From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9FFB1EB64D8
	for <linux-mm@archiver.kernel.org>; Wed, 14 Jun 2023 14:32:53 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 336AC6B0074; Wed, 14 Jun 2023 10:32:53 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 2E75B6B0075; Wed, 14 Jun 2023 10:32:53 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 1D7406B0078; Wed, 14 Jun 2023 10:32:53 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id 0F16D6B0074
	for <linux-mm@kvack.org>; Wed, 14 Jun 2023 10:32:53 -0400 (EDT)
Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 27510406BA
	for <linux-mm@kvack.org>; Wed, 14 Jun 2023 14:32:52 +0000 (UTC)
X-FDA: 80901594984.21.706E889
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131])
	by imf21.hostedemail.com (Postfix) with ESMTP id 10CBB1C0008
	for <linux-mm@kvack.org>; Wed, 14 Jun 2023 14:32:49 +0000 (UTC)
Authentication-Results: imf21.hostedemail.com;
	dkim=pass header.d=proton.me header.s=protonmail header.b="Xkh/eR8a";
	dmarc=pass (policy=quarantine) header.from=proton.me;
	spf=pass (imf21.hostedemail.com: domain of benno.lossin@proton.me designates 185.70.40.131 as permitted sender) smtp.mailfrom=benno.lossin@proton.me
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1686753170;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=Eym4bt3G3yI5tzMrX6NSMGd1+ikTIMtBGpmezvReHMk=;
	b=kpZ0TctYMN/um5qM12c5IuuCk0l7E/vFU3rDuwq/chWWd6UIrWBpkKulqoLCPzSz0QyIvN
	DmyKhvuUyJXg7JnIi9ymX/6g/a6TZa3aZfjHeTkr+pP43S0M83kTzB8sdBAJjFIg6/XOkA
	ulghI1lMOT51jZhQ4c3jaLLQlQNg0U4=
ARC-Authentication-Results: i=1;
	imf21.hostedemail.com;
	dkim=pass header.d=proton.me header.s=protonmail header.b="Xkh/eR8a";
	dmarc=pass (policy=quarantine) header.from=proton.me;
	spf=pass (imf21.hostedemail.com: domain of benno.lossin@proton.me designates 185.70.40.131 as permitted sender) smtp.mailfrom=benno.lossin@proton.me
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1686753170; a=rsa-sha256;
	cv=none;
	b=2c9h6SbEn4T7TUk5LgyqRvVmXoftR+cnOj5bY0/QbHUOLR2Unq7u84i+b0w5/h8OEknvLv
	xwAuCMqFzOdplXaVptZlBckkXXFwfEwnEzBdMAg86BUsdw8VvhAJZmnVSmLrMN5Lezunle
	BTFxqZsWnVZRQIx0rN2gdQvg3XJVhSw=
Date: Wed, 14 Jun 2023 14:32:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
	s=protonmail; t=1686753167; x=1687012367;
	bh=Eym4bt3G3yI5tzMrX6NSMGd1+ikTIMtBGpmezvReHMk=;
	h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
	 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
	 Message-ID:BIMI-Selector;
	b=Xkh/eR8al1uA04ta5Bbi8OPlyK6TSpuMGojkCHFCB046PABXv7MtBc39nJrrqvDTy
	 Qepc9vvN4tO/+bij/nZwQLdueaT3SnPLRnP/FLD1I/HmrFALkd8uSB0rsVZrcCaiQw
	 1e2kcXYGlxMBuyWM6bgsXqpVMYtwsafhP6BZ2Dzp0LI+sPocaXK5wpFKF/2eLlKdqh
	 lhNUHeg2KsmbSZjuOmeFdM5NC2WxV2WomqYHs9RS04xpJQd7/HaIUOlDqUqb8U7FXD
	 G3wxciegsorkG8l3wVINiAGVclJnBjNmhz36eF5qwXF/aAEuvSGrDQ2lAsfwtDn4W2
	 T9b8t2d5pNruw==
To: Boqun Feng <boqun.feng@gmail.com>
From: Benno Lossin <benno.lossin@proton.me>
