linux-kernel.vger.kernel.org archive mirror
From: Paolo Abeni <pabeni@redhat.com>
To: Kees Cook <keescook@chromium.org>,
	"David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Nick Desaulniers <ndesaulniers@google.com>,
	David Rientjes <rientjes@google.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Menglong Dong <imagedong@tencent.com>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3][next] skbuff: Proactively round up to kmalloc bucket size
Date: Thu, 20 Oct 2022 10:42:47 +0200
Message-ID: <0ea1fc165a6c6117f982f4f135093e69cb884930.camel@redhat.com>
In-Reply-To: <20221018093005.give.246-kees@kernel.org>

Hello,

On Tue, 2022-10-18 at 02:33 -0700, Kees Cook wrote:
> Instead of discovering the kmalloc bucket size _after_ allocation, round
> up proactively so the allocation is explicitly made for the full size,
> allowing the compiler to correctly reason about the resulting size of
> the buffer through the existing __alloc_size() hint.
> 
> This will allow for kernels built with CONFIG_UBSAN_BOUNDS or the
> coming dynamic bounds checking under CONFIG_FORTIFY_SOURCE to gain
> back the __alloc_size() hints that were temporarily reverted in commit
> 93dd04ab0b2b ("slab: remove __alloc_size attribute from __kmalloc_track_caller")
> 
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: Paolo Abeni <pabeni@redhat.com>
> Cc: netdev@vger.kernel.org
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: David Rientjes <rientjes@google.com>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v3: refactor again to pass allocation size more cleanly to callers
> v2: https://lore.kernel.org/lkml/20220923202822.2667581-4-keescook@chromium.org/
> ---
>  net/core/skbuff.c | 41 ++++++++++++++++++++++-------------------
>  1 file changed, 22 insertions(+), 19 deletions(-)
> 
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 1d9719e72f9d..3ea1032d03ec 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -425,11 +425,12 @@ EXPORT_SYMBOL(napi_build_skb);
>   * memory is free
>   */
>  static void *kmalloc_reserve(size_t size, gfp_t flags, int node,
> -			     bool *pfmemalloc)
> +			     bool *pfmemalloc, size_t *alloc_size)
>  {
>  	void *obj;
>  	bool ret_pfmemalloc = false;
>  
> +	size = kmalloc_size_roundup(size);
>  	/*
>  	 * Try a regular allocation, when that fails and we're not entitled
>  	 * to the reserves, fail.
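Review bot: The new `alloc_size` out-parameter in the kmalloc_reserve() signature is undocumented: the comment block ending in "memory is free" just above the function appears only as unchanged context. A sentence there saying that `size` is rounded up with kmalloc_size_roundup() before the allocation, and that the rounded value is handed back through `alloc_size`, would make the new contract clear to callers.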
> @@ -448,6 +449,7 @@ static void *kmalloc_reserve(size_t size, gfp_t flags, int node,
>  	if (pfmemalloc)
>  		*pfmemalloc = ret_pfmemalloc;
>  
> +	*alloc_size = size;
>  	return obj;
>  }
>  
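Review bot: `*alloc_size = size;` dereferences the new pointer unconditionally, while the existing out-parameter two lines above is guarded with `if (pfmemalloc)`. Either guard `alloc_size` the same way or state in the function comment that it must be non-NULL. The store also happens when `obj` is NULL, so callers have to check the return value before relying on the reported size.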
> @@ -479,7 +481,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
>  {
>  	struct kmem_cache *cache;
>  	struct sk_buff *skb;
> -	unsigned int osize;
> +	size_t alloc_size;
>  	bool pfmemalloc;
>  	u8 *data;
>  
> @@ -506,15 +508,15 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
>  	 */
>  	size = SKB_DATA_ALIGN(size);
>  	size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> -	data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);
> -	if (unlikely(!data))
> -		goto nodata;

I'm sorry for not noticing the above in the previous iteration, but I
think this revision will produce worse code than the V1, as
kmalloc_reserve() now pollutes an additional register.

Why did you prefer adding an additional parameter to kmalloc_reserve()?
I think computing the alloc_size in the caller is even more readable.

Additionally, as a matter of personal preference, I would not introduce
an additional variable for alloc_size, just:

	// ...
	size = kmalloc_size_roundup(size);
	data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc);

The rationale is smaller diff, and consistent style with the existing
code where 'size' is already adjusted multiple times incrementally.

Cheers,

Paolo
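
Added example, not part of the original message or of the kernel source: a user-space C model of the mismatch the quoted commit message describes, where a bounds checker only knows the size passed at the allocation call. The bucket table, `toy_size_roundup()`, `toy_alloc()`, `access_ok()` and `struct tracked` are hypothetical stand-ins, not kernel APIs.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed bucket table for this model (assumption, not read from a kernel). */
static const size_t buckets[] = { 8, 16, 32, 64, 96, 128, 192, 256, 512, 1024 };
#define NBUCKETS (sizeof(buckets) / sizeof(buckets[0]))

/* Hypothetical stand-in for kmalloc_size_roundup(): smallest bucket >= size. */
size_t toy_size_roundup(size_t size)
{
	for (size_t i = 0; i < NBUCKETS; i++)
		if (buckets[i] >= size)
			return buckets[i];
	return size; /* beyond the table: no rounding in this model */
}

/* 'known' models what the __alloc_size() hint tells a bounds checker. */
struct tracked {
	void *p;
	size_t known;  /* size argument seen at the allocation call */
	size_t usable; /* bytes the bucket really provides */
};

struct tracked toy_alloc(size_t size)
{
	size_t usable = toy_size_roundup(size);
	struct tracked t = { malloc(usable), size, usable };
	return t;
}

/* Overflow-safe check against the size the checker knows about. */
int access_ok(const struct tracked *t, size_t off, size_t len)
{
	return len <= t->known && off <= t->known - len;
}

/* Old pattern: allocate, then discover the bucket size and use all of it. */
int last_byte_ok_discover_after(size_t size)
{
	struct tracked t = toy_alloc(size);
	int ok = access_ok(&t, t.usable - 1, 1);
	free(t.p);
	return ok;
}

/* Patch pattern: round up first, so the request equals the usable size. */
int last_byte_ok_round_first(size_t size)
{
	struct tracked t = toy_alloc(toy_size_roundup(size));
	int ok = access_ok(&t, t.usable - 1, 1);
	free(t.p);
	return ok;
}
```

For a 100-byte request the model's bucket is 128 bytes: touching byte 127 is rejected when the size is discovered after allocation, and accepted when the request is rounded up first.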


Thread overview: 3+ messages
2022-10-18  9:33 [PATCH v3][next] skbuff: Proactively round up to kmalloc bucket size Kees Cook
2022-10-20  8:42 ` Paolo Abeni [this message]
2022-10-21 16:10   ` Kees Cook
