| Message ID | 20230623211457.102544-17-Julia.Lawall@inria.fr |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp6054761vqr;
Fri, 23 Jun 2023 14:40:37 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ6+IzX06fdncWxOsX35VflSjUUMzNz6FvI/i8aC5r5GhScl49VMmtEzTwlbdrKDHNi6X9Nl
X-Received: by 2002:a17:90a:19ce:b0:25e:db77:1db7 with SMTP id
14-20020a17090a19ce00b0025edb771db7mr27174402pjj.9.1687556437461;
Fri, 23 Jun 2023 14:40:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687556437; cv=none;
d=google.com; s=arc-20160816;
b=QzK/6B+tBRF8baFXB2w4D4X/94OgpxlQmOoIgpB7yoMxfi8+qSmFyDFLPw/OOhaqKQ
RiYxdWyp3wDzUYqSsm4DTDvLEWqx+h/cNSBjGxxfZ04MEZSDUH2GHnYT4XS21FfRKar9
ksDin3lHdrbclXiAG2vkveyKdg1OrkCsizSUc91RacDAjTlfuHWMTkRvbNTaHQUtWGdi
co7+o4tgqrniRa/JicVg9a71dmncswXDk+USZ7YO6rUGWwO+WHgcoqj1rRJvwkZyffmg
ayLfJUZfiwCKnrXD/1oTIOY0zvNPDYoVw5dthrDge3CL2L4kLA/M0oRPNLHeTIIgJhzd
Uu1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=NBw5vlMSYDphuKB5VO9qUzXDvK0V7Xr95Q+k+nN/f84=;
fh=GCqGrws+MgIy7TDj0DbaHKdqX1BOXKj2FTlZm+3riyc=;
b=mcRgoXz1rLKf64O6vxbaO9e0huLtc7IwHvx+wJFimhLI5BDv0jY36KoPDTF3cgHCxe
GGC0pV4Cm7e2U+v8eB73w0fP12LZ0YmHBOQgODY1lYUUA6V0IHH0iowhZlBMxz0CIWJw
t8BXoMDa7/mK02Yin8Drn/8U3xwLM0JR4EO+/N1yR/47CEglK9sOZx40Pfs0mBfiC/Px
B69PuUnS201QBgI39Edqra+Kyp43R0+pi19eCPvVGde8uuQJzJkHboC1iAmzID9Phcyc
QP56vdavhvKeWaQK7FrdkbqmyJOBnJZI2gjoDLDIlnpkqsubGhTYqTSrq0azvp8ggy27
Imbg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@inria.fr header.s=dc header.b=N3bMVT0Y;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=inria.fr
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q12-20020a17090a1b0c00b00260a7aee610si2451628pjq.152.2023.06.23.14.40.24;
Fri, 23 Jun 2023 14:40:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@inria.fr header.s=dc header.b=N3bMVT0Y;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=inria.fr
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232867AbjFWVQD (ORCPT <rfc822;maxin.john@gmail.com> + 99 others);
Fri, 23 Jun 2023 17:16:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50360 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232831AbjFWVPX (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 23 Jun 2023 17:15:23 -0400
Received: from mail3-relais-sop.national.inria.fr
(mail3-relais-sop.national.inria.fr [192.134.164.104])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5ABAA10F1;
Fri, 23 Jun 2023 14:15:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=inria.fr; s=dc;
h=from:to:cc:subject:date:message-id:in-reply-to:
references:mime-version:content-transfer-encoding;
bh=NBw5vlMSYDphuKB5VO9qUzXDvK0V7Xr95Q+k+nN/f84=;
b=N3bMVT0Y+Wz5gL7ugjMaEKH0XK9iI00oy1rtPtin0vJJydKmTLv4sWIx
f9+bOpvwsiKisFRe7CqTYof5bkdOr2VD7KZRPHvQT9tp4F5J5wmAQjGXP
YzxOr1bylniwAlzHURkE8ebQwCSCW0fHOuPTsil5W0sJvnvzY6uhkWbNo
8=;
Authentication-Results: mail3-relais-sop.national.inria.fr;
dkim=none (message not signed) header.i=none;
spf=SoftFail smtp.mailfrom=Julia.Lawall@inria.fr;
dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="6.01,153,1684792800";
d="scan'208";a="59686174"
Received: from i80.paris.inria.fr (HELO i80.paris.inria.fr.) ([128.93.90.48])
by mail3-relais-sop.national.inria.fr with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Jun 2023 23:15:12 +0200
From: Julia Lawall <Julia.Lawall@inria.fr>
To: Zhenyu Wang <zhenyuw@linux.intel.com>
Cc: keescook@chromium.org, kernel-janitors@vger.kernel.org,
Zhi Wang <zhi.a.wang@intel.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
David Airlie <airlied@gmail.com>,
Daniel Vetter <daniel@ffwll.ch>,
intel-gvt-dev@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 16/26] drm/i915/gvt: use array_size
Date: Fri, 23 Jun 2023 23:14:47 +0200
Message-Id: <20230623211457.102544-17-Julia.Lawall@inria.fr>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20230623211457.102544-1-Julia.Lawall@inria.fr>
References: <20230623211457.102544-1-Julia.Lawall@inria.fr>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H3,
RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,
URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1769531178505388038?=
X-GMAIL-MSGID: =?utf-8?q?1769531178505388038?=
|
| Series |
use array_size
|
|
Commit Message
Julia Lawall
June 23, 2023, 9:14 p.m. UTC
Use array_size to protect against multiplication overflows.
