* tile-srom and krealloc with __GFP_ZERO defect
@ 2016-07-28 17:27 Joe Perches
2016-07-28 18:11 ` possible krealloc with __GFP_ZERO defects Joe Perches
0 siblings, 1 reply; 5+ messages in thread
From: Joe Perches @ 2016-07-28 17:27 UTC (permalink / raw)
To: Chris Metcalf; +Cc: LKML
Hello Chris,
There is a defect in krealloc with __GFP_ZERO so this code in
drivers/chat/tile-srom.c may not work properly:
drivers/char/tile-srom.c- for (i = 0; ; i++) {
drivers/char/tile-srom.c- int devhdl;
drivers/char/tile-srom.c- char buf[20];
drivers/char/tile-srom.c- struct srom_dev *new_srom_devices =
drivers/char/tile-srom.c- krealloc(srom_devices, (i+1) * sizeof(struct srom_dev),
drivers/char/tile-srom.c: GFP_KERNEL | __GFP_ZERO);
drivers/char/tile-srom.c- if (!new_srom_devices) {
drivers/char/tile-srom.c- result = -ENOMEM;
drivers/char/tile-srom.c- goto fail_mem;
drivers/char/tile-srom.c- }
drivers/char/tile-srom.c- srom_devices = new_srom_devices;
http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect
^ permalink raw reply [flat|nested] 5+ messages in thread* possible krealloc with __GFP_ZERO defects 2016-07-28 17:27 tile-srom and krealloc with __GFP_ZERO defect Joe Perches @ 2016-07-28 18:11 ` Joe Perches 2016-07-28 19:07 ` [PATCH] tile-srom: avoid krealloc(... __GFP_ZERO) pattern Chris Metcalf 2016-08-05 11:37 ` possible krealloc with __GFP_ZERO defects Matt Fleming 0 siblings, 2 replies; 5+ messages in thread From: Joe Perches @ 2016-07-28 18:11 UTC (permalink / raw) To: Chris Metcalf, Matt Fleming, Arnd Bergmann, Greg Kroah-Hartman, Ferruh Yigit, Dmitry Torokhov, Jaroslav Kysela, Takashi Iwai Cc: LKML (forwarding to the maintainers of other uses) On Thu, 2016-07-28 at 10:27 -0700, Joe Perches wrote: > There is a defect in krealloc with __GFP_ZERO so this code in > drivers/chat/tile-srom.c may not work properly: > > drivers/char/tile-srom.c- for (i = 0; ; i++) { > drivers/char/tile-srom.c- int devhdl; > drivers/char/tile-srom.c- char buf[20]; > drivers/char/tile-srom.c- struct srom_dev *new_srom_devices = > drivers/char/tile-srom.c- krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), > drivers/char/tile-srom.c: GFP_KERNEL | __GFP_ZERO); > drivers/char/tile-srom.c- if (!new_srom_devices) { > drivers/char/tile-srom.c- result = -ENOMEM; > drivers/char/tile-srom.c- goto fail_mem; > drivers/char/tile-srom.c- } > drivers/char/tile-srom.c- srom_devices = new_srom_devices; > > http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect Here are the other in-tree uses that may not work properly $ grep-2.5.4 -rP --include=*.[ch] -n "krealloc[^;]+__GFP_ZERO" * drivers/firmware/efi/capsule-loader.c:87: temp_page = krealloc(cap_info->pages, pages_needed * sizeof(void *), GFP_KERNEL | __GFP_ZERO); drivers/char/tile-srom.c:375: krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), GFP_KERNEL | __GFP_ZERO); drivers/input/touchscreen/cyttsp4_core.c:521: p = krealloc(si->btn, si->si_ofs.btn_keys_size, GFP_KERNEL|__GFP_ZERO); drivers/input/touchscreen/cyttsp4_core.c:565: p = krealloc(si->xy_mode, si->si_ofs.mode_size, GFP_KERNEL|__GFP_ZERO); drivers/input/touchscreen/cyttsp4_core.c:570: p = krealloc(si->xy_data, si->si_ofs.data_size, GFP_KERNEL|__GFP_ZERO); drivers/input/touchscreen/cyttsp4_core.c:575: p = krealloc(si->btn_rec_data, si->si_ofs.btn_rec_size * si->si_ofs.num_btns, GFP_KERNEL|__GFP_ZERO); sound/hda/array.c:28: nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO); sound/core/info.c:342: char *nbuf = krealloc(buf->buffer, PAGE_ALIGN(next), GFP_KERNEL | __GFP_ZERO); ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH] tile-srom: avoid krealloc(... __GFP_ZERO) pattern 2016-07-28 18:11 ` possible krealloc with __GFP_ZERO defects Joe Perches @ 2016-07-28 19:07 ` Chris Metcalf 2016-08-05 11:37 ` possible krealloc with __GFP_ZERO defects Matt Fleming 1 sibling, 0 replies; 5+ messages in thread From: Chris Metcalf @ 2016-07-28 19:07 UTC (permalink / raw) To: Joe Perches, Matt Fleming, Arnd Bergmann, Greg Kroah-Hartman, Ferruh Yigit, Dmitry Torokhov, Jaroslav Kysela, Takashi Iwai Cc: Chris Metcalf, LKML Joe Perches points out [1] that this pattern isn't currently safe. This driver doesn't really need the zeroing semantic anyway; by restructuring the code slightly we can initialize all the fields of the structure up front instead. [1] https://lkml.kernel.org/r/1469729491.3998.58.camel@perches.com Signed-off-by: Chris Metcalf <cmetcalf@mellanox.com> --- drivers/char/tile-srom.