mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 13:55:32 +00:00
86cffecdea
GCC and Clang can use the "alloc_size" attribute to better inform the
results of __builtin_object_size() (for compile-time constant values).
Clang can additionally use alloc_size to inform the results of
__builtin_dynamic_object_size() (for run-time values).
Because GCC sees the frequent use of struct_size() as an allocator size
argument, and notices it can return SIZE_MAX (the overflow indication),
it complains about these call sites overflowing (since SIZE_MAX is
greater than the default -Walloc-size-larger-than=PTRDIFF_MAX). This
isn't helpful since we already know a SIZE_MAX will be caught at
run-time (this was an intentional design). To deal with this, we must
disable this check as it is both a false positive and redundant. (Clang
does not have this warning option.)
Unfortunately, just checking the -Wno-alloc-size-larger-than is not
sufficient to make the __alloc_size attribute behave correctly under
older GCC versions. The attribute itself must be disabled in those
situations too, as there appears to be no way to reliably silence the
SIZE_MAX constant expression cases for GCC versions less than 9.1:
In file included from ./include/linux/resource_ext.h:11,
from ./include/linux/pci.h:40,
from drivers/net/ethernet/intel/ixgbe/ixgbe.h:9,
from drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c:4:
In function 'kmalloc_node',
inlined from 'ixgbe_alloc_q_vector' at ./include/linux/slab.h:743:9:
./include/linux/slab.h:618:9: error: argument 1 value '18446744073709551615' exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
return __kmalloc_node(size, flags, node);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/slab.h: In function 'ixgbe_alloc_q_vector':
./include/linux/slab.h:455:7: note: in a call to allocation function '__kmalloc_node' declared here
void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_slab_alignment __malloc;
^~~~~~~~~~~~~~
Specifically:
'-Wno-alloc-size-larger-than' is not correctly handled by GCC < 9.1
https://godbolt.org/z/hqsfG7q84 (doesn't disable)
https://godbolt.org/z/P9jdrPTYh (doesn't admit to not knowing about option)
https://godbolt.org/z/465TPMWKb (only warns when other warnings appear)
'-Walloc-size-larger-than=18446744073709551615' is not handled by GCC < 8.2
https://godbolt.org/z/73hh1EPxz (ignores numeric value)
Since anything marked with __alloc_size would also qualify for marking
with __malloc, just include __malloc along with it to avoid redundant
markings. (Suggested by Linus Torvalds.)
Finally, make sure checkpatch.pl doesn't get confused about finding the
__alloc_size attribute on functions. (Thanks to Joe Perches.)
Link: https://lkml.kernel.org/r/20210930222704.2631604-3-keescook@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Andy Whitcroft <apw@canonical.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
Cc: Joe Perches <joe@perches.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jing Xiangfeng <jingxiangfeng@huawei.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: kernel test robot <lkp@intel.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Souptick Joarder <jrdr.linux@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
154 lines
4.6 KiB
C
154 lines
4.6 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __LINUX_COMPILER_TYPES_H
|
|
#error "Please don't include <linux/compiler-gcc.h> directly, include <linux/compiler.h> instead."
|
|
#endif
|
|
|
|
/*
|
|
* Common definitions for all gcc versions go here.
|
|
*/
|
|
#define GCC_VERSION (__GNUC__ * 10000 \
|
|
+ __GNUC_MINOR__ * 100 \
|
|
+ __GNUC_PATCHLEVEL__)
|
|
|
|
/*
|
|
* This macro obfuscates arithmetic on a variable address so that gcc
|
|
* shouldn't recognize the original var, and make assumptions about it.
|
|
*
|
|
* This is needed because the C standard makes it undefined to do
|
|
* pointer arithmetic on "objects" outside their boundaries and the
|
|
* gcc optimizers assume this is the case. In particular they
|
|
* assume such arithmetic does not wrap.
|
|
*
|
|
* A miscompilation has been observed because of this on PPC.
|
|
* To work around it we hide the relationship of the pointer and the object
|
|
* using this macro.
|
|
*
|
|
* Versions of the ppc64 compiler before 4.1 had a bug where use of
|
|
* RELOC_HIDE could trash r30. The bug can be worked around by changing
|
|
* the inline assembly constraint from =g to =r, in this particular
|
|
* case either is valid.
