From patchwork Mon Jul 8 19:18:34 2024
From: Kees Cook
To: Vlastimil Babka
Cc: Kees Cook, Jann Horn, Tony Luck, Nick Desaulniers, Miguel Ojeda,
	Marco Elver, Nathan Chancellor, Hao Luo, Przemek Kitszel,
	Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim,
	Andrew Morton, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	"Guilherme G. Piccoli", Mark Rutland, Jakub Kicinski, Petr Pavlu,
	Alexander Lobakin, Tony Ambardar, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: [RFC][PATCH 0/4] slab: Allow for type introspection during allocation
Date: Mon, 8 Jul 2024 12:18:34 -0700
Message-Id: <20240708190924.work.846-kees@kernel.org>
Hi,

This is an RFC for some changes I'd like to make to the kernel's
allocators (starting with slab) that allow for type introspection, which
has been a long-time gap in potential analysis capabilities available at
compile-time. The changes here are just a "first step" example that
updates kmalloc() and kzalloc() to show what I'm thinking we can do, and
shows an example conversion within the fs/pstore tree.

Repeating patch 3's commit log here:

There is currently no way for the slab to know what type is being
allocated, and this hampers the development of any logic that would need
this information including basic type checking, alignment need analysis,
etc. Allow the size argument to optionally be a variable, from which the
type (and thereby the size, alignment, or any other features) can be
determined at compile-time.
This allows for the incremental replacement of the classic code pattern:

	obj = kmalloc(sizeof(*obj), gfp);

into:

	obj = kmalloc(obj, gfp);

As an additional build-time safety feature, the return value of kmalloc()
also becomes typed so that the assignment and first argument cannot
drift, doing away with the other, more fragile, classic code pattern:

	obj = kmalloc(sizeof(struct the_object), gfp);

into:

	obj = kmalloc(obj, gfp);

And any accidental variable drift will not be masked by the traditional
default "void *" return value:

	obj = kmalloc(something_else, gfp);

	error: assignment to 'struct the_object *' from incompatible pointer type 'struct foo *' [-Wincompatible-pointer-types]
	   71 |         obj = kmalloc(something_else, gfp);
	      |             ^

This also opens the door for a proposed heap hardening feature that would
randomize the starting offset of the allocated object within its
power-of-2 bucket. Without being able to introspect the type for
alignment needs, this can't be done safely (or cannot be done without
significant memory usage overhead). For example, a 132 byte structure
with an 8 byte alignment could be randomized into 15 locations within
the 256 byte bucket: (256 - 132) / 8.

Thanks!

-Kees

Kees Cook (4):
  compiler_types: Add integral/pointer type helper macros
  slab: Detect negative size values and saturate
  slab: Allow for type introspection during allocation
  pstore: Replace classic kmalloc code pattern with typed argument

 fs/pstore/blk.c                |  2 +-
 fs/pstore/platform.c           |  2 +-
 fs/pstore/ram.c                |  3 +--
 fs/pstore/ram_core.c           |  2 +-
 fs/pstore/zone.c               |  2 +-
 include/linux/compiler_types.h | 23 +++++++++++++++++++++++
 include/linux/slab.h           | 32 +++++++++++++++++++++++++-------
 7 files changed, 53 insertions(+), 13 deletions(-)
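To make the mechanism described in the cover letter concrete, the following is a userland C model of a "size or pointer" allocator front end. It is an added example written for this page, not code from the patch series (the kernel patches themselves are not quoted here), so every identifier in it is an assumption: the macro names typed_alloc(), __alloc_is_ptr(), __alloc_type(), __alloc_ptr_type(), __alloc_size() and __alloc_align(), the backend_alloc() stand-in for the slab, and the layout of struct the_object. It demonstrates the two properties the letter describes: the request size and alignment derived from the pointed-to type at compile time, and the typed return value, while the classic integer-size form keeps working. Patch 2's negative-size saturation is not modelled.

```c
/*
 * Userland model of the RFC's idea: the allocator's size argument may be
 * either a byte count or a pointer variable.  For a pointer, the request is
 * sized and aligned from the pointed-to type and the result takes the
 * pointer's own type; an integer behaves the classic way.  Added example,
 * not the kernel patch: every identifier here is invented for illustration.
 * Needs GNU C (gcc or clang): __typeof__, __builtin_choose_expr,
 * __builtin_classify_type.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int gfp_t;	/* stand-in for the kernel's gfp_t */
#define GFP_KERNEL 0u

/* __builtin_classify_type() yields 5 (pointer_type_class) for pointers. */
#define __alloc_is_ptr(x)	(__builtin_classify_type(x) == 5)

/* Result type: the argument's own pointer type, or the classic "void *". */
#define __alloc_type(x) \
	__typeof__(__builtin_choose_expr(__alloc_is_ptr(x), (x), (void *)0))

/*
 * A pointer type usable under sizeof()/__alignof__() even when x is an
 * integer: the unselected branch of __builtin_choose_expr is still
 * type-checked, so fall back to "char *" instead of dereferencing "void *".
 */
#define __alloc_ptr_type(x) \
	__typeof__(__builtin_choose_expr(__alloc_is_ptr(x), (x), (char *)0))

/* sizeof(*x) for a pointer argument, the value itself for an integer. */
#define __alloc_size(x) \
	__builtin_choose_expr(__alloc_is_ptr(x), \
			      sizeof(*(__alloc_ptr_type(x))0), (size_t)(x))

/* Alignment of the pointed-to type, or 0 when no type is available. */
#define __alloc_align(x) \
	__builtin_choose_expr(__alloc_is_ptr(x), \
			      __alignof__(*(__alloc_ptr_type(x))0), (size_t)0)

/* Front end: obj = typed_alloc(obj, flags) or buf = typed_alloc(len, flags). */
#define typed_alloc(x, flags) \
	((__alloc_type(x))backend_alloc(__alloc_size(x), __alloc_align(x), (flags)))

/* The backend records what the front end derived so callers can check it. */
struct alloc_request { size_t size; size_t align; };
static struct alloc_request last_request;

static void *backend_alloc(size_t size, size_t align, gfp_t flags)
{
	void *p = malloc(size);

	(void)flags;
	last_request.size = size;
	last_request.align = align;
	if (p)
		memset(p, 0, size);	/* model kzalloc(): hand back zeroed memory */
	return p;
}

struct the_object {	/* constructed sample type: 32 bytes */
	uint64_t id;
	char name[24];
};

size_t size_from_pointer(void)  { struct the_object *o = NULL; return __alloc_size(o); }
size_t align_from_pointer(void) { struct the_object *o = NULL; return __alloc_align(o); }
size_t size_from_integer(void)  { size_t n = 100; return __alloc_size(n); }
size_t align_from_integer(void) { size_t n = 100; return __alloc_align(n); }

/* The RFC's new pattern.  Returns 1 when the request matched the struct. */
int demo_new_pattern(void)
{
	struct the_object *obj;
	int ok;

	obj = typed_alloc(obj, GFP_KERNEL);	/* sized and typed from obj itself */
	if (!obj)
		return 0;
	ok = last_request.size == sizeof(*obj) &&
	     last_request.align == __alignof__(*obj) && obj->id == 0;
	/*
	 * Drift is a build error rather than a silent mismatch: given
	 * "struct foo *other", obj = typed_alloc(other, GFP_KERNEL) triggers
	 * -Wincompatible-pointer-types because the result is "struct foo *".
	 */
	free(obj);
	return ok;
}

/* The classic pattern keeps working; the backend just sees no alignment. */
int demo_classic_pattern(void)
{
	struct the_object *obj = typed_alloc(sizeof(*obj), GFP_KERNEL);
	int ok = obj && last_request.size == sizeof(*obj) && last_request.align == 0;

	free(obj);
	return ok;
}

int main(void)
{
	printf("new pattern ok=%d, classic pattern ok=%d\n",
	       demo_new_pattern(), demo_classic_pattern());
	return 0;
}
```

Build with `gcc -Wall typed_alloc.c` (clang works as well). The drift check cannot be shown by a running program because it is a compile-time diagnostic, which is why it appears only as the comment in demo_new_pattern(); uncommenting such an assignment is the quickest way to see the typed return value do its job.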