Date: Mon, 20 Jan 2020 12:14:11 +0100
From: Michal Hocko
To: Daniel Axtens
Cc: kernel-hardening@lists.openwall.com, linux-mm@kvack.org, keescook@chromium.org, linux-kernel@vger.kernel.org, akpm@linux-foundation.org
Subject: Re: [PATCH 4/5] [VERY RFC] mm: kmalloc(_node): return NULL immediately for SIZE_MAX
Message-ID: <20200120111411.GX18451@dhcp22.suse.cz>
References: <20200120074344.504-1-dja@axtens.net> <20200120074344.504-5-dja@axtens.net>
In-Reply-To: <20200120074344.504-5-dja@axtens.net>

On Mon 20-01-20 18:43:43, Daniel Axtens wrote:
> kmalloc is sometimes compiled with a size that at compile time may be
> equal to SIZE_MAX.
>
> For example, struct_size(struct, array member, array elements) returns the
> size of a structure that has an array as the last element, containing a
> given number of elements, or SIZE_MAX on overflow.
>
> However, struct_size operates in (arguably) unintuitive ways at compile time.
> Consider the following snippet:
>
> struct foo {
> 	int a;
> 	int b[0];
> };
>
> struct foo *alloc_foo(int elems)
> {
> 	struct foo *result;
> 	size_t size = struct_size(result, b, elems);
> 	if (__builtin_constant_p(size)) {
> 		BUILD_BUG_ON(size == SIZE_MAX);
> 	}
> 	result = kmalloc(size, GFP_KERNEL);
> 	return result;
> }
>
> I expected that size would only be constant if alloc_foo() was called
> within that translation unit with a constant number of elements, and the
> compiler had decided to inline it. I'd therefore expect that 'size' is only
> SIZE_MAX if the constant provided was a huge number.
>
> However, instead, this function hits the BUILD_BUG_ON, even if never
> called.
>
> include/linux/compiler.h:394:38: error: call to ‘__compiletime_assert_32’ declared with attribute error: BUILD_BUG_ON failed: size == SIZE_MAX

This sounds more like a bug to me. Have you tried to talk to compiler
guys?

> This is with gcc 9.2.1, and I've also observed it with a gcc 8 series
> compiler.
>
> My best explanation of this is:
>
>  - elems is a signed int, so a small negative number will become a very
>    large unsigned number when cast to a size_t, leading to overflow.
>
>  - Then, the only way in which size can be a constant is if we hit the
>    overflow case, in which 'size' will be 'SIZE_MAX'.
>
>  - So the compiler takes that value into the body of the if statement and
>    blows up.
>
> But I could be totally wrong.
>
> Anyway, this is relevant to slab.h because kmalloc() and kmalloc_node()
> check if the supplied size is a constant and take a faster path if so. A
> number of callers of those functions use struct_size to determine the size
> of a memory allocation. Therefore, at compile time, those functions will go
> down the constant path, specialising for the overflow case.
>
> When my next patch is applied, gcc will then throw a warning any time
> kmalloc_large could be called with a SIZE_MAX size, as gcc deems SIZE_MAX
> to be too big an allocation.
>
> So, make functions that check __builtin_constant_p check also against
> SIZE_MAX in the constant path, and immediately return NULL if we hit it.

I am not sure I am happy about an additional conditional path in the hot
path of the allocator. Especially when we already have a check for
KMALLOC_MAX_CACHE_SIZE.
-- 
Michal Hocko
SUSE Labs
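As an added illustration (not code from the thread or the kernel), a userspace model of the struct_size() overflow rule that Daniel's explanation depends on, together with the caller-side bound check that keeps SIZE_MAX away from the allocator path Michal is reluctant to touch. struct_size_model, foo_size and foo_size_checked are hypothetical names; the GCC builtins stand in for the kernel's check_mul_overflow()/check_add_overflow().

```c
/* Added example, not kernel code: models struct_size() from
 * include/linux/overflow.h in userspace. Helper names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct foo {
	int a;
	int b[];	/* flexible array member, the quoted snippet's int b[0] */
};

/* elem_size * nelems + header, or SIZE_MAX if either step overflows. */
static size_t struct_size_model(size_t elem_size, size_t nelems, size_t header)
{
	size_t bytes;

	if (__builtin_mul_overflow(nelems, elem_size, &bytes))
		return SIZE_MAX;
	if (__builtin_add_overflow(bytes, header, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Same conversion alloc_foo() performs: the signed count becomes a size_t
 * first, so any negative value turns into a huge number and the multiply
 * overflows, collapsing the result to SIZE_MAX. */
size_t foo_size(int elems)
{
	return struct_size_model(sizeof(int), (size_t)elems, sizeof(struct foo));
}

/* Caller-side bound check: reject impossible counts before they become a
 * size, so SIZE_MAX never reaches kmalloc() and no allocator check is needed. */
bool foo_size_checked(int elems, size_t max_elems, size_t *out)
{
	if (elems < 0 || (size_t)elems > max_elems)
		return false;
	*out = foo_size(elems);
	return *out != SIZE_MAX;
}

int main(void)
{
	size_t sz = 0;

	printf("foo_size(4)  = %zu bytes\n", foo_size(4));
	printf("foo_size(-1) = %s\n", foo_size(-1) == SIZE_MAX ? "SIZE_MAX" : "finite");
	printf("checked(-1)  = %s\n", foo_size_checked(-1, 1024, &sz) ? "ok" : "rejected");
	return 0;
}
```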