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/drivers/char/tile-srom.c b/drivers/char/tile-srom.c index 69f6b4acc377..398800edb2cc 100644 --- a/drivers/char/tile-srom.c +++ b/drivers/char/tile-srom.c @@ -331,13 +331,11 @@ static const struct file_operations srom_fops = { /** * srom_setup_minor() - Initialize per-minor information. * @srom: Per-device SROM state. - * @index: Device to set up. + * @devhdl: Partition device handle. */ -static int srom_setup_minor(struct srom_dev *srom, int index) +static int srom_setup_minor(struct srom_dev *srom, int devhdl) { - struct device *dev; - int devhdl = srom->hv_devhdl; - + srom->hv_devhdl = devhdl; mutex_init(&srom->lock); if (_srom_read(devhdl, &srom->total_size, @@ -350,9 +348,7 @@ static int srom_setup_minor(struct srom_dev *srom, int index) SROM_PAGE_SIZE_OFF, sizeof(srom->page_size)) < 0) return -EIO; - dev = device_create(srom_class, &srom_parent->dev, - MKDEV(srom_major, index), srom, "%d", index); - return PTR_ERR_OR_ZERO(dev); + return 0; } /** srom_init() - Initialize the driver's module. */ @@ -365,7 +361,7 @@ static int srom_init(void) * Start with a plausible number of partitions; the krealloc() call * below will yield about log(srom_devs) additional allocations. */ - srom_devices = kzalloc(4 * sizeof(struct srom_dev), GFP_KERNEL); + srom_devices = kmalloc(4 * sizeof(struct srom_dev), GFP_KERNEL); /* Discover the number of srom partitions. */ for (i = 0; ; i++) { @@ -373,7 +369,7 @@ static int srom_init(void) char buf[20]; struct srom_dev *new_srom_devices = krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), - GFP_KERNEL | __GFP_ZERO); + GFP_KERNEL); if (!new_srom_devices) { result = -ENOMEM; goto fail_mem; @@ -387,7 +383,9 @@ static int srom_init(void) i, devhdl); break; } - srom_devices[i].hv_devhdl = devhdl; + result = srom_setup_minor(&srom_devices[i], devhdl); + if (result != 0) + goto fail_mem; } srom_devs = i; @@ -431,9 +429,13 @@ static int srom_init(void) srom_class->dev_groups = srom_dev_groups; srom_class->devnode = srom_devnode; - /* Do per-partition initialization */ + /* Create per-partition devices */ for (i = 0; i < srom_devs; i++) { - result = srom_setup_minor(srom_devices + i, i); + struct device *dev = + device_create(srom_class, &srom_parent->dev, + MKDEV(srom_major, i), srom_devices + i, + "%d", i); + result = PTR_ERR_OR_ZERO(dev); if (result < 0) goto fail_class; } -- 2.7.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: possible krealloc with __GFP_ZERO defects 2016-07-28 18:11 ` possible krealloc with __GFP_ZERO defects Joe Perches 2016-07-28 19:07 ` [PATCH] tile-srom: avoid krealloc(... __GFP_ZERO) pattern Chris Metcalf @ 2016-08-05 11:37 ` Matt Fleming 2016-08-05 15:25 ` Joe Perches 1 sibling, 1 reply; 5+ messages in thread From: Matt Fleming @ 2016-08-05 11:37 UTC (permalink / raw) To: Joe Perches Cc: Chris Metcalf, Arnd Bergmann, Greg Kroah-Hartman, Ferruh Yigit, Dmitry Torokhov, Jaroslav Kysela, Takashi Iwai, LKML On Thu, 28 Jul, at 11:11:31AM, Joe Perches wrote: > (forwarding to the maintainers of other uses) > > On Thu, 2016-07-28 at 10:27 -0700, Joe Perches wrote: > > There is a defect in krealloc with __GFP_ZERO so this code in > > drivers/chat/tile-srom.c may not work properly: > > > > drivers/char/tile-srom.c- for (i = 