Message ID | 20220922031013.2150682-1-keescook@chromium.org (mailing list archive)
---|---
Headers | From: Kees Cook <keescook@chromium.org>; To: Vlastimil Babka <vbabka@suse.cz>; Cc: Kees Cook <keescook@chromium.org>, Pekka Enberg <penberg@kernel.org>, David Rientjes <rientjes@google.com>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Andrew Morton <akpm@linux-foundation.org>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Nick Desaulniers <ndesaulniers@google.com>, Alex Elder <elder@kernel.org>, Josef Bacik <josef@toxicpanda.com>, David Sterba <dsterba@suse.com>, Sumit Semwal <sumit.semwal@linaro.org>, Christian König <christian.koenig@amd.com>, Jesse Brandeburg <jesse.brandeburg@intel.com>, Daniel Micay <danielmicay@gmail.com>, Yonghong Song <yhs@fb.com>, Marco Elver <elver@google.com>, Miguel Ojeda <ojeda@kernel.org>, Jacob Shin <jacob.shin@amd.com>, linux-kernel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, linux-fsdevel@vger.kernel.org, intel-wired-lan@lists.osuosl.org, dev@openvswitch.org, x86@kernel.org, linux-wireless@vger.kernel.org, llvm@lists.linux.dev, linux-hardening@vger.kernel.org; Subject: [PATCH 00/12] slab: Introduce kmalloc_size_roundup(); Date: Wed, 21 Sep 2022 20:10:01 -0700; Message-Id: <20220922031013.2150682-1-keescook@chromium.org>
Series | slab: Introduce kmalloc_size_roundup()
Message
Kees Cook
Sept. 22, 2022, 3:10 a.m. UTC
Hi,

This series fixes up the cases where callers of ksize() use it to
opportunistically grow their buffer sizes, which can run afoul of the
__alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE
use to perform dynamic buffer bounds checking.

Quoting the first patch:


In the effort to help the compiler reason about buffer sizes, the
__alloc_size attribute was added to allocators. This improves the scope
of the compiler's ability to apply CONFIG_UBSAN_BOUNDS and (in the near
future) CONFIG_FORTIFY_SOURCE. For most allocations, this works well,
as the vast majority of callers are not expecting to use more memory
than what they asked for.

There is, however, one common exception to this: anticipatory resizing
of kmalloc allocations. These cases all use ksize() to determine the
actual bucket size of a given allocation (e.g. 128 when 126 was asked
for). This comes in two styles in the kernel:

1) An allocation has been determined to be too small, and needs to be
   resized. Instead of the caller choosing its own next best size, it
   wants to minimize the number of calls to krealloc(), so it just uses
   ksize() plus some additional bytes, forcing the realloc into the next
   bucket size, from which it can learn how large it is now. For example:

        data = krealloc(data, ksize(data) + 1, gfp);
        data_len = ksize(data);

2) The minimum size of an allocation is calculated, but since it may
   grow in the future, just use all the space available in the chosen
   bucket immediately, to avoid needing to reallocate later. A good
   example of this is skbuff's allocators:

        data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);
        ...
        /* kmalloc(size) might give us more room than requested.
         * Put skb_shared_info exactly at the end of allocated zone,
         * to allow max possible filling before reallocation.
         */
        osize = ksize(data);
        size = SKB_WITH_OVERHEAD(osize);

In both cases, the "how large is the allocation?" question is answered
_after_ the allocation, where the compiler hinting is not in an easy place
to make the association any more. This mismatch between the compiler's
view of the buffer length and the code's intention about how much it is
going to actually use has already caused problems[1]. It is possible to
fix this by reordering the use of the "actual size" information.

We can serve the needs of users of ksize() and still have accurate buffer
length hinting for the compiler by doing the bucket size calculation
_before_ the allocation. Code can instead ask "how large an allocation
would I get for a given size?".

Introduce kmalloc_size_roundup(), to serve this function so we can start
replacing the "anticipatory resizing" uses of ksize().

[1] https://github.com/ClangBuiltLinux/linux/issues/1599
    https://github.com/KSPP/linux/issues/183
-------

And after adding kmalloc_size_roundup(), put it to use with the various
ksize() callers, restore the previously removed __alloc_size hint,
and fix the use of __malloc annotations.

I tried to trim the CC list on this series since it got rather long. I
kept all the suggested mailing lists, though. :)

Thanks!

-Kees

Kees Cook (12):
  slab: Introduce kmalloc_size_roundup()
  skbuff: Proactively round up to kmalloc bucket size
  net: ipa: Proactively round up to kmalloc bucket size
  btrfs: send: Proactively round up to kmalloc bucket size
  dma-buf: Proactively round up to kmalloc bucket size
  coredump: Proactively round up to kmalloc bucket size
  igb: Proactively round up to kmalloc bucket size
  openvswitch: Proactively round up to kmalloc bucket size
  x86/microcode/AMD: Track patch allocation size explicitly
  iwlwifi: Track scan_cmd allocation size explicitly
  slab: Remove __malloc attribute from realloc functions
  slab: Restore __alloc_size attribute to __kmalloc_track_caller

 arch/x86/include/asm/microcode.h              |  1 +
 arch/x86/kernel/cpu/microcode/amd.c           |  3 +-
 drivers/dma-buf/dma-resv.c                    |  9 +++-
 drivers/net/ethernet/intel/igb/igb_main.c     |  1 +
 drivers/net/ipa/gsi_trans.c                   |  7 ++-
 drivers/net/wireless/intel/iwlwifi/dvm/dev.h  |  1 +
 drivers/net/wireless/intel/iwlwifi/dvm/scan.c | 10 +++-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h  |  3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c  |  3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/scan.c |  6 +--
 fs/btrfs/send.c                               | 11 +++--
 fs/coredump.c                                 |  7 ++-
 include/linux/compiler_types.h                | 13 ++----
 include/linux/slab.h                          | 46 ++++++++++++++++---
 mm/slab_common.c                              | 17 +++++++
 net/core/skbuff.c                             | 34 +++++++-------
 net/openvswitch/flow_netlink.c                |  4 +-
 17 files changed, 125 insertions(+), 51 deletions(-)
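As an added illustration (not code from this series or from the kernel), a userspace C model of the two ksize() styles the cover letter describes: it separates the length the __alloc_size hint gives the compiler from the bucket size ksize() reports at runtime, and shows how rounding up before the allocation makes the two agree. The bucket table and all model_* names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of kmalloc's size buckets (the usual SLUB series up to
 * two 4 KiB pages; larger requests round up to power-of-two pages). An
 * assumption for illustration, not the kernel's real tables. */
static const size_t buckets[] = { 8, 16, 32, 64, 96, 128, 192, 256, 512,
                                  1024, 2048, 4096, 8192 };
#define PAGE_SZ 4096u

/* Model of kmalloc_size_roundup(): the bucket a request of 'size' lands in,
 * answered *before* any allocation is made. */
size_t model_roundup(size_t size)
{
    if (size == 0)
        return 0;
    for (size_t i = 0; i < sizeof(buckets) / sizeof(buckets[0]); i++)
        if (size <= buckets[i])
            return buckets[i];
    size_t pages = PAGE_SZ;
    while (pages < size)          /* power-of-two page rounding */
        pages <<= 1;
    return pages;
}

/* A model allocation: 'requested' is the length the __alloc_size hint
 * tells the compiler about, 'bucket' is what ksize() reports at runtime. */
struct alloc { char *p; size_t requested; size_t bucket; };

static struct alloc model_kmalloc(size_t size)
{
    struct alloc a = { malloc(model_roundup(size)), size, model_roundup(size) };
    return a;
}

/* What FORTIFY_SOURCE / UBSAN_BOUNDS effectively check on a memset() or
 * memcpy() into the buffer: the access must fit the compiler's view. */
static bool fortify_ok(const struct alloc *a, size_t len)
{
    return len <= a->requested;
}

/* Style 2, old form: allocate, then use everything ksize() reports.
 * The compiler was told 126 but the code uses 128: flagged. */
bool skb_style_old(size_t size, struct alloc *out)
{
    *out = model_kmalloc(size);
    return fortify_ok(out, out->bucket);   /* out->bucket == ksize(data) */
}

/* Style 2, new form: round up first, then request exactly that much, so
 * the hint and the bytes actually used agree. */
bool skb_style_new(size_t size, struct alloc *out)
{
    size = model_roundup(size);
    *out = model_kmalloc(size);
    return fortify_ok(out, size);
}

/* Style 1, new form: grow into the next bucket while keeping data_len as
 * the size actually requested (models krealloc(data, data_len, gfp)). */
size_t grow_new(struct alloc *a)
{
    size_t data_len = model_roundup(a->requested + 1);
    free(a->p);
    *a = model_kmalloc(data_len);
    return data_len;
}
```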
Comments
On 22.09.22 at 05:10, Kees Cook wrote:
> Hi,
>
> This series fixes up the cases where callers of ksize() use it to
> opportunistically grow their buffer sizes, which can run afoul of the
> __alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE
> use to perform dynamic buffer bounds checking.

Good cleanup, but one question: What other use cases do we have for ksize()
except the opportunistic growth of buffers?

Off hand I can't see any.

So when this patch set is about to clean up this use case it should probably
also take care to remove ksize() or at least limit it so that it won't be
used for this use case in the future.

Regards,
Christian.
On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote:
> On 22.09.22 at 05:10, Kees Cook wrote:
> > Hi,
> >
> > This series fixes up the cases where callers of ksize() use it to
> > opportunistically grow their buffer sizes, which can run afoul of the
> > __alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE
> > use to perform dynamic buffer bounds checking.
>
> Good cleanup, but one question: What other use cases do we have for ksize()
> except the opportunistic growth of buffers?

The remaining cases all seem to be using it as a "do we need to resize
yet?" check, where they don't actually track the allocation size
themselves and want to just depend on the slab cache to answer it. This
is most clearly seen in the igp code:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/igb/igb_main.c?h=v6.0-rc6#n1204

My "solution" there kind of side-steps it, and leaves ksize() as-is:
https://lore.kernel.org/linux-hardening/20220922031013.2150682-8-keescook@chromium.org/

The more correct solution would be to add per-v_idx size tracking,
similar to the other changes I sent:
https://lore.kernel.org/linux-hardening/20220922031013.2150682-11-keescook@chromium.org/

I wonder if perhaps I should just migrate some of this code to using
something like struct membuf.

> Off hand I can't see any.
>
> So when this patch set is about to clean up this use case it should probably
> also take care to remove ksize() or at least limit it so that it won't be
> used for this use case in the future.

Yeah, my goal would be to eliminate ksize(), and it seems possible if
other cases are satisfied with tracking their allocation sizes directly.

-Kees
On 9/22/22 17:55, Kees Cook wrote:
> On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote:
>> On 22.09.22 at 05:10, Kees Cook wrote:
>> > Hi,
>> >
>> > This series fixes up the cases where callers of ksize() use it to
>> > opportunistically grow their buffer sizes, which can run afoul of the
>> > __alloc_size hinting that CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE
>> > use to perform dynamic buffer bounds checking.
>>
>> Good cleanup, but one question: What other use cases do we have for ksize()
>> except the opportunistic growth of buffers?
>
> The remaining cases all seem to be using it as a "do we need to resize
> yet?" check, where they don't actually track the allocation size
> themselves and want to just depend on the slab cache to answer it. This
> is most clearly seen in the igp code:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/intel/igb/igb_main.c?h=v6.0-rc6#n1204
>
> My "solution" there kind of side-steps it, and leaves ksize() as-is:
> https://lore.kernel.org/linux-hardening/20220922031013.2150682-8-keescook@chromium.org/
>
> The more correct solution would be to add per-v_idx size tracking,
> similar to the other changes I sent:
> https://lore.kernel.org/linux-hardening/20220922031013.2150682-11-keescook@chromium.org/
>
> I wonder if perhaps I should just migrate some of this code to using
> something like struct membuf.
>
>> Off hand I can't see any.
>>
>> So when this patch set is about to clean up this use case it should probably
>> also take care to remove ksize() or at least limit it so that it won't be
>> used for this use case in the future.
>
> Yeah, my goal would be to eliminate ksize(), and it seems possible if
> other cases are satisfied with tracking their allocation sizes directly.

I think we could leave ksize() to determine the size without a need for
external tracking, but from now on forbid callers from using that hint to
overflow the allocation size they actually requested? Once we remove the
kasan/kfence hooks in ksize() that make the current kinds of usage possible,
we should be able to catch any offenders of the new semantics that would appear?

> -Kees
On Thu, Sep 22, 2022 at 11:05:47PM +0200, Vlastimil Babka wrote:
> On 9/22/22 17:55, Kees Cook wrote:
> > On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote:
> > [...]
> > > So when this patch set is about to clean up this use case it should probably
> > > also take care to remove ksize() or at least limit it so that it won't be
> > > used for this use case in the future.
> >
> > Yeah, my goal would be to eliminate ksize(), and it seems possible if
> > other cases are satisfied with tracking their allocation sizes directly.
>
> I think we could leave ksize() to determine the size without a need for
> external tracking, but from now on forbid callers from using that hint to
> overflow the allocation size they actually requested? Once we remove the
> kasan/kfence hooks in ksize() that make the current kinds of usage possible,
> we should be able to catch any offenders of the new semantics that would appear?

That's correct. I spent the morning working my way through the rest of
the ksize() users I didn't clean up yesterday, and in several places I
just swapped in __ksize(). But that wouldn't even be needed if we just
removed the kasan unpoisoning from ksize(), etc.

I am tempted to leave it __ksize(), though, just to reinforce that it's
not supposed to be used "normally". What do you think?
On 9/22/22 23:49, Kees Cook wrote:
> On Thu, Sep 22, 2022 at 11:05:47PM +0200, Vlastimil Babka wrote:
>> On 9/22/22 17:55, Kees Cook wrote:
>> > On Thu, Sep 22, 2022 at 09:10:56AM +0200, Christian König wrote:
>> > [...]
>> > > So when this patch set is about to clean up this use case it should probably
>> > > also take care to remove ksize() or at least limit it so that it won't be
>> > > used for this use case in the future.
>> >
>> > Yeah, my goal would be to eliminate ksize(), and it seems possible if
>> > other cases are satisfied with tracking their allocation sizes directly.
>>
>> I think we could leave ksize() to determine the size without a need for
>> external tracking, but from now on forbid callers from using that hint to
>> overflow the allocation size they actually requested? Once we remove the
>> kasan/kfence hooks in ksize() that make the current kinds of usage possible,
>> we should be able to catch any offenders of the new semantics that would appear?
>
> That's correct. I spent the morning working my way through the rest of
> the ksize() users I didn't clean up yesterday, and in several places I
> just swapped in __ksize(). But that wouldn't even be needed if we just
> removed the kasan unpoisoning from ksize(), etc.
>
> I am tempted to leave it __ksize(), though, just to reinforce that it's
> not supposed to be used "normally". What do you think?

Sounds good. Note in linux-next there's now a series in slab.git planned
for 6.1 that moves __ksize() declaration to mm/slab.h to make it more
private. But we don't want random users outside mm and related kasan/kfence
subsystems to include mm/slab.h, so we'll have to expose it again instead
of ksize().