| Message ID | ZHZq7AV9Q2WG1xRB@work |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp2474607vqr;
Tue, 30 May 2023 14:35:08 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ4jsvDn2g8f5umraQ/cD7G2L2hHRmQT1O5taCzXGan9W+dh1gtsY43rraMPL/y16wtwD9Zw
X-Received: by 2002:a05:6a00:1491:b0:62a:4503:53ba with SMTP id
v17-20020a056a00149100b0062a450353bamr4416429pfu.26.1685482507851;
Tue, 30 May 2023 14:35:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685482507; cv=none;
d=google.com; s=arc-20160816;
b=jJJXvRe2Tj0lNN0D0/rUeAJ4XaTj/SPN3mVI1v8cLKaT8M+6yKqbJ4qGNR4elWon7B
t8GlE7eCUK5Xq9nkCO0by5NbWBMZ/HLUkt1Jk3Vk0YKcDolGtHcDTMYTAnmNY0i5VKgA
sULxkTMnDZKhN5XUzAU7xS4edTG1vbzqcc8teBKP6x6/87X0VUQqJ4UxyXeW1Ug2MA16
YIj23JtKPmIzKPhsXi5MU43g7I+WcJgpi+VxD2yGpJwA3rigWK/ip3BlR6Ew/sYaED6b
FQik/xG/XFC+IKdGsrAqv9cJr3O9L4CP/LMkurqE/CN5/bVSr5wnUzKGQyCUj6NlR9na
wGZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:content-disposition
:mime-version:message-id:subject:cc:to:from:date:dkim-signature;
bh=V3cPMM2R8xF/p75CTOC2Gsl9j4dNyZgFElxG7Z4Um3o=;
b=xL6OBunKCgt1RSb1+vUnzibrMLxao7LFm//+N75Ok+ACPHjf5EUix5MpCtNvwDpivB
8USM/jPlIj0dR2JFyUJtYlQtPMqFJ/I9IcGo7l9ZaSSRHihBhPLcfLsVxCTI6pUe2p+Y
P13PVl27Pl355S7ivQD+InEALlKb8t84YwWK2U5vCGG21oDoq81yXnJNSXx0ZtDKLzjN
V4LJo6X01R4qx257PD5Te7Tt4D/7K/DKJzAOrxnK0BQsKVlz6WTY58Rmz2+caPYxgczo
suVpcBM3fH6F7tSlBNhfWTCIDPCL7Bqf3zLWy5EKSwPAOXS/4lK9wDLBzhXKwx8klVEI
LPWw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ZNQPtKFd;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
f190-20020a6251c7000000b0064553929dbdsi117479pfb.394.2023.05.30.14.34.55;
Tue, 30 May 2023 14:35:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=ZNQPtKFd;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233471AbjE3V3c (ORCPT <rfc822;callmefire3@gmail.com>
+ 99 others); Tue, 30 May 2023 17:29:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50712 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230045AbjE3V3b (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 30 May 2023 17:29:31 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3E968C7;
Tue, 30 May 2023 14:29:30 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by dfw.source.kernel.org (Postfix) with ESMTPS id CFCB662F3A;
Tue, 30 May 2023 21:29:29 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 58FF0C433EF;
Tue, 30 May 2023 21:29:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1685482169;
bh=GLu5O3LRK+uO/mUwyhrjlKostu2tteVX5Bk4Ufg7ekc=;
h=Date:From:To:Cc:Subject:From;
b=ZNQPtKFdt5D+x3VhvyKmUos4cGo3u6phr45fOBLBoMRuPKE7fdH8G8pMi346ZzBBY
mhK8Dz5AzQ4T0CJ36AlrlvO1syDAE8qb2tZ/gou9OJeW5yru/5SI0KLTHGjYKPwn42
XtxYYduapa1Z8trkQLBBuE5HC/+kxbdm9twKTe0/iX+JdFpo4fEioJmTtNpszyvoTd
fTMn8yT3wl/G26qYclsyYVotsP6DeAR4tgW5kChJEPEeco45QA33ZzcIEPTQTLD5dq
osA99hB+fW5P+RWmtgA+rdLREk5oxm8PQ/Cyssv9eJMYH/NXdXxjtSrpKwRdGwRYbb
lYCvJBoSDjzFQ==
Date: Tue, 30 May 2023 15:30:20 -0600
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: James Smart <james.smart@broadcom.com>,
Dick Kennedy <dick.kennedy@broadcom.com>,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
"Gustavo A. R. Silva" <gustavoars@kernel.org>,
linux-hardening@vger.kernel.org
Subject: [PATCH][next] scsi: lpfc: Avoid -Wstringop-overflow warning
Message-ID: <ZHZq7AV9Q2WG1xRB@work>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767356506113554637?=
X-GMAIL-MSGID: =?utf-8?q?1767356506113554637?=
|
| Series |
[next] scsi: lpfc: Avoid -Wstringop-overflow warning
|
|
Commit Message
Gustavo A. R. Silva
May 30, 2023, 9:30 p.m. UTC
Avoid confusing the compiler about possible negative sizes.