|
|
*/
|
|
#define RELOC_HIDE(ptr, off) \
|
|
({ \
|
|
unsigned long __ptr; \
|
|
__asm__ ("" : "=r"(__ptr) : "0"(ptr)); \
|
|
(typeof(ptr)) (__ptr + (off)); \
|
|
})
|
|
|
|
#ifdef CONFIG_RETPOLINE
|
|
#define __noretpoline __attribute__((__indirect_branch__("keep")))
|
|
#endif
|
|
|
|
#define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)
|
|
|
|
#define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
|
|
|
|
#if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
|
|
#define __latent_entropy __attribute__((latent_entropy))
|
|
#endif
|
|
|
|
/*
|
|
* calling noreturn functions, __builtin_unreachable() and __builtin_trap()
|
|
* confuse the stack allocation in gcc, leading to overly large stack
|
|
* frames, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365
|
|
*
|
|
* Adding an empty inline assembly before it works around the problem
|
|
*/
|
|
#define barrier_before_unreachable() asm volatile("")
|
|
|
|
/*
|
|
* Mark a position in code as unreachable. This can be used to
|
|
* suppress control flow warnings after asm blocks that transfer
|
|
* control elsewhere.
|
|
*/
|
|
#define unreachable() \
|
|
do { \
|
|
annotate_unreachable(); \
|
|
barrier_before_unreachable(); \
|
|
__builtin_unreachable(); \
|
|
} while (0)
|
|
|
|
#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__)
|
|
#define __randomize_layout __attribute__((randomize_layout))
|
|
#define __no_randomize_layout __attribute__((no_randomize_layout))
|
|
/* This anon struct can add padding, so only enable it under randstruct. */
|
|
#define randomized_struct_fields_start struct {
|
|
#define randomized_struct_fields_end } __randomize_layout;
|
|
#endif
|
|
|
|
/*
|
|
* GCC 'asm goto' miscompiles certain code sequences:
|
|
*
|
|
* http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
|
|
*
|
|
* Work it around via a compiler barrier quirk suggested by Jakub Jelinek.
|
|
*
|
|
* (asm goto is automatically volatile - the naming reflects this.)
|
|
*/
|
|
#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
|
|
|
|
#if defined(CONFIG_ARCH_USE_BUILTIN_BSWAP)
|
|
#define __HAVE_BUILTIN_BSWAP32__
|
|
#define __HAVE_BUILTIN_BSWAP64__
|
|
#define __HAVE_BUILTIN_BSWAP16__
|
|
#endif /* CONFIG_ARCH_USE_BUILTIN_BSWAP */
|
|
|
|
#if GCC_VERSION >= 70000
|
|
#define KASAN_ABI_VERSION 5
|
|
#else
|
|
#define KASAN_ABI_VERSION 4
|
|
#endif
|
|
|
|
#if __has_attribute(__no_sanitize_address__)
|
|
#define __no_sanitize_address __attribute__((no_sanitize_address))
|
|
#else
|
|
#define __no_sanitize_address
|
|
#endif
|
|
|
|
#if defined(__SANITIZE_THREAD__) && __has_attribute(__no_sanitize_thread__)
|
|
#define __no_sanitize_thread __attribute__((no_sanitize_thread))
|
|
#else
|
|
#define __no_sanitize_thread
|
|
#endif
|
|
|
|
#if __has_attribute(__no_sanitize_undefined__)
|
|
#define __no_sanitize_undefined __attribute__((no_sanitize_undefined))
|
|
#else
|
|
#define __no_sanitize_undefined
|
|
#endif
|
|
|
|
#if defined(CONFIG_KCOV) && __has_attribute(__no_sanitize_coverage__)
|
|
#define __no_sanitize_coverage __attribute__((no_sanitize_coverage))
|
|
#else
|
|
#define __no_sanitize_coverage
|
|
#endif
|
|
|
|
/*
|
|
* Turn individual warnings and errors on and off locally, depending
|
|
* on version.
|
|
*/
|
|
#define __diag_GCC(version, severity, s) \
|
|
__diag_GCC_ ## version(__diag_GCC_ ## severity s)
|
|
|
|
/* Severity used in pragma directives */
|
|
#define __diag_GCC_ignore ignored
|
|
#define __diag_GCC_warn warning
|
|
#define __diag_GCC_error error
|
|
|
|
#define __diag_str1(s) #s
|
|
#define __diag_str(s) __diag_str1(s)
|
|
#define __diag(s) _Pragma(__diag_str(GCC diagnostic s))
|
|
|
|
#if GCC_VERSION >= 80000
|
|
#define __diag_GCC_8(s) __diag(s)
|
|
#else
|
|
#define __diag_GCC_8(s)
|
|
#endif
|
|
|
|
/*
|
|
* Prior to 9.1, -Wno-alloc-size-larger-than (and therefore the "alloc_size"
|
|
* attribute) do not work, and must be disabled.
|
|
*/
|
|
#if GCC_VERSION < 90100
|
|
#undef __alloc_size__
|
|
#endif
|