1. 07 11月, 2021 1 次提交
    • K
      Compiler Attributes: add __alloc_size() for better bounds checking · 86cffecd
      Kees Cook 提交于
      GCC and Clang can use the "alloc_size" attribute to better inform the
      results of __builtin_object_size() (for compile-time constant values).
      Clang can additionally use alloc_size to inform the results of
      __builtin_dynamic_object_size() (for run-time values).
      
      Because GCC sees the frequent use of struct_size() as an allocator size
      argument, and notices it can return SIZE_MAX (the overflow indication),
      it complains about these call sites overflowing (since SIZE_MAX is
      greater than the default -Walloc-size-larger-than=PTRDIFF_MAX).  This
      isn't helpful since we already know a SIZE_MAX will be caught at
      run-time (this was an intentional design).  To deal with this, we must
      disable this check as it is both a false positive and redundant.  (Clang
      does not have this warning option.)
      
      Unfortunately, just checking the -Wno-alloc-size-larger-than is not
      sufficient to make the __alloc_size attribute behave correctly under
      older GCC versions.  The attribute itself must be disabled in those
      situations too, as there appears to be no way to reliably silence the
      SIZE_MAX constant expression cases for GCC versions less than 9.1:
      
         In file included from ./include/linux/resource_ext.h:11,
                          from ./include/linux/pci.h:40,
                          from drivers/net/ethernet/intel/ixgbe/ixgbe.h:9,
                          from drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c:4:
         In function 'kmalloc_node',
             inlined from 'ixgbe_alloc_q_vector' at ./include/linux/slab.h:743:9:
         ./include/linux/slab.h:618:9: error: argument 1 value '18446744073709551615' exceeds maximum object size 9223372036854775807 [-Werror=alloc-size-larger-than=]
           return __kmalloc_node(size, flags, node);
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         ./include/linux/slab.h: In function 'ixgbe_alloc_q_vector':
         ./include/linux/slab.h:455:7: note: in a call to allocation function '__kmalloc_node' declared here
          void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_slab_alignment __malloc;
                ^~~~~~~~~~~~~~
      
      Specifically:
       '-Wno-alloc-size-larger-than' is not correctly handled by GCC < 9.1
          https://godbolt.org/z/hqsfG7q84 (doesn't disable)
          https://godbolt.org/z/P9jdrPTYh (doesn't admit to not knowing about option)
          https://godbolt.org/z/465TPMWKb (only warns when other warnings appear)
      
       '-Walloc-size-larger-than=18446744073709551615' is not handled by GCC < 8.2
          https://godbolt.org/z/73hh1EPxz (ignores numeric value)
      
      Since anything marked with __alloc_size would also qualify for marking
      with __malloc, just include __malloc along with it to avoid redundant
      markings.  (Suggested by Linus Torvalds.)
      
      Finally, make sure checkpatch.pl doesn't get confused about finding the
      __alloc_size attribute on functions.  (Thanks to Joe Perches.)
      
      Link: https://lkml.kernel.org/r/20210930222704.2631604-3-keescook@chromium.orgSigned-off-by: NKees Cook <keescook@chromium.org>
      Tested-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: Andy Whitcroft <apw@canonical.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Dennis Zhou <dennis@kernel.org>
      Cc: Dwaipayan Ray <dwaipayanray1@gmail.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Alexandre Bounine <alex.bou9@gmail.com>
      Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jing Xiangfeng <jingxiangfeng@huawei.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: kernel test robot <lkp@intel.com>
      Cc: Matt Porter <mporter@kernel.crashing.org>
      Cc: Miguel Ojeda <ojeda@kernel.org>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Souptick Joarder <jrdr.linux@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      86cffecd
  2. 02 11月, 2021 1 次提交
  3. 01 11月, 2021 1 次提交
  4. 26 10月, 2021 1 次提交
  5. 24 10月, 2021 1 次提交
  6. 18 10月, 2021 2 次提交
  7. 11 10月, 2021 1 次提交
  8. 04 10月, 2021 1 次提交
  9. 27 9月, 2021 1 次提交
  10. 25 9月, 2021 1 次提交
  11. 22 9月, 2021 1 次提交
    • A
      isystem: delete global -isystem compile option · 04e85bbf
      Alexey Dobriyan 提交于
      Further isolate kernel from userspace, prevent accidental inclusion of
      undesireable headers, mainly float.h and stdatomic.h.
      
      nds32 keeps -isystem globally due to intrinsics used in entrenched header.
      
