Kees Cook --- include/linux/gfp.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/gfp.h b/include/linux/gfp.h index 3745efd21cf6..94e57c752308 100644 --- a/include/linux/gfp.h +++ b/include/linux/gfp.h @@ -618,9 +618,9 @@ static inline struct folio *folio_alloc(gfp_t gfp, unsigned int order) extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order); extern unsigned long get_zeroed_page(gfp_t gfp_mask); -void *alloc_pages_exact(size_t size, gfp_t gfp_mask); +void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __alloc_size(1); void free_pages_exact(void *virt, size_t size); -void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask); +void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __alloc_size(1); #define __get_free_page(gfp_mask) \ __get_free_pages((gfp_mask), 0) From patchwork Wed Aug 18 05:08:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12442613 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1563DC4338F for ; Wed, 18 Aug 2021 05:08:47 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 9891C6103A for ; Wed, 18 Aug 2021 05:08:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 9891C6103A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 2DCB86B006C; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 23D918D0001; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 12BF86B0073; Wed, 18 Aug 2021 01:08:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0209.hostedemail.com [216.40.44.209]) by kanga.kvack.org (Postfix) with ESMTP id F0A616B006C for ; Wed, 18 Aug 2021 01:08:45 -0400 (EDT) Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 84695181B04AD for ; Wed, 18 Aug 2021 05:08:45 +0000 (UTC) X-FDA: 78487021410.06.80D0FD5 Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by imf12.hostedemail.com (Postfix) with ESMTP id 411B21004EE5 for ; Wed, 18 Aug 2021 05:08:45 +0000 (UTC) Received: by mail-pj1-f44.google.com with SMTP id hv22-20020a17090ae416b0290178c579e424so1536147pjb.3 for ; Tue, 17 Aug 2021 22:08:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=L74a0g3OkBh38ZbWTWhzU9iYTGh84NVXbR3tMlDhDzA=; b=VoyLbqvgkeBK3s454PKfXrujQkaO8YCZzfEaRA2GyiUcpN1TJnjrvLnUA6U3DTwvHV 0Ys0jZJyHXB4alRXdKvUxiRso64wJPdy6zEYBLNKxoCQdQD8i+tubBD/6OTl4b+f9+OV IAqGDBIIRzwCBxcb7ESVBQGr+0sWjockpToVo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=L74a0g3OkBh38ZbWTWhzU9iYTGh84NVXbR3tMlDhDzA=; b=WlV1zUQT/jWS4R+1TOJDmUfZRLHAZ64X/UmBd6g/aKik5UwOPDLBCnOW5FaV+GXGf2 ep5M1YdR7If7rLP3VE6ZxHF8TmLlwJ06Z1PjeUEnw3OQiBkz9XodSOL19P7lSCznm/+b 0po7xNyyPxVtBo2QEVHuOww+u32n9KMi14P/u+kEfZz23BG19sBriHSSGMfV3pYS+umg 1wh2Km6Bn+hyZTwZ1gu7yYJGjld1XsZ3c4Uy1d6Fd/FUpNqQpxwU3zr5HUJcISbHwXXE HjSSzD3VbZh4Ae53WwQxR63YBZZ8POaMboURvjpaz26dX1DxKxjbB6AVuC6Fcnv0tgFc qiQg== X-Gm-Message-State: AOAM532EkskJ/jDJFEBKPb36wsaWo72SklcgjbfAo1DageASYq2spt9q ECwiG4IW2LXCjHHu3jL2WwZFLg== X-Google-Smtp-Source: ABdhPJz5s4Wmz9dks92kj/ZztgnowsQotGHMNoaeyBq3IEi/9t+qTx3NfPgPSwibP7e3JjCPogSSQA== X-Received: by 2002:a17:90a:420c:: with SMTP id o12mr7336775pjg.101.1629263324383; Tue, 17 Aug 2021 22:08:44 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y3sm5280769pgc.67.2021.08.17.22.08.