Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp3662499pxb; Sun, 24 Oct 2021 08:00:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLE1RxfV/+nPrzmj2DVE/AvdgYDdRon9vvl7j/EQDToa7XBzBBGIBPZ8d7mzD+8S5amgBa X-Received: by 2002:a50:d841:: with SMTP id v1mr18152893edj.221.1635087617328; Sun, 24 Oct 2021 08:00:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635087617; cv=none; d=google.com; s=arc-20160816; b=mia8Y1tA5LMygQMJul6ekb7Xol1YYSTXkNqzukvCEPGKnlNMpsyeNsHTAyHaSFZ9MS zRgUCHiPmkzbmjC5JBpHTXOvv0buj3mwJUWcrKHVtahx4TjjXzisBxVQu0Bl2Hyr4DmA JRaj/GJwq1uV15kRSdj1UXdTnuVT/YYYnDIA85d/6LScsE2Bmt4FjJmv2/G8VLo5neQM 49Un7N2Lts8Y/QlZSbtB0mn8QZY5FjEUrcLk9MlaRWVVgSUwEdDDIlEauDF7KuQs9T3L yyg3gd9qfnhYcsdM6Nwz6ZvueMsrbAULMawtM/aNzHgcDGV2kma3z9Zi+6QPBxy4pP/p XNMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=rs+9AqwC0tHN54NQS153KCWlEWoLLo6C5aJEsJhHiik=; b=Mxx3gJzdhpqzfG99EzXUBeX0/EJMBoU8taqCd8b4aeLQmKArpBtBGLFUTs9pHw+9Mm 9arLVEesqIg9Cp6RIPDZBdtefLefOHHEyAstVYY+sr2L+oXJmM/Z2VwuL1cnfPJbM/AU 409yeskThnAPODOM8gPw6Eu98QrQiIUVWrU2AJyqcH0A2v5ahKMm3NqvCUE88ZxuUBj5 yxbz+RfzX1nF+U0w9fORQvXMyPRwto5Z52kyTe/oYTXpi2LcAaduaiStH0E5YNsh1i80 kNF1VKE2beVW8Li7/Hm8uISp3deW2qCHkh4mSmiUXzPqeAwnQeMDc/s2Wh5teJh4bRSE nAQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s3si2901290edx.532.2021.10.24.07.59.53; Sun, 24 Oct 2021 08:00:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230379AbhJXPAN (ORCPT + 99 others); Sun, 24 Oct 2021 11:00:13 -0400 Received: from smtp06.smtpout.orange.fr ([80.12.242.128]:52863 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231256AbhJXPAN (ORCPT ); Sun, 24 Oct 2021 11:00:13 -0400 Received: from [192.168.1.18] ([92.140.161.106]) by smtp.orange.fr with ESMTPA id eewXmJYg7TdRTeewXmLjC3; Sun, 24 Oct 2021 16:57:51 +0200 X-ME-Helo: [192.168.1.18] X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Sun, 24 Oct 2021 16:57:51 +0200 X-ME-IP: 92.140.161.106 Subject: Re: [PATCH] gve: Fix a possible invalid memory access To: Willem de Bruijn Cc: jeroendb@google.com, csully@google.com, awogbemila@google.com, davem@davemloft.net, kuba@kernel.org, bcf@google.com, gustavoars@kernel.org, edumazet@google.com, jfraker@google.com, yangchun@google.com, xliutaox@google.com, sagis@google.com, lrizzo@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org References: From: Christophe JAILLET Message-ID: Date: Sun, 24 Oct 2021 16:57:49 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 24/10/2021 à 15:51, Willem de Bruijn a écrit : > On Sun, Oct 24, 2021 at 7:52 AM Christophe JAILLET > wrote: >> >> It is spurious to allocate a bitmap for 'num_qpls' bits and record the >> size of this bitmap with another value. >> >> 'qpl_map_size' is used in 'drivers/net/ethernet/google/gve/gve.h' with >> 'find_[first|next]_zero_bit()'. >> So, it looks that memory after the allocated 'qpl_id_map' could be >> scanned. > > find_first_zero_bit takes a length argument in bits: > > /** > * find_first_zero_bit - find the first cleared bit in a memory region > * @addr: The address to start the search at > * @size: The maximum number of bits to search > > qpl_map_size is passed to find_first_zero_bit. > > It does seem roundabout to compute first the number of longs needed to > hold num_qpl bits > > BITS_TO_LONGS(num_qpls) > > then again compute the number of bits in this buffer > > * sizeof(unsigned long) * BITS_PER_BYTE > > Which will simply be num_qpls again. > > But, removing BITS_PER_BYTE does not arrive at the right number. (* embarrassed *) So obvious. Thank you for taking time for the explanation on a so badly broken patch. I apologize for the noise and the waste of time :( BTW, why not just have 'priv->qpl_cfg.qpl_map_size = num_qpls;'? CJ > > >> >> Remove the '* BITS_PER_BYTE' to have allocation and length be the same. >> >> Fixes: f5cedc84a30d ("gve: Add transmit and receive support") >> Signed-off-by: Christophe JAILLET >> --- >> This patch is completely speculative and un-tested! >> You'll be warned. >> --- >> drivers/net/ethernet/google/gve/gve_main.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c >> index 7647cd05b1d2..19fe9e9b62f5 100644 >> --- a/drivers/net/ethernet/google/gve/gve_main.c >> +++ b/drivers/net/ethernet/google/gve/gve_main.c >> @@ -866,7 +866,7 @@ static int gve_alloc_qpls(struct gve_priv *priv) >> } >> >> priv->qpl_cfg.qpl_map_size = BITS_TO_LONGS(num_qpls) * >> - sizeof(unsigned long) * BITS_PER_BYTE; >> + sizeof(unsigned long); >> priv->qpl_cfg.qpl_id_map = kvcalloc(BITS_TO_LONGS(num_qpls), >> sizeof(unsigned long), GFP_KERNEL); >> if (!priv->qpl_cfg.qpl_id_map) { >> -- >> 2.30.2 >> >