      -isystem is selectively reenabled for some files, again, for intrinsics.
      
      Compile tested on:
      
      hexagon-defconfig hexagon-allmodconfig
      alpha-allmodconfig alpha-allnoconfig alpha-defconfig arm64-allmodconfig
      arm64-allnoconfig arm64-defconfig arm-am200epdkit arm-aspeed_g4
      arm-aspeed_g5 arm-assabet arm-at91_dt arm-axm55xx arm-badge4 arm-bcm2835
      arm-cerfcube arm-clps711x arm-cm_x300 arm-cns3420vb arm-colibri_pxa270
      arm-colibri_pxa300 arm-collie arm-corgi arm-davinci_all arm-dove
      arm-ep93xx arm-eseries_pxa arm-exynos arm-ezx arm-footbridge arm-gemini
      arm-h3600 arm-h5000 arm-hackkit arm-hisi arm-imote2 arm-imx_v4_v5
      arm-imx_v6_v7 arm-integrator arm-iop32x arm-ixp4xx arm-jornada720
      arm-keystone arm-lart arm-lpc18xx arm-lpc32xx arm-lpd270 arm-lubbock
      arm-magician arm-mainstone arm-milbeaut_m10v arm-mini2440 arm-mmp2
      arm-moxart arm-mps2 arm-multi_v4t arm-multi_v5 arm-multi_v7 arm-mv78xx0
      arm-mvebu_v5 arm-mvebu_v7 arm-mxs arm-neponset arm-netwinder arm-nhk8815
      arm-omap1 arm-omap2plus arm-orion5x arm-oxnas_v6 arm-palmz72 arm-pcm027
      arm-pleb arm-pxa arm-pxa168 arm-pxa255-idp arm-pxa3xx arm-pxa910
      arm-qcom arm-realview arm-rpc arm-s3c2410 arm-s3c6400 arm-s5pv210
      arm-sama5 arm-shannon arm-shmobile arm-simpad arm-socfpga arm-spear13xx
      arm-spear3xx arm-spear6xx arm-spitz arm-stm32 arm-sunxi arm-tct_hammer
      arm-tegra arm-trizeps4 arm-u8500 arm-versatile arm-vexpress arm-vf610m4
      arm-viper arm-vt8500_v6_v7 arm-xcep arm-zeus csky-allmodconfig
      csky-allnoconfig csky-defconfig h8300-edosk2674 h8300-h8300h-sim
      h8300-h8s-sim i386-allmodconfig i386-allnoconfig i386-defconfig
      ia64-allmodconfig ia64-allnoconfig ia64-bigsur ia64-generic ia64-gensparse
      ia64-tiger ia64-zx1 m68k-amcore m68k-amiga m68k-apollo m68k-atari
      m68k-bvme6000 m68k-hp300 m68k-m5208evb m68k-m5249evb m68k-m5272c3
      m68k-m5275evb m68k-m5307c3 m68k-m5407c3 m68k-m5475evb m68k-mac
      m68k-multi m68k-mvme147 m68k-mvme16x m68k-q40 m68k-stmark2 m68k-sun3
      m68k-sun3x microblaze-allmodconfig microblaze-allnoconfig microblaze-mmu
      mips-ar7 mips-ath25 mips-ath79 mips-bcm47xx mips-bcm63xx mips-bigsur
      mips-bmips_be mips-bmips_stb mips-capcella mips-cavium_octeon mips-ci20
      mips-cobalt mips-cu1000-neo mips-cu1830-neo mips-db1xxx mips-decstation
      mips-decstation_64 mips-decstation_r4k mips-e55 mips-fuloong2e
      mips-gcw0 mips-generic mips-gpr mips-ip22 mips-ip27 mips-ip28 mips-ip32
      mips-jazz mips-jmr3927 mips-lemote2f mips-loongson1b mips-loongson1c
      mips-loongson2k mips-loongson3 mips-malta mips-maltaaprp mips-malta_kvm
      mips-malta_qemu_32r6 mips-maltasmvp mips-maltasmvp_eva mips-maltaup
      mips-maltaup_xpa mips-mpc30x mips-mtx1 mips-nlm_xlp mips-nlm_xlr
      mips-omega2p mips-pic32mzda mips-pistachio mips-qi_lb60 mips-rb532
      mips-rbtx49xx mips-rm200 mips-rs90 mips-rt305x mips-sb1250_swarm
      mips-tb0219 mips-tb0226 mips-tb0287 mips-vocore2 mips-workpad mips-xway
      nds32-allmodconfig nds32-allnoconfig nds32-defconfig nios2-10m50
      nios2-3c120 nios2-allmodconfig nios2-allnoconfig openrisc-allmodconfig
