diff mbox series

[v3,1/4] sgl_alloc_order: remove 4 GiB limit, sgl_free() warning

Message ID 20201019191928.77845-2-dgilbert@interlog.com (mailing list archive)
State New, archived
Headers show
Series [v3,1/4] sgl_alloc_order: remove 4 GiB limit, sgl_free() warning | expand

Commit Message

Douglas Gilbert Oct. 19, 2020, 7:19 p.m. UTC
This patch removes a check done by sgl_alloc_order() before it starts
any allocations. The comment before the removed code says: "Check for
integer overflow" arguably gives a false sense of security. The right
hand side of the expression in the condition is resolved as u32 so
cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed
that amount. If that was the intention then the comment above it
could be dropped and the condition rewritten more clearly as:
     if (length > UINT32_MAX) <<failure path >>;

The author's intention is to use sgl_alloc_order() to replace
vmalloc(unsigned long) for a large allocation (debug ramdisk).
vmalloc has no limit at 4 GiB so its seems unreasonable that:
    sgl_alloc_order(unsigned long long length, ....)
does. sgl_s made with sgl_alloc_order(chainable=false) have equally
sized segments placed in a scatter gather array. That allows O(1)
navigation around a big sgl using some simple integer maths.

Having previously sent a patch to fix a memory leak in
sg_alloc_order() take the opportunity to put a one line comment above
sgl_free()'s declaration that it is not suitable when order > 0 . The
mis-use of sgl_free() when order > 0 was the reason for the memory
leak. The other users of sgl_alloc_order() in the kernel where
checked and found to handle free-ing properly.

Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
---
 include/linux/scatterlist.h | 1 +
 lib/scatterlist.c           | 3 ---
 2 files changed, 1 insertion(+), 3 deletions(-)

Comments

Bodo Stroesser Nov. 3, 2020, 12:54 p.m. UTC | #1
Am 19.10.20 um 21:19 schrieb Douglas Gilbert:
> This patch removes a check done by sgl_alloc_order() before it starts
> any allocations. The comment before the removed code says: "Check for
> integer overflow" arguably gives a false sense of security. The right
> hand side of the expression in the condition is resolved as u32 so
> cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed
> that amount. If that was the intention then the comment above it
> could be dropped and the condition rewritten more clearly as:
>       if (length > UINT32_MAX) <<failure path >>;

I think the intention of the check is to reject calls, where length is so high, that calculation of nent overflows unsigned int nent/nalloc.
Consistently a similar check is done few lines later before incrementing nalloc due to chainable = true.
So I think the code tries to allow length values up to 4G << (PAGE_SHIFT + order).

That said I think instead of removing the check it better should be fixed, e.g. by adding an unsigned long long cast before nent

BTW: I don't know why there are two checks. I think one check after conditionally incrementing nalloc would be enough.

> 
> The author's intention is to use sgl_alloc_order() to replace
> vmalloc(unsigned long) for a large allocation (debug ramdisk).
> vmalloc has no limit at 4 GiB so its seems unreasonable that:
>      sgl_alloc_order(unsigned long long length, ....)
> does. sgl_s made with sgl_alloc_order(chainable=false) have equally
> sized segments placed in a scatter gather array. That allows O(1)
> navigation around a big sgl using some simple integer maths.
> 
> Having previously sent a patch to fix a memory leak in
> sg_alloc_order() take the opportunity to put a one line comment above
> sgl_free()'s declaration that it is not suitable when order > 0 . The
> mis-use of sgl_free() when order > 0 was the reason for the memory
> leak. The other users of sgl_alloc_order() in the kernel where
> checked and found to handle free-ing properly.
> 
> Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
> ---
>   include/linux/scatterlist.h | 1 +
>   lib/scatterlist.c           | 3 ---
>   2 files changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
> index 45cf7b69d852..80178afc2a4a 100644
> --- a/include/linux/scatterlist.h
> +++ b/include/linux/scatterlist.h
> @@ -302,6 +302,7 @@ struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp,
>   			      unsigned int *nent_p);
>   void sgl_free_n_order(struct scatterlist *sgl, int nents, int order);
>   void sgl_free_order(struct scatterlist *sgl, int order);
> +/* Only use sgl_free() when order is 0 */
>   void sgl_free(struct scatterlist *sgl);
>   #endif /* CONFIG_SGL_ALLOC */
>   
> diff --git a/lib/scatterlist.c b/lib/scatterlist.c
> index c448642e0f78..d5770e7f1030 100644
> --- a/lib/scatterlist.c
> +++ b/lib/scatterlist.c
> @@ -493,9 +493,6 @@ struct scatterlist *sgl_alloc_order(unsigned long long length,
>   	u32 elem_len;
>   
>   	nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order);
> -	/* Check for integer overflow */
> -	if (length > (nent << (PAGE_SHIFT + order)))
> -		return NULL;
>   	nalloc = nent;
>   	if (chainable) {
>   		/* Check for integer overflow */
>
Douglas Gilbert Nov. 4, 2020, 6:26 p.m. UTC | #2
On 2020-11-03 7:54 a.m., Bodo Stroesser wrote:
> Am 19.10.20 um 21:19 schrieb Douglas Gilbert:
>> This patch removes a check done by sgl_alloc_order() before it starts
>> any allocations. The comment before the removed code says: "Check for
>> integer overflow" arguably gives a false sense of security. The right
>> hand side of the expression in the condition is resolved as u32 so
>> cannot exceed UINT32_MAX (4 GiB) which means 'length' cannot exceed
>> that amount. If that was the intention then the comment above it
>> could be dropped and the condition rewritten more clearly as:
>>        if (length > UINT32_MAX) <<failure path >>;
> 
> I think the intention of the check is to reject calls, where length is so high, that calculation of nent overflows unsigned int nent/nalloc.
> Consistently a similar check is done few lines later before incrementing nalloc due to chainable = true.
> So I think the code tries to allow length values up to 4G << (PAGE_SHIFT + order).
> 
> That said I think instead of removing the check it better should be fixed, e.g. by adding an unsigned long long cast before nent
> 
> BTW: I don't know why there are two checks. I think one check after conditionally incrementing nalloc would be enough.

