From: Matthew Wilcox <matthew@wil.cx>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Eric Sesterhenn <snakebyte@gmx.de>,
kernel-janitors@lists.osdl.org, linux-fsdevel@vger.kernel.org
Subject: Re: [KJ] [Patch] fs/ kzalloc conversions
Date: Fri, 24 Feb 2006 15:26:28 +0000 [thread overview]
Message-ID: <20060224152628.GO28587@parisc-linux.org> (raw)
In-Reply-To: <20060224111755.GA7801@mipter.zuzino.mipt.ru>
[-- Attachment #1: Type: text/plain, Size: 2720 bytes --]
[this mail serves two purposes. One is to educate about the limits of
what a compiler can do, and the other is to alert to a memory-corruption
bug in AIO. If you're only interested in the latter, please skip to
the bottom.]
On Fri, Feb 24, 2006 at 02:17:55PM +0300, Alexey Dobriyan wrote:
> > @@ -122,10 +122,9 @@ static int aio_setup_ring(struct kioctx
> > if (nr_pages > AIO_RING_PAGES) {
> > - info->ring_pages = kmalloc(sizeof(struct page *) * nr_pages, GFP_KERNEL);
> > + info->ring_pages = kzalloc(sizeof(struct page *) * nr_pages, GFP_KERNEL);
> > if (!info->ring_pages)
> > return -ENOMEM;
> > - memset(info->ring_pages, 0, sizeof(struct page *) * nr_pages);
> > }
>
> I thought, kcalloc should be used here, but after looking at size(1)
> outputs kzalloc wins. Which is slightly suspicious.
Look at the definition of kcalloc:
static inline void *kcalloc(size_t n, size_t size, gfp_t flags)
{
if (n != 0 && size > INT_MAX / n)
return NULL;
return kzalloc(n * size, flags);
}
so you'd be calling kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL)
which would expand to:
if (nr_pages > AIO_RING_PAGES) {
if (nr_pages != 0 && sizeof(struct page *) > INT_MAX / nr_pages)
info->ring_pages = NULL;
else
info->ring_pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
if (!info->ring_pages)
return -ENOMEM;
}
Now, GCC is pretty clever at optimising. So it probably turns that into:
if (nr_pages > AIO_RING_PAGES) {
if (sizeof(struct page *) > INT_MAX / nr_pages)
return -ENOMEM;
info->ring_pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
if (!info->ring_pages)
return -ENOMEM;
}
But it can't tell what nr_pages is limited to back in ioctx_alloc().
So it can't optimise away the first test entirely.
[aio-interested readers should pick up again here]
Even if it traces back what nr_pages is limited to (moderately
complicated), it's limited to the global variable aio_max_nr. Even if
gcc were engaged in whole-program-analysis, it would probably give up
on seeing its address taken in kernel/sysctl.c. And, at least to this
human's eyes, aio_max_nr actually appears to have *no* limit.
So the test isn't useless and we should use kcalloc here, otherwise an
unthinking sysadmin can increment the aio_max_nr sysctl value to, let's
say, 0x7fffffff. On a 32-bit machine, the multiplication will wrap,
maybe turn into a small positive number, and we'll gleefully walk off
the end of the array, corrupting data as we go.
And we should set the .extra1 and .extra2 values in the FS_AIO_MAX_NR
clause of kernel/sysctl.c anyway. Does anyone have thoughts on what the
*useful* range of this variable is?
[-- Attachment #2: Type: text/plain, Size: 168 bytes --]
_______________________________________________
Kernel-janitors mailing list
Kernel-janitors@lists.osdl.org
https://lists.osdl.org/mailman/listinfo/kernel-janitors
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Wilcox <matthew@wil.cx>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Eric Sesterhenn <snakebyte@gmx.de>,
kernel-janitors@lists.osdl.org, linux-fsdevel@vger.kernel.org
Subject: Re: [KJ] [Patch] fs/ kzalloc conversions
Date: Fri, 24 Feb 2006 08:26:28 -0700 [thread overview]
Message-ID: <20060224152628.GO28587@parisc-linux.org> (raw)
In-Reply-To: <20060224111755.GA7801@mipter.zuzino.mipt.ru>
[this mail serves two purposes. One is to educate about the limits of
what a compiler can do, and the other is to alert to a memory-corruption
bug in AIO. If you're only interested in the latter, please skip to
the bottom.]