      openrisc-allnoconfig openrisc-or1klitex openrisc-or1ksim
      openrisc-simple_smp parisc-allnoconfig parisc-generic-32bit
      parisc-generic-64bit powerpc-acadia powerpc-adder875 powerpc-akebono
      powerpc-amigaone powerpc-arches powerpc-asp8347 powerpc-bamboo
      powerpc-bluestone powerpc-canyonlands powerpc-cell powerpc-chrp32
      powerpc-cm5200 powerpc-currituck powerpc-ebony powerpc-eiger
      powerpc-ep8248e powerpc-ep88xc powerpc-fsp2 powerpc-g5 powerpc-gamecube
      powerpc-ge_imp3a powerpc-holly powerpc-icon powerpc-iss476-smp
      powerpc-katmai powerpc-kilauea powerpc-klondike powerpc-kmeter1
      powerpc-ksi8560 powerpc-linkstation powerpc-lite5200b powerpc-makalu
      powerpc-maple powerpc-mgcoge powerpc-microwatt powerpc-motionpro
      powerpc-mpc512x powerpc-mpc5200 powerpc-mpc7448_hpc2 powerpc-mpc8272_ads
      powerpc-mpc8313_rdb powerpc-mpc8315_rdb powerpc-mpc832x_mds
      powerpc-mpc832x_rdb powerpc-mpc834x_itx powerpc-mpc834x_itxgp
      powerpc-mpc834x_mds powerpc-mpc836x_mds powerpc-mpc836x_rdk
      powerpc-mpc837x_mds powerpc-mpc837x_rdb powerpc-mpc83xx
      powerpc-mpc8540_ads powerpc-mpc8560_ads powerpc-mpc85xx_cds
      powerpc-mpc866_ads powerpc-mpc885_ads powerpc-mvme5100 powerpc-obs600
      powerpc-pasemi powerpc-pcm030 powerpc-pmac32 powerpc-powernv
      powerpc-ppa8548 powerpc-ppc40x powerpc-ppc44x powerpc-ppc64
      powerpc-ppc64e powerpc-ppc6xx powerpc-pq2fads powerpc-ps3
      powerpc-pseries powerpc-rainier powerpc-redwood powerpc-sam440ep
      powerpc-sbc8548 powerpc-sequoia powerpc-skiroot powerpc-socrates
      powerpc-storcenter powerpc-stx_gp3 powerpc-taishan powerpc-tqm5200
      powerpc-tqm8540 powerpc-tqm8541 powerpc-tqm8548 powerpc-tqm8555
      powerpc-tqm8560 powerpc-tqm8xx powerpc-walnut powerpc-warp powerpc-wii
      powerpc-xes_mpc85xx riscv-allmodconfig riscv-allnoconfig riscv-nommu_k210
      riscv-nommu_k210_sdcard riscv-nommu_virt riscv-rv32 s390-allmodconfig
      s390-allnoconfig s390-debug s390-zfcpdump sh-ap325rxa sh-apsh4a3a
      sh-apsh4ad0a sh-dreamcast sh-ecovec24 sh-ecovec24-romimage sh-edosk7705
      sh-edosk7760 sh-espt sh-hp6xx sh-j2 sh-kfr2r09 sh-kfr2r09-romimage
      sh-landisk sh-lboxre2 sh-magicpanelr2 sh-microdev sh-migor sh-polaris
      sh-r7780mp sh-r7785rp sh-rsk7201 sh-rsk7203 sh-rsk7264 sh-rsk7269
      sh-rts7751r2d1 sh-rts7751r2dplus sh-sdk7780 sh-sdk7786 sh-se7206 sh-se7343
      sh-se7619 sh-se7705 sh-se7712 sh-se7721 sh-se7722 sh-se7724 sh-se7750
      sh-se7751 sh-se7780 sh-secureedge5410 sh-sh03 sh-sh2007 sh-sh7710voipgw
      sh-sh7724_generic sh-sh7757lcr sh-sh7763rdp sh-sh7770_generic sh-sh7785lcr
      sh-sh7785lcr_32bit sh-shmin sh-shx3 sh-titan sh-ul2 sh-urquell
      sparc-allmodconfig sparc-allnoconfig sparc-sparc32 sparc-sparc64
      um-i386-allmodconfig um-i386-allnoconfig um-i386-defconfig
      um-x86_64-allmodconfig um-x86_64-allnoconfig x86_64-allmodconfig
      x86_64-allnoconfig x86_64-defconfig xtensa-allmodconfig xtensa-allnoconfig
      xtensa-audio_kc705 xtensa-cadence_csp xtensa-common xtensa-generic_kc705
      xtensa-iss xtensa-nommu_kc705 xtensa-smp_lx200 xtensa-virt
      xtensa-xip_kc705
      
