| Message ID | 20221018092526.4035344-2-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | igb: Proactively round up to kmalloc bucket size | expand |
On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote: > In preparation for removing the "silently change allocation size" > users of ksize(), explicitly round up all q_vector allocations so that > allocations can be correctly compared to ksize(). > > Signed-off-by: Kees Cook <keescook@chromium.org> Hi! Any feedback on this part of the patch pair? > --- > drivers/net/ethernet/intel/igb/igb_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c > index 6256855d0f62..7a3a41dc0276 100644 > --- a/drivers/net/ethernet/intel/igb/igb_main.c > +++ b/drivers/net/ethernet/intel/igb/igb_main.c > @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter, > return -ENOMEM; > > ring_count = txr_count + rxr_count; > - size = struct_size(q_vector, ring, ring_count); > + size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count)); > > /* allocate q_vector and rings */ > q_vector = adapter->q_vector[v_idx]; Thanks! :) -Kees
> -----Original Message----- > From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of > Kees Cook > Sent: Tuesday, October 18, 2022 2:55 PM > To: Ruhl@www.outflux.net; Ruhl, Michael J <michael.j.ruhl@intel.com> > Cc: Kees Cook <keescook@chromium.org>; intel-wired-lan@lists.osuosl.org; > linux-kernel@vger.kernel.org; Eric Dumazet <edumazet@google.com>; > linux-hardening@vger.kernel.org; netdev@vger.kernel.org; Jakub Kicinski > <kuba@kernel.org>; Paolo Abeni <pabeni@redhat.com>; David S. Miller > <davem@davemloft.net> > Subject: [Intel-wired-lan] [PATCH v3 2/2] igb: Proactively round up to kmalloc > bucket size > > In preparation for removing the "silently change allocation size" > users of ksize(), explicitly round up all q_vector allocations so that allocations > can be correctly compared to ksize(). > > Cc: Jesse Brandeburg <jesse.brandeburg@intel.com> > Cc: Tony Nguyen <anthony.l.nguyen@intel.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Jakub Kicinski <kuba@kernel.org> > Cc: Paolo Abeni <pabeni@redhat.com> > Cc: intel-wired-lan@lists.osuosl.org > Cc: netdev@vger.kernel.org > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/net/ethernet/intel/igb/igb_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
>-----Original Message----- >From: Kees Cook <keescook@chromium.org> >Sent: Friday, October 28, 2022 11:18 PM >To: Ruhl, Michael J <michael.j.ruhl@intel.com> >Cc: Brandeburg, Jesse <jesse.brandeburg@intel.com>; Nguyen, Anthony L ><anthony.l.nguyen@intel.com>; David S. Miller <davem@davemloft.net>; >Eric Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; >Paolo Abeni <pabeni@redhat.com>; intel-wired-lan@lists.osuosl.org; >netdev@vger.kernel.org; linux-kernel@vger.kernel.org; linux- >hardening@vger.kernel.org >Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size > >On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote: >> In preparation for removing the "silently change allocation size" >> users of ksize(), explicitly round up all q_vector allocations so that >> allocations can be correctly compared to ksize(). >> >> Signed-off-by: Kees Cook <keescook@chromium.org> > >Hi! Any feedback on this part of the patch pair? > >> --- >> drivers/net/ethernet/intel/igb/igb_main.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/ethernet/intel/igb/igb_main.c >b/drivers/net/ethernet/intel/igb/igb_main.c >> index 6256855d0f62..7a3a41dc0276 100644 >> --- a/drivers/net/ethernet/intel/igb/igb_main.c >> +++ b/drivers/net/ethernet/intel/igb/igb_main.c >> @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter >*adapter, >> return -ENOMEM; >> >> ring_count = txr_count + rxr_count; >> - size = struct_size(q_vector, ring, ring_count); >> + size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count)); >> >> /* allocate q_vector and rings */ >> q_vector = adapter->q_vector[v_idx]; Hi Kees, Looking at the size usage (from elixir), I see: -- if (!q_vector) { q_vector = kzalloc(size, GFP_KERNEL); } else if (size > ksize(q_vector)) { kfree_rcu(q_vector, rcu); q_vector = kzalloc(size, GFP_KERNEL); } else { memset(q_vector, 0, size); } -- If the size is rounded up, will the (size > ksize()) check ever be true? I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)? Thanks, Mike > >Thanks! :) > >-Kees > >-- >Kees Cook
