Re: [patch 9/9] mm/vmalloc: add __alloc_size attributes for better bounds checking

On Fri, Sep 10, 2021 at 11:43 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> I had originally set out to do that, but the problem with merging with
> __malloc is the bit in the docs about "and that the memory has undefined
> content". So we can't do that for kmalloc() in the face of GFP_ZERO, as
> well as a bunch of other helpers. I always get suspicious about "this
> will improve optimization because we depend on claiming something is
> 'undefined'". :|

Oh, I had entirely missed that historical subtlety of __malloc.

Yeah, that would have been absolutely horrible. But it's not actually
really true.

It seems that the gcc people actually realized the problem, and fixed
the documentation:

  "Attribute malloc indicates that a function is malloc-like, i.e.,
that the pointer P returned by the function cannot alias any other
pointer valid when the function returns, and moreover no pointers to
valid objects occur in any storage addressed by P. In addition, the
GCC predicts that a function with the attribute returns non-null in
most cases"

IOW, it is purely about aliasing guarantees. Basically the guarantee
is that the memory that a "malloc" function returns can not alias
(directly or indirectly) any other allocations.

See

    https://gcc.gnu.org/onlinedocs/gcc-11.2.0/gcc/Common-Function-Attributes.html#Common-Function-Attributes

So I think it's ok, and your reaction was entirely correct, but came
from looking at old documentation.

             Linus
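
Added example, not part of the original message or of the kernel patch: a userspace C sketch of the two attributes discussed above, showing that a zeroing allocator can carry `malloc` (an aliasing guarantee only) together with `alloc_size`, which feeds `__builtin_object_size` for bounds checks. The names `demo_zalloc`, `demo_checked_copy` and `demo_run` are hypothetical, and the compiler-known size is assumed to be available only when the compiler can see it (it reports `(size_t)-1` otherwise, for instance without optimization).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for a zeroing allocator such as
 * kmalloc() with __GFP_ZERO; not kernel code.
 * malloc: the result aliases no other live pointer, and the storage holds
 *         no pointers to valid objects (all-zero bytes satisfy that).
 * alloc_size(1): the result points to `size` bytes. */
__attribute__((malloc, alloc_size(1)))
void *demo_zalloc(size_t size)
{
    return calloc(1, size);
}

struct demo_result {
    int zeroed;          /* 1 if every returned byte was 0 */
    size_t known_size;   /* compiler's view; (size_t)-1 when unknown */
    int oversize_copy;   /* -1 = rejected, 0 = copied */
    int fitting_copy;
};

/* Copy only when len fits the tighter of the compiler-known and runtime sizes. */
static int demo_checked_copy(void *dst, size_t known, size_t runtime,
                             const void *src, size_t len)
{
    size_t limit = (known != (size_t)-1 && known < runtime) ? known : runtime;
    if (len > limit)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

struct demo_result demo_run(void)
{
    static const unsigned char src[32] = { 0x41 };   /* constructed input */
    struct demo_result r = { 1, 0, 0, 0 };
    unsigned char *buf = demo_zalloc(16);
    if (!buf)
        abort();
    for (size_t i = 0; i < 16; i++)
        r.zeroed &= (buf[i] == 0);
    r.known_size = __builtin_object_size(buf, 0);
    r.oversize_copy = demo_checked_copy(buf, r.known_size, 16, src, sizeof(src));
    r.fitting_copy = demo_checked_copy(buf, r.known_size, 16, src, 8);
    free(buf);
    return r;
}

int main(void) { return demo_run().oversize_copy == -1 ? 0 : 1; }
```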