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 22:08:43 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Daniel Micay , Dennis Zhou , Tejun Heo , Christoph Lameter , linux-mm@kvack.org, Andrew Morton , Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , Masahiro Yamada , Michal Marek , clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 4/5] percpu: Add __alloc_size attributes for better bounds checking Date: Tue, 17 Aug 2021 22:08:40 -0700 Message-Id: <20210818050841.2226600-5-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210818050841.2226600-1-keescook@chromium.org> References: <20210818050841.2226600-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1834; h=from:subject; bh=AKWCsy+JTouHpICDr1/00oSv9FpxEYB59HC7kt38kf8=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhHJXYZ7sr0DkI4785A86/V1s6T0JSWbDIAWTqa4IF o+5sgRyJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYRyV2AAKCRCJcvTf3G3AJl81D/ 9vI9JuIir2OOD9eLSzFPss/uOq6+mj5CUm3OhDzeeKcY17QuKv8oZHV/r5p657bW2OcfeR+11HCPEq 3tFGsUIJBkGa16Q5uTm/DieR3q04KNo5M2AGU+XoQMeTmQycXxOOzTL4FLNzsvDgyeIvKuy6LKnAPK DWu6IttP6pgUPRKdSSfRSHHCQeD6CuR3m10veketQgEmTRWLqGPcGdEA9sOVhwlW0htfsprMSKUaDc f0SM0OOKwjPd22H9LkxplH3npRzVY+5xnMfxOcKZoot02ORxcmUILGtHUY9ePhB+pbm7A2VeNXZFlN 7nvLv/XTt7uqlm1eLNNZ4jTzLs9EZFAKQ7jTxeDytxH/N6CSoAmSylYNQyOWca+5t3RYmG6zCjrOO5 5U7G9wyTfDSS5DqJXkjb6DRFujbBqDg5jcBjCoCWqiGVAkiTnpu7NgoLR6zrsDsImoWrSWiCVuwua1 BJtEexhJLfjIJ9AhNPUCEcGCHnpTujcSfmd87HQt4V/6xvXPg57q9gY7Mrf1Nb0JwGquIqLT9YZlnx YMxItzlYJwB9VD8fq13icyty1atksKU4j0CNj0iLHOD2bqqLTTax+bcbfNV5rE9LdnVZx9QxDAlQvL JVOSkAac4aqRz/QlcLsLdDf5rkeWwn2zz2kilbDBVRc7qFw1qEFD76tf3fTQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Rspamd-Queue-Id: 411B21004EE5 Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=VoyLbqvg; spf=pass (imf12.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.44 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Rspamd-Server: rspam01 X-Stat-Signature: mf6ecn9cw1racs8gcnr495kmcqo93hpa X-HE-Tag: 1629263325-719217 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: As already done in GrapheneOS, add the __alloc_size attribute for appropriate percpu allocator interfaces, to provide additional hinting for better bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler optimizations. Co-developed-by: Daniel Micay Signed-off-by: Daniel Micay Cc: Dennis Zhou Cc: Tejun Heo Cc: Christoph Lameter Cc: linux-mm@kvack.org Signed-off-by: Kees Cook --- include/linux/percpu.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/percpu.h b/include/linux/percpu.h index 5e76af742c80..98a9371133f8 100644 --- a/include/linux/percpu.h +++ b/include/linux/percpu.h @@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size, pcpu_fc_populate_pte_fn_t populate_pte_fn); #endif -extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align); +extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __alloc_size(1); extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr); extern bool is_kernel_percpu_address(unsigned long addr); @@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr); extern void __init setup_per_cpu_areas(void); #endif -extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp); -extern void __percpu *__alloc_percpu(size_t size, size_t align); +extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __alloc_size(1); +extern void __percpu *__alloc_percpu(size_t size, size_t align) __alloc_size(1); extern void free_percpu(void __percpu *__pdata); extern phys_addr_t per_cpu_ptr_to_phys(void *addr); From patchwork Wed Aug 