On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote: > Looking at the size usage (from elixir), I see: > > -- > if (!q_vector) { > q_vector = kzalloc(size, GFP_KERNEL); > } else if (size > ksize(q_vector)) { > kfree_rcu(q_vector, rcu); > q_vector = kzalloc(size, GFP_KERNEL); > } else { > memset(q_vector, 0, size); > } > -- > > If the size is rounded up, will the (size > ksize()) check ever be true? > > I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)? Hi! It looked like igb_alloc_q_vector() was designed to be called multiple times on the same q_vector (i.e. to grow its allocation size over time). So for that case, yes, the "size > ksize(q_vector)" check is needed. If it's only ever called once (which is hard for me to tell), then no. (And if "no", why was the alloc/free case even there in the first place?) -Kees
>-----Original Message----- >From: Kees Cook <keescook@chromium.org> >Sent: Tuesday, November 1, 2022 5:37 PM >To: Ruhl, Michael J <michael.j.ruhl@intel.com> >Cc: Brandeburg, Jesse <jesse.brandeburg@intel.com>; Nguyen, Anthony L ><anthony.l.nguyen@intel.com>; David S. Miller <davem@davemloft.net>; >Eric Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; >Paolo Abeni <pabeni@redhat.com>; intel-wired-lan@lists.osuosl.org; >netdev@vger.kernel.org; linux-kernel@vger.kernel.org; linux- >hardening@vger.kernel.org >Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size > >On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote: >> Looking at the size usage (from elixir), I see: >> >> -- >> if (!q_vector) { >> q_vector = kzalloc(size, GFP_KERNEL); >> } else if (size > ksize(q_vector)) { >> kfree_rcu(q_vector, rcu); >> q_vector = kzalloc(size, GFP_KERNEL); >> } else { >> memset(q_vector, 0, size); >> } >> -- >> >> If the size is rounded up, will the (size > ksize()) check ever be true? >> >> I.e. have you eliminated this check (and maybe getting rid of the need for >first patch?)? > >Hi! > >It looked like igb_alloc_q_vector() was designed to be called multiple >times on the same q_vector (i.e. to grow its allocation size over time). >So for that case, yes, the "size > ksize(q_vector)" check is needed. If >it's only ever called once (which is hard for me to tell), then no. (And >if "no", why was the alloc/free case even there in the first place?) Ahh, Ok, I missed the fact that size is based on ring_count. When I saw the "struct_size" I assumed that size would be the same every time and missed this point. So can vary over time, and this ksize check is needed. With that in mind these patches look good to me. Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com> Mike >-Kees > >-- >Kees Cook
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 6256855d0f62..7a3a41dc0276 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter, return -ENOMEM; ring_count = txr_count + rxr_count; - size = struct_size(q_vector, ring, ring_count); + size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count)); /* allocate q_vector and rings */ q_vector = adapter->q_vector[v_idx];
In preparation for removing the "silently change allocation size" users of ksize(), explicitly round up all q_vector allocations so that allocations can be correctly compared to ksize(). Cc: Jesse Brandeburg <jesse.brandeburg@intel.com> Cc: Tony Nguyen <anthony.l.nguyen@intel.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <edumazet@google.com> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Paolo Abeni <pabeni@redhat.com> Cc: intel-wired-lan@lists.osuosl.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/ethernet/intel/igb/igb_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)