Use size_t instead of int for variables size and copied.
Address the following warning found with GCC-13:
In function ‘lpfc_debugfs_ras_log_data’,
inlined from ‘lpfc_debugfs_ras_log_open’ at drivers/scsi/lpfc/lpfc_debugfs.c:2271:15:
drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ specified bound between 18446744071562067968 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Wstringop-overflow=]
2210 | memcpy(buffer + copied, dmabuf->virt,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2211 | size - copied - 1);
| ~~~~~~~~~~~~~~~~~~
Link: https://github.com/KSPP/linux/issues/305
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Comments
On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > Avoid confusing the compiler about possible negative sizes. > Use size_t instead of int for variables size and copied. > > Address the following warning found with GCC-13: > In function ‘lpfc_debugfs_ras_log_data’, > inlined from ‘lpfc_debugfs_ras_log_open’ at > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ specified > bound between 18446744071562067968 and 18446744073709551615 exceeds > maximum object size 9223372036854775807 [-Wstringop-overflow=] > 2210 | memcpy(buffer + copied, dmabuf->virt, > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > 2211 | size - copied - 1); > | ~~~~~~~~~~~~~~~~~~ > This looks like a compiler bug to me and your workaround would have us using unsigned types everywhere for sizes, which seems wrong. There are calls which return size or error for which we have ssize_t and that type has to be usable in things like memcpy, so the compiler must be fixed or the warning disabled. James
On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote: > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > > Avoid confusing the compiler about possible negative sizes. > > Use size_t instead of int for variables size and copied. > > > > Address the following warning found with GCC-13: > > In function ‘lpfc_debugfs_ras_log_data’, > > inlined from ‘lpfc_debugfs_ras_log_open’ at > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ specified > > bound between 18446744071562067968 and 18446744073709551615 exceeds > > maximum object size 9223372036854775807 [-Wstringop-overflow=] > > 2210 | memcpy(buffer + copied, dmabuf->virt, > > | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > 2211 | size - copied - 1); > > | ~~~~~~~~~~~~~~~~~~ > > > > This looks like a compiler bug to me and your workaround would have us > using unsigned types everywhere for sizes, which seems wrong. There > are calls which return size or error for which we have ssize_t and that > type has to be usable in things like memcpy, so the compiler must be > fixed or the warning disabled. The compiler is (correctly) noticing that the calculation involving "size" (from which "copied" is set) could go negative. The "unsigned types everywhere" is a slippery slope argument that doesn't apply: this is fixing a specific case of a helper taking a size that is never expected to go negative in multiple places (open-coded multiplication, vmalloc, lpfc_debugfs_ras_log_data, etc). It should be bounds checked at the least... struct lpfc_hba { ... uint32_t cfg_ras_fwlog_buffsize; ... }; lpfc_debugfs_ras_log_open(): ... struct lpfc_hba *phba = inode->i_private; int size; ... size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; debug->buffer = vmalloc(size); ... debug->len = lpfc_debugfs_ras_log_data(phba, debug->buffer, size); ... lpfc_debugfs_ras_log_data(): ... if ((copied + LPFC_RAS_MAX_ENTRY_SIZE) >= (size - 1)) { memcpy(buffer + copied, dmabuf->virt, size - copied - 1); Honestly, the "if" above is the weirdest part, and perhaps that should just be adjusted instead: if (size <= LPFC_RAS_MAX_ENTRY_SIZE) return -ENOMEM; ... if (size - copied <= LPFC_RAS_MAX_ENTRY_SIZE) { memcpy(..., size - copied - 1); copied += size - copied - 1; break; } ... } return copied;
