Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <71dfb645-430a-07d8-62c9-a95a8fdd5ed1@prevas.dk>
Date:   Tue, 18 Oct 2022 12:43:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.11.0
Subject: Re: [PATCH] driver core: Add __alloc_size hint to devm allocators
Content-Language: en-US
To:     Kees Cook <keescook@chromium.org>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Jason Gunthorpe <jgg@ziepe.ca>, Nishanth Menon <nm@ti.com>,
        Michael Kelley <mikelley@microsoft.com>,
        Dan Williams <dan.j.williams@intel.com>,
        Won Chung <wonchung@google.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
References: <20221018073430.never.551-kees@kernel.org>
 <d199c2af-06af-8a50-a6a1-00eefa0b67b4@prevas.dk>
 <202210180310.A13EAA7@keescook>
From:   Rasmus Villemoes <rasmus.villemoes@prevas.dk>
In-Reply-To: <202210180310.A13EAA7@keescook>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?ak5lL3RvVyt2cUdWY3VvcUVCbkRyYlo3MDMrMk1jUWdwSjdBcDZVcDF4dy9w?=
 =?utf-8?B?dm5VaThYVStoTjNnTkMrWnRVb2dONVF6aWRzQlRjSU9JRFdVYWVBZ1B6N2c3?=
 =?utf-8?B?bU1mSVpSVlZRMjBuWGIwakRDb0pycmVha1pxaWtYMVpnRFhnNmwrWE9qd0JM?=
 =?utf-8?B?b2J4SmhXR09LTTBFZ3NiMkxIVzI2eXRpamxSNFdhbUFZNGt4aU1Fc21MTHFk?=
 =?utf-8?B?OTYwaWJzMlVFaFFOKzk5VG5lMFdGdXJUSHRkcEl3QWRtMHoybnkxWXR1RE9N?=
 =?utf-8?B?MWk4VEEvejZxTklTcmJTaktIdjlBdUtIcXJZRmZqdUgxU3Bmdm1pOEZDaFlT?=
 =?utf-8?B?dWVrbVNjMUcybEtJMXA1eHh2cnFRSlNNRlhWYjFHN0YwTkdmV3Z4ZDRmK1l3?=
 =?utf-8?B?UmRLNStrbFQwdHFWZVdoalNTUUJEWGZGQUplaldUOVNJYmM0VWpsUUtZRERM?=
 =?utf-8?B?L0NYOUFwY3VBaGdrdnRVL3FMR0VUTDFOQkVzYStuU0hveDdURHFrcnErUHl0?=
 =?utf-8?B?WW1MK0UrNFgzN2laWkp5cm5tL0VoTWhxZFFQQXRnMFpYSldZQ3lrcjJnc2hN?=
 =?utf-8?B?a3J0T3E5MlRMcEFLR3JoQnNDQzZpZGtCUHF1SGFLMlBydG93YXIzYjJKNkpl?=
 =?utf-8?B?am4vNExXQ3lidEJhTE9rekxTRko1ZG1HSlhHYzFOY210N01uTmkyTnVkQmZz?=
 =?utf-8?B?c0lkRlRmNjZkNXQwMkpRckNucGJ4NmZONEZUMnk3eW1NNXdwSERLZzNVdHlP?=
 =?utf-8?B?Rm5JQUIxQUVvdmZIdVZuVm93N25vRVcyL1NRcndSOE9NSGorR0VIQWlQK3pH?=
 =?utf-8?B?bTJERjcyK3hxbmppbVYzc2pzSmYyQk9jbEM0ZVZ6cENlb1l6bk92Qkh6UXA4?=
 =?utf-8?B?YzVVdkczU0xUWHNRQVNCK2tDL1hwTnNkV3VCRm1pYWtVUDEvWnBnTkRhYm5l?=
 =?utf-8?B?V2NqWm1JaUxpQWhrbnhnSThKd0h0TkZBYWJmQ05keHV6WmVwS1M1bjdTUDIv?=
 =?utf-8?B?RldwK3VGSDZoNW1Ob2tTQTRkVkJkWjMxUXh1ZlZzVmRkRDJRSHFKOU5nVm1E?=
 =?utf-8?B?T0ZjYkRQazluclVFWTVxWmNiK0J0K2ovWmtJZ3dRUWZ2VW1oT2MvK2o1T3hu?=
 =?utf-8?B?QnEvdSthZi9TU2RSdHNpY2NjT2xHN3BSN1hxd0ZWblFmWlFCSUJFZm1CUDlX?=
 =?utf-8?B?Z3U5ZzBmZlZLOFJwWTMwOW9OUmpjU3hZWGdHMHpUV1dOZGM1V2xmK0ErNEJ6?=
 =?utf-8?B?UWVKYmFlL25GWld6aTR1Zklkek42eVp5NHEvRzQzelhRZmNBYWFzNkFKMXJP?=
 =?utf-8?B?anZ1SkM3QkxMWDd1Zm4vYzlvYmU4dS9ub1VaSEcvRk43UU1zWHFZek5sNkla?=
 =?utf-8?B?dEUyeldtVi9lUmVRV1lTY0dDQ1hncG1MaE41cHVsRWp0dkJGRDFJanlxS0l2?=
 =?utf-8?B?aDI3cVdlSmtOeko5M2RTMVFpMC9NNmxXd0J2TWYxb2xkNUdwZlduaytQcURz?=
 =?utf-8?B?N3BJdHlIL1FpMWNidTNyOVdFR3NNbFh4elcxbFFqS0s0M3MzMkluMEJ3eDV0?=
 =?utf-8?B?TzZKd2JjcWcrUVlsQ0Rwa1RhV3pzNVd3blBiVTRaOTVFRktPaFB6bGpWc2NL?=
 =?utf-8?B?L0d5ZVZvenZ4bTZZYkFBMU14WGNmSWtIT0xtTGF3Y21YL1Y0UTU5SHpqT1Mx?=
 =?utf-8?B?MmJtRUNSQ0xnWHdZbzF1Z1NxTXFraVRMS0U5NCtCWlRjcEtKc2M0UUgyVGo4?=
 =?utf-8?B?SlRVc0loQmdkWklHMzA0REh2VnpsVVJ3U3RQaHJ1em5FMTZtN3hqZ2tpRmVV?=
 =?utf-8?B?cCtybDNJc0thc1FDVjBNbFM5Z21kbXJwTVFJeUgxSFhUTiswdjlNYVVQWHVY?=
