| Message ID | 20201019191928.77845-2-dgilbert@interlog.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v3,1/4] sgl_alloc_order: remove 4 GiB limit, sgl_free() warning | expand |
Am 19.10.20 um 21:19 schrieb Douglas Gilbert: > This patch removes a check done by sgl_alloc_order() before it starts > any allocations. The comment before the removed code says: "Check for > integer overflow" arguably gives a false sense of security. The right > hand side of the expression in the condition is resolved as u32 so > cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed > that amount. If that was the intention then the comment above it > could be dropped and the condition rewritten more clearly as: > if (length > UINT32_MAX) <<failure path >>; I think the intention of the check is to reject calls, where length is so high, that calculation of nent overflows unsigned int nent/nalloc. Consistently a similar check is done few lines later before incrementing nalloc due to chainable = true. So I think the code tries to allow length values up to 4G << (PAGE_SHIFT + order). That said I think instead of removing the check it better should be fixed, e.g. by adding an unsigned long long cast before nent BTW: I don't know why there are two checks. I think one check after conditionally incrementing nalloc would be enough. > > The author's intention is to use sgl_alloc_order() to replace > vmalloc(unsigned long) for a large allocation (debug ramdisk). > vmalloc has no limit at 4 GiB so its seems unreasonable that: > sgl_alloc_order(unsigned long long length, ....) > does. sgl_s made with sgl_alloc_order(chainable=false) have equally > sized segments placed in a scatter gather array. That allows O(1) > navigation around a big sgl using some simple integer maths. > > Having previously sent a patch to fix a memory leak in > sg_alloc_order() take the opportunity to put a one line comment above > sgl_free()'s declaration that it is not suitable when order > 0 . The > mis-use of sgl_free() when order > 0 was the reason for the memory > leak. The other users of sgl_alloc_order() in the kernel where > checked and found to handle free-ing properly. > > Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> > --- > include/linux/scatterlist.h | 1 + > lib/scatterlist.c | 3 --- > 2 files changed, 1 insertion(+), 3 deletions(-) > > diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h > index 45cf7b69d852..80178afc2a4a 100644 > --- a/include/linux/scatterlist.h > +++ b/include/linux/scatterlist.h > @@ -302,6 +302,7 @@ struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp, > unsigned int *nent_p); > void sgl_free_n_order(struct scatterlist *sgl, int nents, int order); > void sgl_free_order(struct scatterlist *sgl, int order); > +/* Only use sgl_free() when order is 0 */ > void sgl_free(struct scatterlist *sgl); > #endif /* CONFIG_SGL_ALLOC */ > > diff --git a/lib/scatterlist.c b/lib/scatterlist.c > index c448642e0f78..d5770e7f1030 100644 > --- a/lib/scatterlist.c > +++ b/lib/scatterlist.c > @@ -493,9 +493,6 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, > u32 elem_len; > > nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order); > - /* Check for integer overflow */ > - if (length > (nent << (PAGE_SHIFT + order))) > - return NULL; > nalloc = nent; > if (chainable) { > /* Check for integer overflow */ >
On 2020-11-03 7:54 a.m., Bodo Stroesser wrote: > Am 19.10.20 um 21:19 schrieb Douglas Gilbert: >> This patch removes a check done by sgl_alloc_order() before it starts >> any allocations. The comment before the removed code says: "Check for >> integer overflow" arguably gives a false sense of security. The right >> hand side of the expression in the condition is resolved as u32 so >> cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed >> that amount. If that was the intention then the comment above it >> could be dropped and the condition rewritten more clearly as: >> if (length > UINT32_MAX) <<failure path >>; > > I think the intention of the check is to reject calls, where length is so high, that calculation of nent overflows unsigned int nent/nalloc. > Consistently a similar check is done few lines later before incrementing nalloc due to chainable = true. > So I think the code tries to allow length values up to 4G << (PAGE_SHIFT + order). > > That said I think instead of removing the check it better should be fixed, e.g. by adding an unsigned long long cast before nent > > BTW: I don't know why there are two checks. I think one check after conditionally incrementing nalloc would be enough. Okay, I'm working on a "v4" patchset. Apart from the above, my plan