On Tue, 2023-05-30 at 15:44 -0700, Kees Cook wrote: > On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote: > > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > > > Avoid confusing the compiler about possible negative sizes. > > > Use size_t instead of int for variables size and copied. > > > > > > Address the following warning found with GCC-13: > > > In function ‘lpfc_debugfs_ras_log_data’, > > > inlined from ‘lpfc_debugfs_ras_log_open’ at > > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ > > > specified > > > bound between 18446744071562067968 and 18446744073709551615 > > > exceeds > > > maximum object size 9223372036854775807 [-Wstringop-overflow=] > > > 2210 | memcpy(buffer + copied, dmabuf- > > > >virt, > > > | > > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > 2211 | size - copied - 1); > > > | ~~~~~~~~~~~~~~~~~~ > > > > > > > This looks like a compiler bug to me and your workaround would have > > us using unsigned types everywhere for sizes, which seems wrong. > > There are calls which return size or error for which we have > > ssize_t and that type has to be usable in things like memcpy, so > > the compiler must be fixed or the warning disabled. > > The compiler is (correctly) noticing that the calculation involving > "size" (from which "copied" is set) could go negative. It can? But if it can, then changing size and copied to unsigned doesn't fix it, does it? > The "unsigned types everywhere" is a slippery slope argument that > doesn't apply: this is fixing a specific case of a helper taking a > size that is never expected to go negative in multiple places > (open-coded multiplication, vmalloc, lpfc_debugfs_ras_log_data, etc). > It should be bounds checked at the least... So your claim is the compiler only gets it wrong in this one case and if we just change this one case it will never get it wrong again? I think I prefer the idea that there's a problem in the bounds checking code which should be susceptible to fixing if we file a compiler bug (either it should get it right or ignore the case if it can't decide). > struct lpfc_hba { > ... > uint32_t cfg_ras_fwlog_buffsize; > ... > }; > > lpfc_debugfs_ras_log_open(): > ... > struct lpfc_hba *phba = inode->i_private; > int size; > ... > size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba- > >cfg_ras_fwlog_buffsize; > debug->buffer = vmalloc(size); > ... > debug->len = lpfc_debugfs_ras_log_data(phba, debug->buffer, > size); > ... > > lpfc_debugfs_ras_log_data(): > ... > if ((copied + LPFC_RAS_MAX_ENTRY_SIZE) >= (size - 1)) > { > memcpy(buffer + copied, dmabuf->virt, > size - copied - 1); > > Honestly, the "if" above is the weirdest part, and perhaps that > should > just be adjusted instead: > > if (size <= LPFC_RAS_MAX_ENTRY_SIZE) > return -ENOMEM; > ... > if (size - copied <= LPFC_RAS_MAX_ENTRY_SIZE) { > memcpy(..., size - copied - 1); > copied += size - copied - 1; > break; > } > ... > } > return copied; No one said you couldn't improve the code. It was claiming a fix by changing a signed variable to unsigned that got my attention because it's a classic indicator of compiler problems. I didn't say anything about all the strlcpy replacements where the source is guaranteed to be zero terminated so the problem alluded to in the changelog doesn't exist. But since it all becomes about the inefficiency of the ignored strlen it did strike me that the most common pattern in sysfs code is strlcpy followed by strim or strstrip, which could be done slightly more efficiently as a single operation, if someone wanted actually to improve our sysfs use cases ... James
On Wed, May 31, 2023 at 10:56:50AM -0400, James Bottomley wrote: > On Tue, 2023-05-30 at 15:44 -0700, Kees Cook wrote: > > On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote: > > > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > > > > Avoid confusing the compiler about possible negative sizes. > > > > Use size_t instead of int for variables size and copied. > > > > > > > > Address the following warning found with GCC-13: > > > > In function ‘lpfc_debugfs_ras_log_data’, > > > > inlined from ‘lpfc_debugfs_ras_log_open’ at > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ > > > > specified > > > > bound between 18446744071562067968 and 18446744073709551615 > > > > exceeds > > > > maximum object size 9223372036854775807 [-Wstringop-overflow=] > > > > 2210 | memcpy(buffer + copied, dmabuf- > > > > >virt, > > > > | > > > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > 2211 | size - copied - 1); > > > > | ~~~~~~~~~~~~~~~~~~ > > > > > > > > > > This looks like a compiler bug to me and your workaround would have > > > us using unsigned types everywhere for sizes, which seems wrong. > > > There are calls which return size or error for which we have > > > ssize_t and that type has to be usable in things like memcpy, so > > > the compiler must be fixed or the warning disabled. > > > > The compiler is (correctly) noticing that the calculation involving > > "size" (from which "copied" is set) could go negative. > > It can? But if it can, then changing size and copied to unsigned > doesn't fix it, does it? Yes: (int) (const expression 256 * 1024) (u32) size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; this can wrap