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Miguel Ojeda <ojeda@kernel.org>, Alex Gaynor <alex.gaynor@gmail.com>, Wedson Almeida Filho <wedsonaf@gmail.com>, Gary Guo <gary@garyguo.net>, =?utf-8?Q?Bj=C3=B6rn_Roy_Baron?= <bjorn3_gh@protonmail.com>, Martin Rodriguez Reboredo <yakoyoku@gmail.com>, Alice Ryhl <aliceryhl@google.com>, Dariusz Sosnowski <dsosnowski@dsosnowski.pl>, Geoffrey Thomas <geofft@ldpreload.com>, Fox Chen <foxhlchen@gmail.com>, John Baublitz <john.m.baublitz@gmail.com>, Christoph Lameter <cl@linux.com>, Pekka Enberg <penberg@kernel.org>, David Rientjes <rientjes@google.com>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, Andrew Morton <akpm@linux-foundation.org>, Vlastimil Babka <vbabka@suse.cz>, Roman Gushchin <roman.gushchin@linux.dev>, Hyeonggon Yoo <42.hyeyoo@gmail.com>, Kees Cook <keescook@chromium.org>, Andreas Hindborg <nmi@metaspace.dk>, stable@vger.kernel.org
Subject: Re: [PATCH] rust: allocator: Prevents mis-aligned allocation
Message-ID: <91XpcluPyeKjsC8_uSh1yvgcz2BoRMeih76O5-wTwQgnNiLFdOCiO3HT9kXByzZIiK-6nForUTTeo-H9cR0CWemr7dJuMgMnC0wzGDIBmlQ=@proton.me>
In-Reply-To: <20230613164258.3831917-1-boqun.feng@gmail.com>
References: <20230613164258.3831917-1-boqun.feng@gmail.com>
Feedback-ID: 71780778:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Rspam-User: 
X-Rspamd-Server: rspam12
X-Rspamd-Queue-Id: 10CBB1C0008
X-Stat-Signature: 8keng44treypxj6eqrannad38c4saknd
X-HE-Tag: 1686753169-544982
X-HE-Meta: U2FsdGVkX18LCDgOCwwaDNS7m2UbS0poEaAKGk8niKdIxZWLPkcr0l90PNItu8FhJ1Ep4qL41ysBF+hiy0OAZqxn+Ugec4mubjt4FlDK5YmTfI0EsqRYocte8g6u2byjOK1MZo6/7d/s39B4e1/XG/S4EBW6nFe72xI8N3ekLPTr15lPV5EvVsk/DgvaXdKuU9l+AV/JPA3loiwk9OJEQr2C4wy3kKHOQZeWc7UjJL1EsxIA9QHCFBLR5fmCZE3givIW4i+iKmweYGMIJNK4JSogV0OHHr43Mxx0ZMDMe8ZlVIs5dczdURl87N5LLW5YMPgXzD+Q4d2f4Ht2tGGiWrisL+TiemJUvkcY6Mnc7aqajF0TdEwn/dPofR8PiqM39Fa4P82xiuPfiezAMeiRexaf3Ab8tqHCFU5J8WH2bJrFqr15AI6yhpfI/Tah8WPZCJeGgoFQFtsRVqfI3WmvBD6l0tJdfZ7lLUVMJQnfqwDRWbXTZTg/hz0ffUsgYsQj0Wl/7dDnuHdfIRRNZv0HPohTYo+u52cxhkxw99cYkGVljhNYi6Pmm/YvFCQoiCIcdPSzvfejunSyuiIxUIIjFMPevaeAnIf6tavo33TDhhNk5ZToRdOBXzGSS3zJRFuDTqwofFvBzHe6yTodtQ/RgowLAWuQUxRLE9SV50A9FWANoNasep0hs1hkNFpeM/2UaTFa2A7ID13TEz4/mpgkQyQ8TzuFfwwZu5Pn/VsjLvta6Yw3+9j2MaSW7M1asFCYM0FX4pBxvPBdiLqmdnrhIWWcuqyBDMyP35JFXZRBtkswZbWKgo9Kr40lSizA3E7Y544RPdoDxhes/eIDHEgWjS++YUu2fd/9ZPHHUNZEXEGZPi4CSsMuBcVQdenlIR2c2fsmV0EhFhqWh3K812lUJAjVLbJelMNinWQJPymzhILZkOz9qzTygOH6yicwiN3epmUlVR0JIJv9fHvLW1C
 Ty7A2dWj
 A4YT1rCRVKj3r1iBORyMaQLsKEbKhc5gNCbB7qiM7NMog9C3/JA84oICARdW6x0lFfTyZ22HjVIsvb+O026YbfW4u5ob3hMIfpvdkLBLN7ub6s4OcpNRtJ6GYPjbvk4yxvFkAugWOzhU0eoxgLRfbdJa1HTSp2mfjdZDADrTmroedjk3jqSWE5KLXmc3Orx+juhaOQhGd2FJVf61sWasJ49Gpc1cD2BvaDGZ3hKW9sIU2GAMx3T1Gc87xEREh5vwtoFdR1QB86+CdAklNdAVfF3GadWgrYpKyb4nAiZULEgRIR2s7oyLc90vvnKiinQw6BqGhhXJKmtDsCSCMcd+MI2gZ2ZmD1d27gV5FxORZ5QEPZG5NpUcltmXPPiKbt63AJrEzs0nOjzchNqJ1z18R4BhNwHHs7SJAYnWFDVh3GkPeBwByi+YLUOTUn6wCED1xKS0B
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 13.06.23 18:42, Boqun Feng wrote:
> Currently the KernelAllocator simply passes the size of the type Layout
> to krealloc(), and in theory the alignment requirement from the type
> Layout may be larger than the guarantee provided by SLAB, which means
> the allocated object is mis-aligned.