is to extend sgl_compare_sgl() with a helper that additionally yields the byte index of the first miscompare. Doug Gilbert >> The author's intention is to use sgl_alloc_order() to replace >> vmalloc(unsigned long) for a large allocation (debug ramdisk). >> vmalloc has no limit at 4 GiB so its seems unreasonable that: >> sgl_alloc_order(unsigned long long length, ....) >> does. sgl_s made with sgl_alloc_order(chainable=false) have equally >> sized segments placed in a scatter gather array. That allows O(1) >> navigation around a big sgl using some simple integer maths. >> >> Having previously sent a patch to fix a memory leak in >> sg_alloc_order() take the opportunity to put a one line comment above >> sgl_free()'s declaration that it is not suitable when order > 0 . The >> mis-use of sgl_free() when order > 0 was the reason for the memory >> leak. The other users of sgl_alloc_order() in the kernel where >> checked and found to handle free-ing properly. >> >> Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> >> --- >> include/linux/scatterlist.h | 1 + >> lib/scatterlist.c | 3 --- >> 2 files changed, 1 insertion(+), 3 deletions(-) >> >> diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h >> index 45cf7b69d852..80178afc2a4a 100644 >> --- a/include/linux/scatterlist.h >> +++ b/include/linux/scatterlist.h >> @@ -302,6 +302,7 @@ struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp, >> unsigned int *nent_p); >> void sgl_free_n_order(struct scatterlist *sgl, int nents, int order); >> void sgl_free_order(struct scatterlist *sgl, int order); >> +/* Only use sgl_free() when order is 0 */ >> void sgl_free(struct scatterlist *sgl); >> #endif /* CONFIG_SGL_ALLOC */ >> >> diff --git a/lib/scatterlist.c b/lib/scatterlist.c >> index c448642e0f78..d5770e7f1030 100644 >> --- a/lib/scatterlist.c >> +++ b/lib/scatterlist.c >> @@ -493,9 +493,6 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, >> u32 elem_len; >> >> nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order); >> - /* Check for integer overflow */ >> - if (length > (nent << (PAGE_SHIFT + order))) >> - return NULL; >> nalloc = nent; >> if (chainable) { >> /* Check for integer overflow */ >>
diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h index 45cf7b69d852..80178afc2a4a 100644 --- a/include/linux/scatterlist.h +++ b/include/linux/scatterlist.h @@ -302,6 +302,7 @@ struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp, unsigned int *nent_p); void sgl_free_n_order(struct scatterlist *sgl, int nents, int order); void sgl_free_order(struct scatterlist *sgl, int order); +/* Only use sgl_free() when order is 0 */ void sgl_free(struct scatterlist *sgl); #endif /* CONFIG_SGL_ALLOC */ diff --git a/lib/scatterlist.c b/lib/scatterlist.c index c448642e0f78..d5770e7f1030 100644 --- a/lib/scatterlist.c +++ b/lib/scatterlist.c @@ -493,9 +493,6 @@ struct scatterlist *sgl_alloc_order(unsigned long long length, u32 elem_len; nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order); - /* Check for integer overflow */ - if (length > (nent << (PAGE_SHIFT + order))) - return NULL; nalloc = nent; if (chainable) { /* Check for integer overflow */
This patch removes a check done by sgl_alloc_order() before it starts any allocations. The comment before the removed code says: "Check for integer overflow" arguably gives a false sense of security. The right hand side of the expression in the condition is resolved as u32 so cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed that amount. If that was the intention then the comment above it could be dropped and the condition rewritten more clearly as: if (length > UINT32_MAX) <<failure path >>; The author's intention is to use sgl_alloc_order() to replace vmalloc(unsigned long) for a large allocation (debug ramdisk). vmalloc has no limit at 4 GiB so its seems unreasonable that: sgl_alloc_order(unsigned long long length, ....) does. sgl_s made with sgl_alloc_order(chainable=false) have equally sized segments placed in a scatter gather array. That allows O(1) navigation around a big sgl using some simple integer maths. Having previously sent a patch to fix a memory leak in sg_alloc_order() take the opportunity to put a one line comment above sgl_free()'s declaration that it is not suitable when order > 0 . The mis-use of sgl_free() when order > 0 was the reason for the memory leak. The other users of sgl_alloc_order() in the kernel where checked and found to handle free-ing properly. Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> --- include/linux/scatterlist.h | 1 + lib/scatterlist.c | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-)