On Fri, Feb 24, 2006 at 02:17:55PM +0300, Alexey Dobriyan wrote:
> > @@ -122,10 +122,9 @@ static int aio_setup_ring(struct kioctx
> > if (nr_pages > AIO_RING_PAGES) {
> > - info->ring_pages = kmalloc(sizeof(struct page *) * nr_pages, GFP_KERNEL);
> > + info->ring_pages = kzalloc(sizeof(struct page *) * nr_pages, GFP_KERNEL);
> > if (!info->ring_pages)
> > return -ENOMEM;
> > - memset(info->ring_pages, 0, sizeof(struct page *) * nr_pages);
> > }
>
> I thought, kcalloc should be used here, but after looking at size(1)
> outputs kzalloc wins. Which is slightly suspicious.
Look at the definition of kcalloc:
static inline void *kcalloc(size_t n, size_t size, gfp_t flags)
{
if (n != 0 && size > INT_MAX / n)
return NULL;
return kzalloc(n * size, flags);
}
so you'd be calling kcalloc(nr_pages, sizeof(struct page *), GFP_KERNEL)
which would expand to:
if (nr_pages > AIO_RING_PAGES) {
if (nr_pages != 0 && sizeof(struct page *) > INT_MAX / nr_pages)
info->ring_pages = NULL;
else
info->ring_pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
if (!info->ring_pages)
return -ENOMEM;
}
Now, GCC is pretty clever at optimising. So it probably turns that into:
if (nr_pages > AIO_RING_PAGES) {
if (sizeof(struct page *) > INT_MAX / nr_pages)
return -ENOMEM;
info->ring_pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
if (!info->ring_pages)
return -ENOMEM;
}
But it can't tell what nr_pages is limited to back in ioctx_alloc().
So it can't optimise away the first test entirely.
[aio-interested readers should pick up again here]
Even if it traces back what nr_pages is limited to (moderately
complicated), it's limited to the global variable aio_max_nr. Even if
gcc were engaged in whole-program-analysis, it would probably give up
on seeing its address taken in kernel/sysctl.c. And, at least to this
human's eyes, aio_max_nr actually appears to have *no* limit.
So the test isn't useless and we should use kcalloc here, otherwise an
unthinking sysadmin can increment the aio_max_nr sysctl value to, let's
say, 0x7fffffff. On a 32-bit machine, the multiplication will wrap,
maybe turn into a small positive number, and we'll gleefully walk off
the end of the array, corrupting data as we go.
And we should set the .extra1 and .extra2 values in the FS_AIO_MAX_NR
clause of kernel/sysctl.c anyway. Does anyone have thoughts on what the
*useful* range of this variable is?
next prev parent reply other threads:[~2006-02-24 15:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-24 9:14 [KJ] [Patch] fs/ kzalloc conversions Eric Sesterhenn
2006-02-24 11:17 ` Alexey Dobriyan
2006-02-24 15:26 ` Matthew Wilcox [this message]
2006-02-24 15:26 ` Matthew Wilcox
2006-02-24 20:50 ` Eric Sesterhenn
2006-02-24 20:50 ` Eric Sesterhenn
2006-02-25 0:07 ` Zach Brown
2006-02-25 0:07 ` Zach Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060224152628.GO28587@parisc-linux.org \
--to=matthew@wil.cx \
--cc=adobriyan@gmail.com \
--cc=kernel-janitors@lists.osdl.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=snakebyte@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.