18 05:08:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 12442623 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B45FC19F3C for ; Wed, 18 Aug 2021 05:08:57 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 917466103A for ; Wed, 18 Aug 2021 05:08:57 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 917466103A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 6FB398D0005; Wed, 18 Aug 2021 01:08:48 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 6AC988D0001; Wed, 18 Aug 2021 01:08:48 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 54BA28D0005; Wed, 18 Aug 2021 01:08:48 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0226.hostedemail.com [216.40.44.226]) by kanga.kvack.org (Postfix) with ESMTP id 38CA88D0001 for ; Wed, 18 Aug 2021 01:08:48 -0400 (EDT) Received: from smtpin10.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id DDA2A824999B for ; Wed, 18 Aug 2021 05:08:47 +0000 (UTC) X-FDA: 78487021494.10.52A8E83 Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by imf17.hostedemail.com (Postfix) with ESMTP id A09DBF00348B for ; Wed, 18 Aug 2021 05:08:47 +0000 (UTC) Received: by mail-pl1-f169.google.com with SMTP id n12so1076913plf.4 for ; Tue, 17 Aug 2021 22:08:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=FK2fIWn19YrP32oTsI8kiLBJYwRvpS1FTekYTCayugc=; b=m1B7uYDMpDUCE9+R/JaIy7VxsbIG2eNTIT+fHb4u4fBE9H+u1PR56oYkUL087UoT+M DoBCwzptwPo08auHY/WjzVvC/Q9cQRvfT0NqWGTkvReAqw+AIskTM4Ip5Ng2F8Zun774 29fWvW3grg+DRUZp4UHrch1DrUYhmdDSGKQrc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=FK2fIWn19YrP32oTsI8kiLBJYwRvpS1FTekYTCayugc=; b=eG7ECA0DAjgNozf4DtW3Hd7eTwaJLHXAHWdkViSXp49qvQzcYhFzNe5R20l9TuRNgP NNQ3D6xJqOKzEvJIonQCpsziNKpnJDy1BUlELJJOXDlNXm0bgGKSzhUaWevfNbaSV+nI cSZhad3BahLcZS+1fm+GKInVkHjvayUVtFg0sC3Kn1FHeQPfz1W1oAkQ7ZsM6jQFraVj AXJ0eGStgPe5FEFUy0Tv+QUOAe4qoGJAiiMpozZ4v6H3GJ6BVKqW20RR+/unuKF1Jp45 otuaqh/fB0nb4Q8GNR1He7PlfVHfkmstQ83PjOMENgsxCCE5SjR2sw7b7eQ3DkrP8t9B NT8g== X-Gm-Message-State: AOAM5320YRuXYWsdz/glbraPi3bPOVvZZ6uHhec7tev8NyabI/VAgER2 0G0THtZaalYrZ/0Egwzxu/Q3fQ== X-Google-Smtp-Source: ABdhPJw3TZNVOkyIiaV8rbXlMH7bQVdkoRyiSUgXA9s5bV0IQPqLsxWhNFyH8vNjJf3GqmWHB2GDEQ== X-Received: by 2002:a17:90b:3718:: with SMTP id mg24mr7652580pjb.158.1629263326717; Tue, 17 Aug 2021 22:08:46 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id r13sm5247632pgl.90.2021.08.17.22.08.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 22:08:46 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Daniel Micay , Andrew Morton , linux-mm@kvack.org, Miguel Ojeda , Nathan Chancellor , Nick Desaulniers , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Vlastimil Babka , Dennis Zhou , Tejun Heo , Masahiro Yamada , Michal Marek , clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 5/5] mm/vmalloc: Add __alloc_size attributes for better bounds checking Date: Tue, 17 Aug 2021 22:08:41 -0700 Message-Id: <20210818050841.2226600-6-keescook@chromium.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210818050841.2226600-1-keescook@chromium.org> References: <20210818050841.2226600-1-keescook@chromium.