to negative if cfg_ras_fwlog_buffsize is large enough. If "size" is size_t, it can't wrap, and is therefore never negative. > So your claim is the compiler only gets it wrong in this one case and > if we just change this one case it will never get it wrong again? What? No, I'm saying this is a legitimate diagnostic, and the wrong type was chosen for "size": it never needs to carry a negative value, and it potentially needs to handle values greater than u32. But you're right -- there is still a potential for runtime confusion in that the return from lpfc_debugfs_ras_log_data() must be signed. So perhaps the best option is to check for overflow directly. Gustavo, does this fix it? diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c index bdf34af4ef36..7f9b221e7c34 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -2259,11 +2259,15 @@ lpfc_debugfs_ras_log_open(struct inode *inode, struct file *file) goto out; } spin_unlock_irq(&phba->hbalock); - debug = kmalloc(sizeof(*debug), GFP_KERNEL); + + if (check_mul_overflow(LPFC_RAS_MIN_BUFF_POST_SIZE, + phba->cfg_ras_fwlog_buffsize, &size)) + goto out; + + debug = kzalloc(sizeof(*debug), GFP_KERNEL); if (!debug) goto out; - size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; debug->buffer = vmalloc(size); if (!debug->buffer) goto free_debug; -Kees
I understand the desire to satisfy a compiler warning, but for what it’s worth I don’t think "size" could ever be negative here. size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; phba->cfg_ras_fwlog_buffsize could never be larger than 4 because it is restricted via lpfc_ras_fwlog_buffsize_set and LPFC_ATTR’s call to lpfc_rangecheck(val, 0, 4). And, #define LPFC_RAS_MIN_BUFF_POST_SIZE (256 * 1024). So, 256 * 1024 * 4 = 1,048,576 = 0x00100000 is the max “size” could ever be. On Thu, Jun 1, 2023 at 9:49 AM Kees Cook <keescook@chromium.org> wrote: > > On Wed, May 31, 2023 at 10:56:50AM -0400, James Bottomley wrote: > > On Tue, 2023-05-30 at 15:44 -0700, Kees Cook wrote: > > > On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote: > > > > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > > > > > Avoid confusing the compiler about possible negative sizes. > > > > > Use size_t instead of int for variables size and copied. > > > > > > > > > > Address the following warning found with GCC-13: > > > > > In function ‘lpfc_debugfs_ras_log_data’, > > > > > inlined from ‘lpfc_debugfs_ras_log_open’ at > > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ > > > > > specified > > > > > bound between 18446744071562067968 and 18446744073709551615 > > > > > exceeds > > > > > maximum object size 9223372036854775807 [-Wstringop-overflow=] > > > > > 2210 | memcpy(buffer + copied, dmabuf- > > > > > >virt, > > > > > | > > > > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > > 2211 | size - copied - 1); > > > > > | ~~~~~~~~~~~~~~~~~~ > > > > > > > > > > > > > This looks like a compiler bug to me and your workaround would have > > > > us using unsigned types everywhere for sizes, which seems wrong. > > > > There are calls which return size or error for which we have > > > > ssize_t and that type has to be usable in things like memcpy, so > > > > the compiler must be fixed or the warning disabled. > > > > > > The compiler is (correctly) noticing that the calculation involving > > > "size" (from which "copied" is set) could go negative. > > > > It can? But if it can, then changing size and copied to unsigned > > doesn't fix it, does it? > > Yes: > > (int) (const expression 256 * 1024) (u32) > size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; > > this can wrap to negative if cfg_ras_fwlog_buffsize is large enough. If > "size" is size_t, it can't wrap, and is therefore never negative. > > > So your claim is the compiler only gets it wrong in this one case and > > if we just change this one case it will never get it wrong again? > > What? No, I'm saying this is a legitimate diagnostic, and the wrong type > was chosen for "size": it never needs to carry a negative value, and it > potentially needs to handle values greater than u32. > > But you're right -- there is still a potential for runtime confusion in > that the return from lpfc_debugfs_ras_log_data() must be signed. So > perhaps the best option is to check for overflow directly. > > Gustavo, does this fix it? > > > diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c > index bdf34af4ef36..7f9b221e7c34 100644 > --- a/drivers/scsi/lpfc/lpfc_debugfs.c > +++ b/drivers/scsi/lpfc/lpfc_debugfs.c > @@ -2259,11 +2259,15 @@ lpfc_debugfs_ras_log_open(struct inode *inode, struct file *file) > goto out; > } > spin_unlock_irq(&phba->hbalock); > - debug = kmalloc(sizeof(*debug), GFP_KERNEL); > + > + if (check_mul_overflow(LPFC_RAS_MIN_BUFF_POST_SIZE, > + phba->cfg_ras_fwlog_buffsize, &size)) > + goto out; > + > + debug = kzalloc(sizeof(*debug), GFP_KERNEL); > if (!debug) > goto out; > > - size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; > debug->buffer = vmalloc(size); > if (!debug->buffer) > goto free_debug; > > > -Kees > > -- > Kees Cook