The changes were done using the following Coccinelle semantic patch:
// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@
(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
---
drivers/gpu/drm/i915/gvt/gtt.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
Hi Julia, On Fri, Jun 23, 2023 at 11:14:47PM +0200, Julia Lawall wrote: > Use array_size to protect against multiplication overflows. > > The changes were done using the following Coccinelle semantic patch: > > // <smpl> > @@ > expression E1, E2; > constant C1, C2; > identifier alloc = {vmalloc,vzalloc}; > @@ > > ( > alloc(C1 * C2,...) > | > alloc( > - (E1) * (E2) > + array_size(E1, E2) > ,...) > ) > // </smpl> > > Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr> > > --- > drivers/gpu/drm/i915/gvt/gtt.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c > index 4ec85308379a..df52385ad436 100644 > --- a/drivers/gpu/drm/i915/gvt/gtt.c > +++ b/drivers/gpu/drm/i915/gvt/gtt.c > @@ -1969,14 +1969,16 @@ static struct intel_vgpu_mm *intel_vgpu_create_ggtt_mm(struct intel_vgpu *vgpu) > return ERR_PTR(-ENOMEM); > } > > - mm->ggtt_mm.host_ggtt_aperture = vzalloc((vgpu_aperture_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); > + mm->ggtt_mm.host_ggtt_aperture = > + vzalloc(array_size(vgpu_aperture_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); > if (!mm->ggtt_mm.host_ggtt_aperture) { > vfree(mm->ggtt_mm.virtual_ggtt); > vgpu_free_mm(mm); > return ERR_PTR(-ENOMEM); > } > > - mm->ggtt_mm.host_ggtt_hidden = vzalloc((vgpu_hidden_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); > + mm->ggtt_mm.host_ggtt_hidden = > + vzalloc(array_size(vgpu_hidden_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); thanks for this patch, but I see an issue here. array_size() truncates the allocation to SIZE_MAX, and I'm OK with it. The problem is that no error is notified and the user doesn't know that a truncation has happened. So that if we save from an overflow here, we might encur to an unwanted access later when we would start using the array for the size we think is allocated. kmalloc_array(), for example, returns NULL of there is a multiplication overflow and I think that's a better behaviour, although more drastic. Andi > if (!mm->ggtt_mm.host_ggtt_hidden) { > vfree(mm->ggtt_mm.host_ggtt_aperture); > vfree(mm->ggtt_mm.virtual_ggtt);
On Mon, Jun 26, 2023 at 11:26:55AM +0200, Andi Shyti wrote: > > diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c > > index 4ec85308379a..df52385ad436 100644 > > --- a/drivers/gpu/drm/i915/gvt/gtt.c > > +++ b/drivers/gpu/drm/i915/gvt/gtt.c > > @@ -1969,14 +1969,16 @@ static struct intel_vgpu_mm *intel_vgpu_create_ggtt_mm(struct intel_vgpu *vgpu) > > return ERR_PTR(-ENOMEM); > > } > > > > - mm->ggtt_mm.host_ggtt_aperture = vzalloc((vgpu_aperture_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); > > + mm->ggtt_mm.host_ggtt_aperture = > > + vzalloc(array_size(vgpu_aperture_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); > > if (!mm->ggtt_mm.host_ggtt_aperture) { > > vfree(mm->ggtt_mm.virtual_ggtt); > > vgpu_free_mm(mm); > > return ERR_PTR(-ENOMEM); > > } > > > > - mm->ggtt_mm.host_ggtt_hidden = vzalloc((vgpu_hidden_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); > > + mm->ggtt_mm.host_ggtt_hidden = > > + vzalloc(array_size(vgpu_hidden_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); > > thanks for this patch, but I see an issue here. array_size() > truncates the allocation to SIZE_MAX, and I'm OK with it. > > The problem is that no error is notified and the user doesn't > know that a truncation has happened. So that if we save from an > overflow here, we might encur to an unwanted access later when we > would start using the array for the size we think is allocated. SIZE_MAX allocations are guaranteed to fail, so the NULL check will still return -ENOMEM. > > kmalloc_array(), for example, returns NULL of there is a > multiplication overflow and I think that's a better behaviour, > although more drastic. It's the same either way. regards, dan carpenter
diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c index 4ec85308379a..df52385ad436 100644 --- a/drivers/gpu/drm/i915/gvt/gtt.c +++ b/drivers/gpu/drm/i915/gvt/gtt.c @@ -1969,14 +1969,16 @@ static struct intel_vgpu_mm *intel_vgpu_create_ggtt_mm(struct intel_vgpu *vgpu) return ERR_PTR(-ENOMEM); } - mm->ggtt_mm.host_ggtt_aperture = vzalloc((vgpu_aperture_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); + mm->ggtt_mm.host_ggtt_aperture = + vzalloc(array_size(vgpu_aperture_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); if (!mm->ggtt_mm.host_ggtt_aperture) { vfree(mm->ggtt_mm.virtual_ggtt); vgpu_free_mm(mm); return ERR_PTR(-ENOMEM); } - mm->ggtt_mm.host_ggtt_hidden = vzalloc((vgpu_hidden_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64)); + mm->ggtt_mm.host_ggtt_hidden = + vzalloc(array_size(vgpu_hidden_sz(vgpu) >> PAGE_SHIFT, sizeof(u64))); if (!mm->ggtt_mm.host_ggtt_hidden) { vfree(mm->ggtt_mm.host_ggtt_aperture); vfree(mm->ggtt_mm.virtual_ggtt);