      Tested-by: Nathan Chancellor <nathan@kernel.org> # build (hexagon)
      Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
      Acked-by: NArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      04e85bbf
  12. 20 9月, 2021 1 次提交
  13. 14 9月, 2021 2 次提交
  14. 13 9月, 2021 1 次提交
  15. 09 9月, 2021 1 次提交
  16. 06 9月, 2021 1 次提交
    • L
      Enable '-Werror' by default for all kernel builds · 3fe617cc
      Linus Torvalds 提交于
      ... but make it a config option so that broken environments can disable
      it when required.
      
      We really should always have a clean build, and will disable specific
      over-eager warnings as required, if we can't fix them.  But while I
      fairly religiously enforce that in my own tree, it doesn't get enforced
      by various build robots that don't necessarily report warnings.
      
      So this just makes '-Werror' a default compiler flag, but allows people
      to disable it for their configuration if they have some particular
      issues.
      
      Occasionally, new compiler versions end up enabling new warnings, and it
      can take a while before we have them fixed (or the warnings disabled if
      that is what it takes), so the config option allows for that situation.
      
      Hopefully this will mean that I get fewer pull requests that have new
      warnings that were not noticed by various automation we have in place.
      
      Knock wood.
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3fe617cc
  17. 03 9月, 2021 4 次提交
    • N
      kbuild: Shuffle blank line to improve comment meaning · 6272cc38
      Nathan Chancellor 提交于
      -Wunused-but-set-variable and -Wunused-const-variable are both disabled
      for the same reason but there is a blank line between them and no blank
      line between -Wno-unused-const-variable and the block.
      
      Shuffle the new line so that it is clear that the comment applied to
      both flags and the next block is separate from them.
      Signed-off-by: NNathan Chancellor <nathan@kernel.org>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      6272cc38
    • N
      kbuild: Add a comment above -Wno-gnu · 5c6ae0ef
      Nathan Chancellor 提交于
      Whenever a warning is disabled, it is helpful for future travelers to
      understand why the warning is disabled and why it is acceptable to do
      so. Add a comment for -Wno-gnu so that people understand why it is
      disabled.
      Signed-off-by: NNathan Chancellor <nathan@kernel.org>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      5c6ae0ef
    • N
      kbuild: Remove -Wno-format-invalid-specifier from clang block · a312b60d
      Nathan Chancellor 提交于
      Turning on -Wformat does not reveal any instances of this warning across
      several different builds so remove this line to keep the number of
      disabled warnings as slim as possible.
      
      This has been disabled since commit 61163efa ("kbuild: LLVMLinux:
      Add Kbuild support for building kernel with Clang"), which does not
      explain exactly why it was turned off but since it was so long ago in
      terms of both the kernel and LLVM so it is possible that some bug got
      fixed along the way.
      Signed-off-by: NNathan Chancellor <nathan@kernel.org>
      Reviewed-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      a312b60d
    • N
      Makefile: remove stale cc-option checks · 7d73c3e9
      Nick Desaulniers 提交于
      cc-option, cc-option-yn, and cc-disable-warning all invoke the compiler
      during build time, and can slow down the build when these checks become
      stale for our supported compilers, whose minimally supported versions
      increases over time. See Documentation/process/changes.rst for the
      current supported minimal versions (GCC 4.9+, clang 10.0.1+). Compiler
      version support for these flags may be verified on godbolt.org.
      
