On Mon, 25 Aug 2025 at 22:18, Kees Cook <k...@kernel.org> wrote:
> On August 25, 2025 11:44:40 AM EDT, Marco Elver <el...@google.com> wrote:
> >Additionally, when I compile my kernel with -Rpass=alloc-token, which
> >provides diagnostics where (after dead-code elimination) type inference
> >failed, I see 966 allocation sites where the compiler failed to identify
> >a type. Some initial review confirms these are mostly variable sized
> >buffers, but also include structs with trailing flexible length arrays
> >(the latter could be recognized by the compiler by teaching it to look
> >more deeply into complex expressions such as those generated by
> >struct_size).
>
> Can the type be extracted from an AST analysis of the lhs?
>
> struct foo *p = kmalloc(bytes, gfp);
>
> Doesn't tell us much from "bytes", but typeof(*p) does...

Certainly possible. It currently looks for explicit casts if it can't
figure out from malloc args, but is not yet able to deal with implicit
casts like that. But it's fixable - on the TODO list, and should
improve coverage even more.