On Thu, Jun 01, 2023 at 09:48:55AM -0700, Kees Cook wrote: > On Wed, May 31, 2023 at 10:56:50AM -0400, James Bottomley wrote: > > On Tue, 2023-05-30 at 15:44 -0700, Kees Cook wrote: > > > On Tue, May 30, 2023 at 05:36:06PM -0400, James Bottomley wrote: > > > > On Tue, 2023-05-30 at 15:30 -0600, Gustavo A. R. Silva wrote: > > > > > Avoid confusing the compiler about possible negative sizes. > > > > > Use size_t instead of int for variables size and copied. > > > > > > > > > > Address the following warning found with GCC-13: > > > > > In function ‘lpfc_debugfs_ras_log_data’, > > > > > inlined from ‘lpfc_debugfs_ras_log_open’ at > > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2271:15: > > > > > drivers/scsi/lpfc/lpfc_debugfs.c:2210:25: warning: ‘memcpy’ > > > > > specified > > > > > bound between 18446744071562067968 and 18446744073709551615 > > > > > exceeds > > > > > maximum object size 9223372036854775807 [-Wstringop-overflow=] > > > > > 2210 | memcpy(buffer + copied, dmabuf- > > > > > >virt, > > > > > | > > > > > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > > 2211 | size - copied - 1); > > > > > | ~~~~~~~~~~~~~~~~~~ > > > > > > > > > > > > > This looks like a compiler bug to me and your workaround would have > > > > us using unsigned types everywhere for sizes, which seems wrong. > > > > There are calls which return size or error for which we have > > > > ssize_t and that type has to be usable in things like memcpy, so > > > > the compiler must be fixed or the warning disabled. > > > > > > The compiler is (correctly) noticing that the calculation involving > > > "size" (from which "copied" is set) could go negative. > > > > It can? But if it can, then changing size and copied to unsigned > > doesn't fix it, does it? > > Yes: > > (int) (const expression 256 * 1024) (u32) > size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; > > this can wrap to negative if cfg_ras_fwlog_buffsize is large enough. If > "size" is size_t, it can't wrap, and is therefore never negative. > > > So your claim is the compiler only gets it wrong in this one case and > > if we just change this one case it will never get it wrong again? > > What? No, I'm saying this is a legitimate diagnostic, and the wrong type > was chosen for "size": it never needs to carry a negative value, and it > potentially needs to handle values greater than u32. > > But you're right -- there is still a potential for runtime confusion in > that the return from lpfc_debugfs_ras_log_data() must be signed. So > perhaps the best option is to check for overflow directly. > > Gustavo, does this fix it? Yep; it does. I think we can go with this solution. Thanks! -- Gustavo > > > diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c > index bdf34af4ef36..7f9b221e7c34 100644 > --- a/drivers/scsi/lpfc/lpfc_debugfs.c > +++ b/drivers/scsi/lpfc/lpfc_debugfs.c > @@ -2259,11 +2259,15 @@ lpfc_debugfs_ras_log_open(struct inode *inode, struct file *file) > goto out; > } > spin_unlock_irq(&phba->hbalock); > - debug = kmalloc(sizeof(*debug), GFP_KERNEL); > + > + if (check_mul_overflow(LPFC_RAS_MIN_BUFF_POST_SIZE, > + phba->cfg_ras_fwlog_buffsize, &size)) > + goto out; > + > + debug = kzalloc(sizeof(*debug), GFP_KERNEL); > if (!debug) > goto out; > > - size = LPFC_RAS_MIN_BUFF_POST_SIZE * phba->cfg_ras_fwlog_buffsize; > debug->buffer = vmalloc(size); > if (!debug->buffer) > goto free_debug; > > > -Kees > > -- > Kees Cook
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c index bdf34af4ef36..493729e74abe 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -2189,9 +2189,9 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf, #endif static int lpfc_debugfs_ras_log_data(struct lpfc_hba *phba, - char *buffer, int size) + char *buffer, size_t size) { - int copied = 0; + size_t copied = 0; struct lpfc_dmabuf *dmabuf, *next; memset(buffer, 0, size); @@ -2249,7 +2249,7 @@ lpfc_debugfs_ras_log_open(struct inode *inode, struct file *file) { struct lpfc_hba *phba = inode->i_private; struct lpfc_debug *debug; - int size; + size_t size; int rc = -ENOMEM; spin_lock_irq(&phba->hbalock);