Hi,
This is an RFC for some changes I'd like to make to the kernel's
allocators (starting with slab) that allow for type introspection, which
has been a long-time gap in potential analysis capabilities available
at compile-time. The changes here are just a "first step" example that
updates kmalloc() and kzalloc() to show what I'm thinking we can do,
and shows an example conversion within the fs/pstore tree.
Repeating patch 3's commit log here:
There is currently no way for the slab to know what type is being
allocated, and this hampers the development of any logic that would need
this information including basic type checking, alignment need analysis,
etc.
Allow the size argument to optionally be a variable, from which the
type (and there by the size, alignment, or any other features) can be
determined at compile-time. This allows for the incremental replacement
of the classic code pattern:
obj = kmalloc(sizeof(*obj), gfp);
into:
obj = kmalloc(obj, gfp);
As an additional build-time safety feature, the return value of kmalloc()
also becomes typed so that the assignment and first argument cannot drift,
doing away with the other, more fragile, classic code pattern:
obj = kmalloc(sizeof(struct the_object), gfp);
into:
obj = kmalloc(obj, gfp);
And any accidental variable drift will not be masked by the traditional
default "void *" return value:
obj = kmalloc(something_else, gfp);
error: assignment to 'struct the_object *' from incompatible pointer type 'struct foo *' [-Wincompatible-pointer-types]
71 | obj = kmalloc(something_else, gfp);
| ^
This also opens the door for a proposed heap hardening feature that
would randomize the starting offset of the allocated object within
its power-of-2 bucket. Without being able to introspect the type for
alignment needs, this can't be done safely (or cannot be done without
significant memory usage overhead). For example, a 132 byte structure
with an 8 byte alignment could be randomized into 15 locations within
the 256 byte bucket: (256 - 132) / 8.
Thanks!
-Kees
Kees Cook (4):
compiler_types: Add integral/pointer type helper macros
slab: Detect negative size values and saturate
slab: Allow for type introspection during allocation
pstore: Replace classic kmalloc code pattern with typed argument
fs/pstore/blk.c | 2 +-
fs/pstore/platform.c | 2 +-
fs/pstore/ram.c | 3 +--
fs/pstore/ram_core.c | 2 +-
fs/pstore/zone.c | 2 +-
include/linux/compiler_types.h | 23 +++++++++++++++++++++++
include/linux/slab.h | 32 +++++++++++++++++++++++++-------
7 files changed, 53 insertions(+), 13 deletions(-)
--
2.34.1
