[v3,2/2] igb: Proactively round up to kmalloc bucket size

Message ID 20221018092526.4035344-2-keescook@chromium.org
State New
Headers
Series igb: Proactively round up to kmalloc bucket size |

Commit Message

Kees Cook Oct. 18, 2022, 9:25 a.m. UTC
  In preparation for removing the "silently change allocation size"
users of ksize(), explicitly round up all q_vector allocations so that
allocations can be correctly compared to ksize().

Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
  

Comments

Kees Cook Oct. 29, 2022, 3:17 a.m. UTC | #1
On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote:
> In preparation for removing the "silently change allocation size"
> users of ksize(), explicitly round up all q_vector allocations so that
> allocations can be correctly compared to ksize().
>
> Signed-off-by: Kees Cook <keescook@chromium.org>

Hi! Any feedback on this part of the patch pair?

> ---
>  drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
> index 6256855d0f62..7a3a41dc0276 100644
> --- a/drivers/net/ethernet/intel/igb/igb_main.c
> +++ b/drivers/net/ethernet/intel/igb/igb_main.c
> @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
>  		return -ENOMEM;
>  
>  	ring_count = txr_count + rxr_count;
> -	size = struct_size(q_vector, ring, ring_count);
> +	size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));
>  
>  	/* allocate q_vector and rings */
>  	q_vector = adapter->q_vector[v_idx];

Thanks! :)

-Kees
  
G, GurucharanX Oct. 29, 2022, 3:30 a.m. UTC | #2
> -----Original Message-----
> From: Intel-wired-lan <intel-wired-lan-bounces@osuosl.org> On Behalf Of
> Kees Cook
> Sent: Tuesday, October 18, 2022 2:55 PM
> To: Ruhl@www.outflux.net; Ruhl, Michael J <michael.j.ruhl@intel.com>
> Cc: Kees Cook <keescook@chromium.org>; intel-wired-lan@lists.osuosl.org;
> linux-kernel@vger.kernel.org; Eric Dumazet <edumazet@google.com>;
> linux-hardening@vger.kernel.org; netdev@vger.kernel.org; Jakub Kicinski
> <kuba@kernel.org>; Paolo Abeni <pabeni@redhat.com>; David S. Miller
> <davem@davemloft.net>
> Subject: [Intel-wired-lan] [PATCH v3 2/2] igb: Proactively round up to kmalloc
> bucket size
> 
> In preparation for removing the "silently change allocation size"
> users of ksize(), explicitly round up all q_vector allocations so that allocations
> can be correctly compared to ksize().
> 
> Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
> Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: intel-wired-lan@lists.osuosl.org
> Cc: netdev@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 

Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
  
Michael J. Ruhl Oct. 31, 2022, 8:42 p.m. UTC | #3
>-----Original Message-----
>From: Kees Cook <keescook@chromium.org>
>Sent: Friday, October 28, 2022 11:18 PM
>To: Ruhl, Michael J <michael.j.ruhl@intel.com>
>Cc: Brandeburg, Jesse <jesse.brandeburg@intel.com>; Nguyen, Anthony L
><anthony.l.nguyen@intel.com>; David S. Miller <davem@davemloft.net>;
>Eric Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>;
>Paolo Abeni <pabeni@redhat.com>; intel-wired-lan@lists.osuosl.org;
>netdev@vger.kernel.org; linux-kernel@vger.kernel.org; linux-
>hardening@vger.kernel.org
>Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size
>
>On Tue, Oct 18, 2022 at 02:25:25AM -0700, Kees Cook wrote:
>> In preparation for removing the "silently change allocation size"
>> users of ksize(), explicitly round up all q_vector allocations so that
>> allocations can be correctly compared to ksize().
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>
>Hi! Any feedback on this part of the patch pair?
>
>> ---
>>  drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/intel/igb/igb_main.c
>b/drivers/net/ethernet/intel/igb/igb_main.c
>> index 6256855d0f62..7a3a41dc0276 100644
>> --- a/drivers/net/ethernet/intel/igb/igb_main.c
>> +++ b/drivers/net/ethernet/intel/igb/igb_main.c
>> @@ -1195,7 +1195,7 @@ static int igb_alloc_q_vector(struct igb_adapter
>*adapter,
>>  		return -ENOMEM;
>>
>>  	ring_count = txr_count + rxr_count;
>> -	size = struct_size(q_vector, ring, ring_count);
>> +	size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));
>>
>>  	/* allocate q_vector and rings */
>>  	q_vector = adapter->q_vector[v_idx];

Hi Kees,

Looking at the size usage (from elixir), I see:

--
	if (!q_vector) {
		q_vector = kzalloc(size, GFP_KERNEL);
	} else if (size > ksize(q_vector)) {
		kfree_rcu(q_vector, rcu);
		q_vector = kzalloc(size, GFP_KERNEL);
	} else {
		memset(q_vector, 0, size);
	}
--

If the size is rounded up, will the (size > ksize()) check ever be true?

