From: Linus Torvalds
Date: Tue, 7 Apr 2020 13:16:47 -0700
Subject: Re: [PATCH v2] mm: Add kvfree_sensitive() for freeing sensitive data objects
To: Joe Perches
Cc: Waiman Long, Andrew Morton, David Howells, Jarkko Sakkinen, James Morris, "Serge E. Hallyn", Linux-MM, keyrings@vger.kernel.org, Linux Kernel Mailing List, Matthew Wilcox, David Rientjes
References: <20200406185827.22249-1-longman@redhat.com>

On Mon, Apr 6, 2020 at 12:40 PM Joe Perches wrote:
>
> 2.1.44 changed kfree(void *) to kfree(const void *) but
> I didn't find a particular reason why.

Because "free()" should always have been const (and volatile, for that
matter, but the kernel doesn't care since we eschew volatile data
structures).

It's a bug in the C library standard.

Think of it this way: free() doesn't really change the data, it kills
the lifetime of it. You can't access it afterwards - you can neither
read it nor write it validly.
That is a completely different - and independent - operation from
writing to it.

And more importantly, it's perfectly fine to have a const data
structure (or a volatile one) that you free. The allocation may have
done something like this:

    struct mystruct {
        const struct dictionary *dictionary;
        ...
    };

and it was allocated and initialized before it was assigned to that
"dictionary" pointer. That's _good_ code.

So it wasn't const before the allocation, but it turned const
afterwards, and freeing it doesn't change that, it just kills the
lifetime entirely.

So "free()" should take a const pointer without complaining, and saying

    free(mystruct->dictionary);
    free(mystruct);

is a sensible and correct thing to do. Warning about - or requiring
that dictionary pointer to be cast to be freed - is fundamentally
wrong.

We're not bound by the fact that the C standard library got their
rules wrong, so we can fix it in the kernel.

              Linus
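
The pattern described in the message above, as an added userspace example that is not part of the original e-mail and is not kernel code. The names xalloc(), xfree(), wipe(), xfree_sensitive() and roundtrip() are hypothetical; the point is that a free wrapper taking `const void *` keeps the one cast inside the wrapper, and that a wipe-before-free variant can accept the same const pointer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

struct dictionary { char words[32]; };

struct mystruct {
    const struct dictionary *dictionary;  /* read-only once published */
    int id;
};

static size_t live_allocs;  /* counter so the example can be checked */

static void *xalloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

/* Takes const void *: the only cast away from const lives here. */
static void xfree(const void *p)
{
    if (!p)
        return;
    live_allocs--;
    free((void *)p);
}

/* Zero through a volatile pointer so the stores are not optimised away. */
static void wipe(const void *p, size_t len)
{
    volatile unsigned char *b = (volatile unsigned char *)p;
    while (len--)
        *b++ = 0;
}

static void xfree_sensitive(const void *p, size_t len)
{
    if (!p)
        return;
    wipe(p, len);
    xfree(p);
}

/* Build and release a mystruct with no casts at the call sites.
 * Returns the number of allocations still live (0 when nothing leaked). */
size_t roundtrip(const char *words)
{
    struct dictionary *d = xalloc(sizeof *d);  /* writable while built */
    struct mystruct *m = xalloc(sizeof *m);
    if (!d || !m) { xfree(d); xfree(m); return (size_t)-1; }
    strncpy(d->words, words, sizeof d->words - 1);
    m->dictionary = d;                         /* const from here on */
    xfree_sensitive(m->dictionary, sizeof *m->dictionary);
    xfree(m);
    return live_allocs;
}
```

With the standard `free(void *)` signature, the call on `m->dictionary` would need a cast or draw a discarded-qualifier diagnostic at every call site.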