      The following flags are GCC only and supported since at least GCC 4.9.
      Remove cc-option and cc-disable-warning tests.
      * -fno-tree-loop-im
      * -Wno-maybe-uninitialized
      * -fno-reorder-blocks
      * -fno-ipa-cp-clone
      * -fno-partial-inlining
      * -femit-struct-debug-baseonly
      * -fno-inline-functions-called-once
      * -fconserve-stack
      
      The following flags are supported by all supported versions of GCC and
      Clang. Remove their cc-option, cc-option-yn, and cc-disable-warning tests.
      * -fno-delete-null-pointer-checks
      * -fno-var-tracking
      * -Wno-array-bounds
      
      The following configs are made dependent on GCC, since they use GCC
      specific flags.
      * READABLE_ASM
      * DEBUG_SECTION_MISMATCH
      
      -mfentry was not supported by s390-linux-gnu-gcc until gcc-9+, add a
      comment.
      
      --param=allow-store-data-races=0 was renamed to -fno-allow-store-data-races
      in the GCC 10 release; add a comment.
      
      -Wmaybe-uninitialized (GCC specific) was being added for CONFIG_GCOV,
      then again unconditionally; add it only once.
      
      Also, base RETPOLINE_CFLAGS and RETPOLINE_VDSO_CFLAGS on CONFIC_CC_IS_*
      then remove cc-option tests for Clang.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/1436Acked-by: NMiguel Ojeda <ojeda@kernel.org>
      Reviewed-by: NNathan Chancellor <nathan@kernel.org>
      Signed-off-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NMasahiro Yamada <masahiroy@kernel.org>
      7d73c3e9
  18. 02 9月, 2021 1 次提交
  19. 30 8月, 2021 1 次提交
  20. 23 8月, 2021 1 次提交
  21. 16 8月, 2021 1 次提交
  22. 10 8月, 2021 4 次提交
  23. 09 8月, 2021 1 次提交
  24. 05 8月, 2021 2 次提交
  25. 02 8月, 2021 1 次提交
  26. 26 7月, 2021 1 次提交
  27. 21 7月, 2021 1 次提交
    • K
      hardening: Introduce CONFIG_ZERO_CALL_USED_REGS · a82adfd5
      Kees Cook 提交于
      When CONFIG_ZERO_CALL_USED_REGS is enabled, build the kernel with
      "-fzero-call-used-regs=used-gpr" (in GCC 11). This option will zero any
      caller-used register contents just before returning from a function,
      ensuring that temporary values are not leaked beyond the function
      boundary. This means that register contents are less likely to be
      available for side channel attacks and information exposures.
      
      Additionally this helps reduce the number of useful ROP gadgets in the
      kernel image by about 20%:
      
      $ ROPgadget.py --nosys --nojop --binary vmlinux.stock | tail -n1
      Unique gadgets found: 337245
      
      $ ROPgadget.py --nosys --nojop --binary vmlinux.zero-call-regs | tail -n1
      Unique gadgets found: 267175
      
      and more notably removes simple "write-what-where" gadgets:
      
      $ ROPgadget.py --ropchain --binary vmlinux.stock | sed -n '/Step 1/,/Step 2/p'
      - Step 1 -- Write-what-where gadgets
      
              [+] Gadget found: 0xffffffff8102d76c mov qword ptr [rsi], rdx ; ret
              [+] Gadget found: 0xffffffff81000cf5 pop rsi ; ret
              [+] Gadget found: 0xffffffff8104d7c8 pop rdx ; ret
              [-] Can't find the 'xor rdx, rdx' gadget. Try with another 'mov [reg], reg'
      
              [+] Gadget found: 0xffffffff814c2b4c mov qword ptr [rsi], rdi ; ret
              [+] Gadget found: 0xffffffff81000cf5 pop rsi ; ret
              [+] Gadget found: 0xffffffff81001e51 pop rdi ; ret
              [-] Can't find the 'xor rdi, rdi' gadget. Try with another 'mov [reg], reg'
      
              [+] Gadget found: 0xffffffff81540d61 mov qword ptr [rsi], rdi ; pop rbx ; pop rbp ; ret
              [+] Gadget found: 0xffffffff81000cf5 pop rsi ; ret
              [+] Gadget found: 0xffffffff81001e51 pop rdi ; ret
              [-] Can't find the 'xor rdi, rdi' gadget. Try with another 'mov [reg], reg'
      
              [+] Gadget found: 0xffffffff8105341e mov qword ptr [rsi], rax ; ret
              [+] Gadget found: 0xffffffff81000cf5 pop rsi ; ret
              [+] Gadget found: 0xffffffff81029a11 pop rax ; ret
              [+] Gadget found: 0xffffffff811f1c3b xor rax, rax ; ret
      