I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)?

Thanks,

Mike


>
>Thanks! :)
>
>-Kees
>
>--
>Kees Cook
  
Kees Cook Nov. 1, 2022, 9:37 p.m. UTC | #4
On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote:
> Looking at the size usage (from elixir), I see:
> 
> --
> 	if (!q_vector) {
> 		q_vector = kzalloc(size, GFP_KERNEL);
> 	} else if (size > ksize(q_vector)) {
> 		kfree_rcu(q_vector, rcu);
> 		q_vector = kzalloc(size, GFP_KERNEL);
> 	} else {
> 		memset(q_vector, 0, size);
> 	}
> --
> 
> If the size is rounded up, will the (size > ksize()) check ever be true?
> 
> I.e. have you eliminated this check (and maybe getting rid of the need for first patch?)?

Hi!

It looked like igb_alloc_q_vector() was designed to be called multiple
times on the same q_vector (i.e. to grow its allocation size over time).
So for that case, yes, the "size > ksize(q_vector)" check is needed. If
it's only ever called once (which is hard for me to tell), then no. (And
if "no", why was the alloc/free case even there in the first place?)

-Kees
  
Michael J. Ruhl Nov. 2, 2022, 2:12 p.m. UTC | #5
>-----Original Message-----
>From: Kees Cook <keescook@chromium.org>
>Sent: Tuesday, November 1, 2022 5:37 PM
>To: Ruhl, Michael J <michael.j.ruhl@intel.com>
>Cc: Brandeburg, Jesse <jesse.brandeburg@intel.com>; Nguyen, Anthony L
><anthony.l.nguyen@intel.com>; David S. Miller <davem@davemloft.net>;
>Eric Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>;
>Paolo Abeni <pabeni@redhat.com>; intel-wired-lan@lists.osuosl.org;
>netdev@vger.kernel.org; linux-kernel@vger.kernel.org; linux-
>hardening@vger.kernel.org
>Subject: Re: [PATCH v3 2/2] igb: Proactively round up to kmalloc bucket size
>
>On Mon, Oct 31, 2022 at 08:42:36PM +0000, Ruhl, Michael J wrote:
>> Looking at the size usage (from elixir), I see:
>>
>> --
>> 	if (!q_vector) {
>> 		q_vector = kzalloc(size, GFP_KERNEL);
>> 	} else if (size > ksize(q_vector)) {
>> 		kfree_rcu(q_vector, rcu);
>> 		q_vector = kzalloc(size, GFP_KERNEL);
>> 	} else {
>> 		memset(q_vector, 0, size);
>> 	}
>> --
>>
>> If the size is rounded up, will the (size > ksize()) check ever be true?
>>
>> I.e. have you eliminated this check (and maybe getting rid of the need for
>first patch?)?
>
>Hi!
>
>It looked like igb_alloc_q_vector() was designed to be called multiple
>times on the same q_vector (i.e. to grow its allocation size over time).
>So for that case, yes, the "size > ksize(q_vector)" check is needed. If
>it's only ever called once (which is hard for me to tell), then no. (And
>if "no", why was the alloc/free case even there in the first place?)

Ahh, Ok, I missed the fact that size is based on ring_count.  When I saw
the "struct_size" I assumed that size would be the same every time and
missed this point.

So can vary over time, and this ksize check is needed.

With that in mind these patches look good to me.

Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>

Mike

>-Kees
>
>--
>Kees Cook
  

Patch

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 6256855d0f62..7a3a41dc0276 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1195,7 +1195,7 @@  static int igb_alloc_q_vector(struct igb_adapter *adapter,
 		return -ENOMEM;
 
 	ring_count = txr_count + rxr_count;
-	size = struct_size(q_vector, ring, ring_count);
+	size = kmalloc_size_roundup(struct_size(q_vector, ring, ring_count));
 
 	/* allocate q_vector and rings */
 	q_vector = adapter->q_vector[v_idx];