>=20
> Fixes this by adjusting the allocation size to the nearest power of two,
> which SLAB always guarantees a size-aligned allocation. And because Rust
> guarantees that original size must be a multiple of alignment and the
> alignment must be a power of two, then the alignment requirement is
> satisfied.
>=20
> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
> Co-developed-by: Andreas Hindborg (Samsung) <nmi@metaspace.dk>
> Signed-off-by: Andreas Hindborg (Samsung) <nmi@metaspace.dk>
> Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
> Cc: stable@vger.kernel.org # v6.1+

Reviewed-by: Benno Lossin <benno.lossin@proton.me>

--=20
Cheers,
Benno

> ---
> Some more explanation:
>=20
> * Layout is a data structure describing a particular memory layout,
>    conceptionally it has two fields: align and size.
>=20
>    * align is guaranteed to be a power of two.
>    * size can be smaller than align (only when the Layout is created via
>      Layout::from_align_size())
>    * After pad_to_align(), the size is guaranteed to be a multiple of
>      align
>=20
> For more information, please see:
>=20
> =09https://doc.rust-lang.org/stable/std/alloc/struct.Layout.html
>=20
>   rust/bindings/bindings_helper.h |  1 +
>   rust/kernel/allocator.rs        | 17 ++++++++++++++++-
>   2 files changed, 17 insertions(+), 1 deletion(-)
>=20
> diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_hel=
per.h
> index 3e601ce2548d..6619ce95dd37 100644
> --- a/rust/bindings/bindings_helper.h
> +++ b/rust/bindings/bindings_helper.h
> @@ -15,3 +15,4 @@
>   /* `bindgen` gets confused at certain things. */
>   const gfp_t BINDINGS_GFP_KERNEL =3D GFP_KERNEL;
>   const gfp_t BINDINGS___GFP_ZERO =3D __GFP_ZERO;
> +const size_t BINDINGS_ARCH_SLAB_MINALIGN =3D ARCH_SLAB_MINALIGN;
> diff --git a/rust/kernel/allocator.rs b/rust/kernel/allocator.rs
> index 397a3dd57a9b..66575cf87ce2 100644
> --- a/rust/kernel/allocator.rs
> +++ b/rust/kernel/allocator.rs
> @@ -11,9 +11,24 @@
>=20
>   unsafe impl GlobalAlloc for KernelAllocator {
>       unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
> +        // Customized layouts from `Layout::from_size_align()` can have =
size < align, so pads first.
> +        let layout =3D layout.pad_to_align();
> +
> +        let mut size =3D layout.size();
> +
> +        if layout.align() > bindings::BINDINGS_ARCH_SLAB_MINALIGN {
> +            // The alignment requirement exceeds the slab guarantee, the=
n tries to enlarges the size
> +            // to use the "power-of-two" size/alignment guarantee (see c=
omments in kmalloc() for
> +            // more information).
> +            //
> +            // Note that `layout.size()` (after padding) is guaranteed t=
o be muliples of
> +            // `layout.align()`, so `next_power_of_two` gives enough ali=
gnment guarantee.
> +            size =3D size.next_power_of_two();
> +        }
> +
>           // `krealloc()` is used instead of `kmalloc()` because the latt=
er is
>           // an inline function and cannot be bound to as a result.
> -        unsafe { bindings::krealloc(ptr::null(), layout.size(), bindings=
::GFP_KERNEL) as *mut u8 }
> +        unsafe { bindings::krealloc(ptr::null(), size, bindings::GFP_KER=
NEL) as *mut u8 }
>       }
>=20
>       unsafe fn dealloc(&self, ptr: *mut u8, _layout: Layout) {
> --
> 2.39.2
>