      - Step 2 -- Init syscall number gadgets
      
      $ ROPgadget.py --ropchain --binary vmlinux.zero* | sed -n '/Step 1/,/Step 2/p'
      - Step 1 -- Write-what-where gadgets
      
              [-] Can't find the 'mov qword ptr [r64], r64' gadget
      
      For an x86_64 parallel build tests, this has a less than 1% performance
      impact, and grows the image size less than 1%:
      
      $ size vmlinux.stock vmlinux.zero-call-regs
         text    data     bss     dec     hex filename
      22437676   8559152 14127340 45124168 2b08a48 vmlinux.stock
      22453184   8563248 14110956 45127388 2b096dc vmlinux.zero-call-regs
      
      Impact for other architectures may vary. For example, arm64 sees a 5.5%
      image size growth, mainly due to needing to always clear x16 and x17:
      https://lore.kernel.org/lkml/20210510134503.GA88495@C02TD0UTHF1T.local/Signed-off-by: NKees Cook <keescook@chromium.org>
      a82adfd5
  28. 19 7月, 2021 1 次提交
  29. 18 7月, 2021 1 次提交
  30. 16 7月, 2021 1 次提交
    • L
      Revert "Makefile: Enable -Wimplicit-fallthrough for Clang" · d936eb23
      Linus Torvalds 提交于
      This reverts commit b7eb335e.
      
      It turns out that the problem with the clang -Wimplicit-fallthrough
      warning is not about the kernel source code, but about clang itself, and
      that the warning is unusable until clang fixes its broken ways.
      
      In particular, when you enable this warning for clang, you not only get
      warnings about implicit fallthroughs.  You also get this:
      
         warning: fallthrough annotation in unreachable code [-Wimplicit-fallthrough]
      
      which is completely broken becasue it
      
       (a) doesn't even tell you where the problem is (seriously: no line
           numbers, no filename, no nothing).
      
       (b) is fundamentally broken anyway, because there are perfectly valid
           reasons to have a fallthrough statement even if it turns out that
           it can perhaps not be reached.
      
      In the kernel, an example of that second case is code in the scheduler:
      
                      switch (state) {
                      case cpuset:
                              if (IS_ENABLED(CONFIG_CPUSETS)) {
                                      cpuset_cpus_allowed_fallback(p);
                                      state = possible;
                                      break;
                              }
                              fallthrough;
                      case possible:
      
      where if CONFIG_CPUSETS is enabled you actually never hit the
      fallthrough case at all.  But that in no way makes the fallthrough
      wrong.
      
      So the warning is completely broken, and enabling it for clang is a very
      bad idea.
      
      In the meantime, we can keep the gcc option enabled, and make the gcc
      build use
      
          -Wimplicit-fallthrough=5
      
      which means that we will at least continue to require a proper
      fallthrough statement, and that gcc won't silently accept the magic
      comment versions. Because gcc does this all correctly, and while the odd
      "=5" part is kind of obscure, it's documented in [1]:
      
        "-Wimplicit-fallthrough=5 doesn’t recognize any comments as
         fallthrough comments, only attributes disable the warning"
      
      so if clang ever fixes its bad behavior we can try enabling it there again.
      
      Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html [1]
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
      Cc: Nathan Chancellor <nathan@kernel.org>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d936eb23
  31. 15 7月, 2021 1 次提交
    • G
      Makefile: Enable -Wimplicit-fallthrough for Clang · b7eb335e
      Gustavo A. R. Silva 提交于
      With the recent fixes for fallthrough warnings, it is now possible to
      enable -Wimplicit-fallthrough for Clang.
      
      It's important to mention that since we have adopted the use of the
      pseudo-keyword macro fallthrough; we also want to avoid having more
      /* fall through */ comments being introduced. Notice that contrary
      to GCC, Clang doesn't recognize any comments as implicit fall-through
      markings when the -Wimplicit-fallthrough option is enabled. So, in
      order to avoid having more comments being introduced, we have to use
      the option -Wimplicit-fallthrough=5 for GCC, which similar to Clang,
      will cause a warning in case a code comment is intended to be used
      as a fall-through marking.
      Co-developed-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NGustavo A. R. Silva <gustavoars@kernel.org>
      b7eb335e