Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2498756pxb; Mon, 18 Jan 2021 21:15:58 -0800 (PST) X-Google-Smtp-Source: ABdhPJwDj28qWMo0HVyZkUPlW72Q02TfQnXHz7GVuoxr2WNqwVta7/zfHdKmWvCDSonyZA3q6x2a X-Received: by 2002:a17:907:175c:: with SMTP id lf28mr1900155ejc.110.1611033358350; Mon, 18 Jan 2021 21:15:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611033358; cv=none; d=google.com; s=arc-20160816; b=xOfAtogDEPsgAAORDN0kdvFjJUC00s2cTsvZlTnkcAlsIZQwY9y+a2R20jc8NhHEuu TrS7x3/jqU7fJiICMi3UTrZMU10AqWKjaf2zitZeSlIZ0caix3gzLxyNCGwrCcLsujyi xOE9qiN3/m4E/KrdF+jQHIFvsOcGK2Fd2hznD9uH964zVF6Fi4QtxR39i9189L2OoJjD z1M53xeKwOndLcAldW6RMSf8AvCE7nmG2nqdJ35P9XUvNNU6hhlg2WQQzH/l1PoMg54j iZ0omLbCkXqB+cKMnmuIO4hJGuPJeVA0mTH0qJdlHjBa2pc1D/ASTFspdk4/ukEpgtRS WOEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:reply-to; bh=Gg7q9GduIRgx2UlpFBLiEs1b2y3DvvvebX7UOpm7VLM=; b=r6Qk8UGdVwn46aT+S3bi9Dm6BRmgdwev8UFxg92MRYviGvz2uIJEFokj9x6KbnWYbf Ckr/+FVAKSFjFQvIlmeeauG/QOOcS5Eo0irGU7iy+tukCIax/a0YZ3Leba8I8qIeIj/I jSeA5bcXuX8pUEAyxQfReLZsFzfJzp9WVLUGvzStK21TB/N9c9cAGkLVkT/5G9O/OJlx HxzOEZ2fFhMXrumuCs50KOfvmf/c/l68z+TL9FxIKKVVbi2fDtk13C+UaChusm6aexbZ poUZVRN0WNphKDhubT30Z4TgmecPyXm421Rg4v7Tp/thhWFaU5ed98WuZq/sxVXjd5n1 JxpQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k11si7643046ejp.611.2021.01.18.21.15.35; Mon, 18 Jan 2021 21:15:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2437723AbhARUJp (ORCPT + 99 others); Mon, 18 Jan 2021 15:09:45 -0500 Received: from mail-1.ca.inter.net ([208.85.220.69]:41946 "EHLO mail-1.ca.inter.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2394185AbhARUJh (ORCPT ); Mon, 18 Jan 2021 15:09:37 -0500 Received: from localhost (offload-3.ca.inter.net [208.85.220.70]) by mail-1.ca.inter.net (Postfix) with ESMTP id 17EE32EA2F1; Mon, 18 Jan 2021 15:08:53 -0500 (EST) Received: from mail-1.ca.inter.net ([208.85.220.69]) by localhost (offload-3.ca.inter.net [208.85.220.70]) (amavisd-new, port 10024) with ESMTP id 6wxIMQiKLd4y; Mon, 18 Jan 2021 14:55:17 -0500 (EST) Received: from [192.168.48.23] (host-104-157-204-209.dyn.295.ca [104.157.204.209]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: dgilbert@interlog.com) by mail-1.ca.inter.net (Postfix) with ESMTPSA id 06E792EA2DB; Mon, 18 Jan 2021 15:08:51 -0500 (EST) Reply-To: dgilbert@interlog.com Subject: Re: [PATCH v6 1/4] sgl_alloc_order: remove 4 GiB limit, sgl_free() warning To: Jason Gunthorpe Cc: linux-scsi@vger.kernel.org, linux-block@vger.kernel.org, target-devel@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, martin.petersen@oracle.com, jejb@linux.vnet.ibm.com, bostroesser@gmail.com, ddiss@suse.de, bvanassche@acm.org References: <20210118163006.61659-1-dgilbert@interlog.com> <20210118163006.61659-2-dgilbert@interlog.com> <20210118182854.GJ4605@ziepe.ca> From: Douglas Gilbert Message-ID: <59707b66-0b6c-b397-82fe-5ad6a6f99ba1@interlog.com> Date: Mon, 18 Jan 2021 15:08:51 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20210118182854.GJ4605@ziepe.ca> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-CA Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-01-18 1:28 p.m., Jason Gunthorpe wrote: > On Mon, Jan 18, 2021 at 11:30:03AM -0500, Douglas Gilbert wrote: > >> After several flawed attempts to detect overflow, take the fastest >> route by stating as a pre-condition that the 'order' function argument >> cannot exceed 16 (2^16 * 4k = 256 MiB). > > That doesn't help, the point of the overflow check is similar to > overflow checks in kcalloc: to prevent the routine from allocating > less memory than the caller might assume. > > For instance ipr_store_update_fw() uses request_firmware() (which is > controlled by userspace) to drive the length argument to > sgl_alloc_order(). If userpace gives too large a value this will > corrupt kernel memory. > > So this math: > > nent = round_up(length, PAGE_SIZE << order) >> (PAGE_SHIFT + order); But that check itself overflows if order is too large (e.g. 65). A pre-condition says that the caller must know or check a value is sane, and if the user space can have a hand in the value passed the caller _must_ check pre-conditions IMO. A pre-condition also implies that the function's implementation will not have code to check the pre-condition. My "log of both sides" proposal at least got around the overflowing left shift problem. And one reviewer, Bodo Stroesser, liked it. > Needs to be checked, add a precondition to order does not help. I > already proposed a straightforward algorithm you can use. It does help, it stops your proposed check from being flawed :-) Giving a false sense of security seems more dangerous than a pre-condition statement IMO. Bart's original overflow check (in the mainline) limits length to 4GB (due to wrapping inside a 32 bit unsigned). Also note there is another pre-condition statement in that function's definition, namely that length cannot be 0. So perhaps you, Bart Van Assche and Bodo Stroesser, should compare notes and come up with a solution that you are _all_ happy with. The pre-condition works for me and is the fastest. The 'length' argument might be large, say > 1 GB [I use 1 GB in testing but did try 4GB and found the bug I'm trying to fix] but having individual elements greater than say 32 MB each does not seem very practical (and fails on the systems that I test with). In my testing the largest element size is 4 MB. Doug Gilbert