From: Ira Weiny <ira.weiny@intel.com>
To: Souptick Joarder <jrdr.linux@gmail.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>,
Matthew Wilcox <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
linux-kernel@vger.kernel.org, John Hubbard <jhubbard@nvidia.com>
Subject: Re: [PATCH] mm/gup.c: Handling ERR within unpin_user_pages()
Date: Mon, 14 Sep 2020 14:01:41 -0700 [thread overview]
Message-ID: <20200914210141.GD878166@iweiny-DESK2.sc.intel.com> (raw)
In-Reply-To: <CAFqt6zasxyAc9heAFuQ0xXuwpk8s7RThordModvLVDNDfFYvkA@mail.gmail.com>
On Tue, Sep 15, 2020 at 02:22:33AM +0530, Souptick Joarder wrote:
> On Mon, Sep 14, 2020 at 7:38 PM Jason Gunthorpe <jgg@ziepe.ca> wrote:
> >
> > On Mon, Sep 14, 2020 at 07:20:34AM +0530, Souptick Joarder wrote:
> > > On Sun, Sep 13, 2020 at 8:25 PM Matthew Wilcox <willy@infradead.org> wrote:
> > > >
> > > > On Sun, Sep 13, 2020 at 08:02:35PM +0530, Souptick Joarder wrote:
> > > > > It is possible that a buggy caller of unpin_user_pages()
> > > > > (specially in error handling path) may end up calling it with
> > > > > npages < 0 which is unnecessary.
> > > > > @@ -328,6 +328,9 @@ void unpin_user_pages(struct page **pages, unsigned long npages)
> > > > > {
> > > > > unsigned long index;
> > > > >
> > > > > + if (WARN_ON_ONCE(npages < 0))
> > > > > + return;
> > > >
> > > > But npages is unsigned long. So it can't be less than zero.
> > >
> > > Sorry, I missed it.
> > >
> > > Then, it means if npages is assigned with -ERRNO by caller, unpin_user_pages()
> > > may end up calling a big loop, which is unnecessary.
> >
> > How will a caller allocate memory of the right size and still manage
> > to call with the wrong npages? Do you have an example of a broken caller?
>
> These are two broken callers which might end up calling unpin_user_pages()
> with -ERRNO.
> drivers/rapidio/devices/rio_mport_cdev.c#L952
The error here is that nr_pages should not be set to pinned if pinned is < 0.
Why not fix the logic there? Because it is inherently dangerous to set an
unsigned from a signed variable like that.
> drivers/misc/mic/scif/scif_rma.c#L1399
Again this is a caller who is not properly checking error conditions.
>
> They both are in error handling paths, so might not have any serious impact.
> But theoretically possible.
Actually I think they might have serious problems so they both should be fixed.
In the end this patch just can't work because npages can't be < 0 like Matthew
said.
Ira
prev parent reply other threads:[~2020-09-14 21:01 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-13 14:32 [PATCH] mm/gup.c: Handling ERR within unpin_user_pages() Souptick Joarder
2020-09-13 14:55 ` Matthew Wilcox
2020-09-14 1:50 ` Souptick Joarder
2020-09-14 1:50 ` Souptick Joarder
2020-09-14 14:08 ` Jason Gunthorpe
2020-09-14 20:52 ` Souptick Joarder
2020-09-14 20:52 ` Souptick Joarder
2020-09-14 20:56 ` John Hubbard
2020-09-14 21:01 ` Ira Weiny [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200914210141.GD878166@iweiny-DESK2.sc.intel.com \
--to=ira.weiny@intel.com \
--cc=akpm@linux-foundation.org \
--cc=jgg@ziepe.ca \
--cc=jhubbard@nvidia.com \
--cc=jrdr.linux@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.