Okay, I'm working on a "v4" patchset. Apart from the above, my plan is
to extend sgl_compare_sgl() with a helper that additionally yields
the byte index of the first miscompare.

Doug Gilbert

>> The author's intention is to use sgl_alloc_order() to replace
>> vmalloc(unsigned long) for a large allocation (debug ramdisk).
>> vmalloc has no limit at 4 GiB so its seems unreasonable that:
>>       sgl_alloc_order(unsigned long long length, ....)
>> does. sgl_s made with sgl_alloc_order(chainable=false) have equally
>> sized segments placed in a scatter gather array. That allows O(1)
>> navigation around a big sgl using some simple integer maths.
>>
>> Having previously sent a patch to fix a memory leak in
>> sg_alloc_order() take the opportunity to put a one line comment above
>> sgl_free()'s declaration that it is not suitable when order > 0 . The
>> mis-use of sgl_free() when order > 0 was the reason for the memory
>> leak. The other users of sgl_alloc_order() in the kernel where
>> checked and found to handle free-ing properly.
>>
>> Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
>> ---
>>    include/linux/scatterlist.h | 1 +
>>    lib/scatterlist.c           | 3 ---
>>    2 files changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
>> index 45cf7b69d852..80178afc2a4a 100644
>> --- a/include/linux/scatterlist.h
>> +++ b/include/linux/scatterlist.h
>> @@ -302,6 +302,7 @@ struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp,
>>    			      unsigned int *nent_p);
>>    void sgl_free_n_order(struct scatterlist *sgl, int nents, int order);
>>    void sgl_free_order(struct scatterlist *sgl, int order);
>> +/* Only use sgl_free() when order is 0 */
>>    void sgl_free(struct scatterlist *sgl);
>>    #endif /* CONFIG_SGL_ALLOC */
>>    
>> diff --git a/lib/scatterlist.c b/lib/scatterlist.c
>> index c448642e0f78..d5770e7f1030 100644
>> --- a/lib/scatterlist.c
>> +++ b/lib/scatterlist.c
>> @@ -493,9 +493,6 @@ struct scatterlist *sgl_alloc_order(unsigned long long length,
>>    	u32 elem_len;
>>    
>>    	nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order);
>> -	/* Check for integer overflow */
>> -	if (length > (nent << (PAGE_SHIFT + order)))
>> -		return NULL;
>>    	nalloc = nent;
>>    	if (chainable) {
>>    		/* Check for integer overflow */
>>
diff mbox series

Patch

diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
index 45cf7b69d852..80178afc2a4a 100644
--- a/include/linux/scatterlist.h
+++ b/include/linux/scatterlist.h
@@ -302,6 +302,7 @@  struct scatterlist *sgl_alloc(unsigned long long length, gfp_t gfp,
 			      unsigned int *nent_p);
 void sgl_free_n_order(struct scatterlist *sgl, int nents, int order);
 void sgl_free_order(struct scatterlist *sgl, int order);
+/* Only use sgl_free() when order is 0 */
 void sgl_free(struct scatterlist *sgl);
 #endif /* CONFIG_SGL_ALLOC */
 
diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index c448642e0f78..d5770e7f1030 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -493,9 +493,6 @@  struct scatterlist *sgl_alloc_order(unsigned long long length,
 	u32 elem_len;
 
 	nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order);
-	/* Check for integer overflow */
-	if (length > (nent << (PAGE_SHIFT + order)))
-		return NULL;
 	nalloc = nent;
 	if (chainable) {
 		/* Check for integer overflow */