 =?utf-8?B?bUpPL0t3WFNqc244TGN6bzlabytJak5yMVA4WXVoekRjc2Q1OS83aUVOTCs1?=
 =?utf-8?B?MUJFZDlXKzJFYTdGcFRRZGtEcFVCQ1FkZGtCWGNtRVZzVW5jd3hxNkxGYmtm?=
 =?utf-8?B?cDVqZ1drMzNlVTVWdTgrVE4rR1pDUGM4bGs4cTVWVnBrSzZvaStxNGRnV2VV?=
 =?utf-8?B?cFIzMzdjRE9BdHhpUXhiYXdxVkpjNjlKTmJHWmRqdEk5VWVLcWduNFBuRmUr?=
 =?utf-8?B?eEhFYXpubWd3ckpLUk02QjkwTDJDUStHbkF2VVBkSmtnYWtXcmZ0azdBNlMy?=
 =?utf-8?B?VVE9PQ==?=
X-OriginatorOrg: prevas.dk
X-MS-Exchange-CrossTenant-Network-Message-Id: be5c422d-2682-49a0-313b-08dab0f58d2c
X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB5266.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Oct 2022 10:43:11.0024
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d350cf71-778d-4780-88f5-071a4cb1ed61
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: bYClegX/EEQVBYvdNMxEsiGZqhRefxOgUsOAyAxcXSFiSj3fXwQP4zef8Ybynz3J6rotkGNIHDNnCkyXZrEv0rD4bLUhagP/EHUQAbWYt1k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB7065
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,
        RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 18/10/2022 12.15, Kees Cook wrote:
> On Tue, Oct 18, 2022 at 12:09:30PM +0200, Rasmus Villemoes wrote:
>> On 18/10/2022 09.34, Kees Cook wrote:
>>> Mark the devm_*alloc()-family of allocations with appropriate
>>> __alloc_size() hints so the compiler can attempt to reason about buffer
>>> lengths from allocations.
>>>
>>
>>> @@ -226,7 +226,8 @@ static inline void *devm_kcalloc(struct device *dev,
>>>  void devm_kfree(struct device *dev, const void *p);
>>>  char *devm_kstrdup(struct device *dev, const char *s, gfp_t gfp) __malloc;
>>>  const char *devm_kstrdup_const(struct device *dev, const char *s, gfp_t gfp);
>>> -void *devm_kmemdup(struct device *dev, const void *src, size_t len, gfp_t gfp);
>>> +void *devm_kmemdup(struct device *dev, const void *src, size_t len, gfp_t gfp)
>>> +	__alloc_size(3);
>>
>> I think it's wrong to apply the __malloc attribute to kmemdup() and
>> variants.
>>
>> 'malloc'
>>      This tells the compiler that a function is 'malloc'-like, i.e.,
>>      that the pointer P returned by the function cannot alias any other
>>      pointer valid when the function returns, and moreover no pointers
>>      to valid objects occur in any storage addressed by P.
> 
> Oh, ew, it defines rules about _contents_ as well. Thank you for
> pointing that out!
> 
> I suppose we can use __realloc_size for these cases then?

Probably, but it's gonna be mighty confusing for people reading the code.

I was never really a fan of including __malloc in __alloc_size in the
first place, this is the kind of confusion that comes from having one
attribute include another without having the developer forced to think
about whether both actually apply in a given situation.

And that malloc documentation (both the old and the fixed) even came up
in what I assume is the thread that led up to that

    Since anything marked with __alloc_size would also qualify for marking
    with __malloc, just include __malloc along with it to avoid redundant
    markings.  (Suggested by Linus Torvalds.)

in commit 86cffecd, namely
https://lore.kernel.org/mm-commits/202109101138.53FCADF5C@keescook/ .

Rasmus