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2480; h=from:subject; bh=5f6ICgvlEcDnZ5CvExQnS354eTx1Re0AZwmMZI84A5o=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBhHJXYNOcKk3pb/hdH0pQG61sgMsvM2uPEmpliSWFO auEpIquJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCYRyV2AAKCRCJcvTf3G3AJpBhD/ 94RVCDqdDBUbvyrRsg2UwLDN/C/AanhfxGGXoFQZ/Db9AFoP/OQgdhSrh3zfuYH5gL2IfgXtNFQUjH RC+mh0rpeaoG103VtZkh7CxQ6hpcp5Nh4ZgINyIyqdA/3FbngtFC4/JVpleRFrTfqJMKmH5chVM4gC oiBvWIl48k3ExCNccwHsIB4LkhzM2+lLljU2Db9VlLYkcyHK+R47iclOlGK59zI0eNMCV3witO4xYe 9W4bUHcJwGCjCj8ERqtUHGmAG/v6/68E8ga3l/k0SFgC0bbSNbK74t3U0f9SzxDwqV/j8icex3NlKS HzoS6dqNNzf7ANraAm7X0yMYh9OmqdZ6s29xHnSx0P0RGXH2xeB94kciWFVkM6ekX5JSgGfYbheoPC 0GvTs1Q5lar5b+TvABSBB3kdmUJSBW0/puxXf6vFXqOGqGJWCRN4aKkWIJo9Adiq1XfwBPkkbQmyFW Kg+zOhC9BNCApxIfqz/sQ+1BRDF4dqsrohVBpzRlRj6m/67Sg66cTNe2rrItoD1qssJZ8WaadlWbxu qljdjB59uZtvtjlATr5GsPXup7shDyk8B8iNPX2p1w4/6wTeNOHlyy08jWPuXVA0vvTcRc6aZ24e8h XnhJNM1zn93N07XxrnL1mpUka9jN86XbzikHemhZiZP+GZKVZMqYdvssGqxA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=m1B7uYDM; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf17.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.169 as permitted sender) smtp.mailfrom=keescook@chromium.org X-Stat-Signature: e19onza3dbrc158a6nbi87ambhqmi9uk X-Rspamd-Queue-Id: A09DBF00348B X-Rspamd-Server: rspam05 X-HE-Tag: 1629263327-615475 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: As already done in GrapheneOS, add the __alloc_size attribute for appropriate vmalloc allocator interfaces, to provide additional hinting for better bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler optimizations. Co-developed-by: Daniel Micay Signed-off-by: Daniel Micay Cc: Andrew Morton Cc: linux-mm@kvack.org Signed-off-by: Kees Cook --- include/linux/vmalloc.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index 2644425b6dce..f4ede07e1dae 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h @@ -136,21 +136,21 @@ static inline void vmalloc_init(void) static inline unsigned long vmalloc_nr_pages(void) { return 0; } #endif -extern void *vmalloc(unsigned long size); -extern void *vzalloc(unsigned long size); -extern void *vmalloc_user(unsigned long size); -extern void *vmalloc_node(unsigned long size, int node); -extern void *vzalloc_node(unsigned long size, int node); -extern void *vmalloc_32(unsigned long size); -extern void *vmalloc_32_user(unsigned long size); -extern void *__vmalloc(unsigned long size, gfp_t gfp_mask); +extern void *vmalloc(unsigned long size) __alloc_size(1); +extern void *vzalloc(unsigned long size) __alloc_size(1); +extern void *vmalloc_user(unsigned long size) __alloc_size(1); +extern void *vmalloc_node(unsigned long size, int node) __alloc_size(1); +extern void *vzalloc_node(unsigned long size, int node) __alloc_size(1); +extern void *vmalloc_32(unsigned long size) __alloc_size(1); +extern void *vmalloc_32_user(unsigned long size) __alloc_size(1); +extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __alloc_size(1); extern void *__vmalloc_node_range(unsigned long size, unsigned long align, unsigned long start, unsigned long end, gfp_t gfp_mask, pgprot_t prot, unsigned long vm_flags, int node, - const void *caller); + const void *caller) __alloc_size(1); void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask, - int node, const void *caller); -void *vmalloc_no_huge(unsigned long size); + int node, const void *caller) __alloc_size(1); +void *vmalloc_no_huge(unsigned long size) __alloc_size(1); extern void vfree(const void *addr); extern void vfree_atomic(const void *addr);