0; ; i++) { > > drivers/char/tile-srom.c- int devhdl; > > drivers/char/tile-srom.c- char buf[20]; > > drivers/char/tile-srom.c- struct srom_dev *new_srom_devices = > > drivers/char/tile-srom.c- krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), > > drivers/char/tile-srom.c: GFP_KERNEL | __GFP_ZERO); > > drivers/char/tile-srom.c- if (!new_srom_devices) { > > drivers/char/tile-srom.c- result = -ENOMEM; > > drivers/char/tile-srom.c- goto fail_mem; > > drivers/char/tile-srom.c- } > > drivers/char/tile-srom.c- srom_devices = new_srom_devices; > > > > http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect > > Here are the other in-tree uses that may not work properly > > $ grep-2.5.4 -rP --include=*.[ch] -n "krealloc[^;]+__GFP_ZERO" * > drivers/firmware/efi/capsule-loader.c:87: temp_page = krealloc(cap_info->pages, > pages_needed * sizeof(void *), > GFP_KERNEL | __GFP_ZERO); > drivers/char/tile-srom.c:375: krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), > GFP_KERNEL | __GFP_ZERO); > drivers/input/touchscreen/cyttsp4_core.c:521: p = krealloc(si->btn, si->si_ofs.btn_keys_size, > GFP_KERNEL|__GFP_ZERO); > drivers/input/touchscreen/cyttsp4_core.c:565: p = krealloc(si->xy_mode, si->si_ofs.mode_size, GFP_KERNEL|__GFP_ZERO); > drivers/input/touchscreen/cyttsp4_core.c:570: p = krealloc(si->xy_data, si->si_ofs.data_size, GFP_KERNEL|__GFP_ZERO); > drivers/input/touchscreen/cyttsp4_core.c:575: p = krealloc(si->btn_rec_data, > si->si_ofs.btn_rec_size * si->si_ofs.num_btns, > GFP_KERNEL|__GFP_ZERO); > sound/hda/array.c:28: nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO); > sound/core/info.c:342: char *nbuf = krealloc(buf->buffer, PAGE_ALIGN(next), > GFP_KERNEL | __GFP_ZERO); Isn't this a bug in krealloc()? ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: possible krealloc with __GFP_ZERO defects 2016-08-05 11:37 ` possible krealloc with __GFP_ZERO defects Matt Fleming @ 2016-08-05 15:25 ` Joe Perches 0 siblings, 0 replies; 5+ messages in thread From: Joe Perches @ 2016-08-05 15:25 UTC (permalink / raw) To: Matt Fleming Cc: Chris Metcalf, Arnd Bergmann, Greg Kroah-Hartman, Ferruh Yigit, Dmitry Torokhov, Jaroslav Kysela, Takashi Iwai, LKML On Fri, 2016-08-05 at 12:37 +0100, Matt Fleming wrote: > On Thu, 28 Jul, at 11:11:31AM, Joe Perches wrote: > > > > (forwarding to the maintainers of other uses) > > > > On Thu, 2016-07-28 at 10:27 -0700, Joe Perches wrote: > > > > > > There is a defect in krealloc with __GFP_ZERO so this code in > > > drivers/chat/tile-srom.c may not work properly: > > > > > > drivers/char/tile-srom.c- for (i = 0; ; i++) { > > > drivers/char/tile-srom.c- int devhdl; > > > drivers/char/tile-srom.c- char buf[20]; > > > drivers/char/tile-srom.c- struct srom_dev *new_srom_devices = > > > drivers/char/tile-srom.c- krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), > > > drivers/char/tile-srom.c: GFP_KERNEL | __GFP_ZERO); > > > drivers/char/tile-srom.c- if (!new_srom_devices) { > > > drivers/char/tile-srom.c- result = -ENOMEM; > > > drivers/char/tile-srom.c- goto fail_mem; > > > drivers/char/tile-srom.c- } > > > drivers/char/tile-srom.c- srom_devices = new_srom_devices; > > > > > > http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect > > Here are the other in-tree uses that may not work properly > > > > $ grep-2.5.4 -rP --include=*.[ch] -n "krealloc[^;]+__GFP_ZERO" * > > drivers/firmware/efi/capsule-loader.c:87: temp_page = krealloc(cap_info->pages, > > pages_needed * sizeof(void *), > > GFP_KERNEL | __GFP_ZERO); > > drivers/char/tile-srom.c:375: krealloc(srom_devices, (i+1) * sizeof(struct srom_dev), > > GFP_KERNEL | __GFP_ZERO); > > drivers/input/touchscreen/cyttsp4_core.c:521: p = krealloc(si->btn, si->si_ofs.btn_keys_size, > > GFP_KERNEL|__GFP_ZERO); > > drivers/input/touchscreen/cyttsp4_core.c:565: p = krealloc(si->xy_mode, si->si_ofs.mode_size, GFP_KERNEL|__GFP_ZERO); > > drivers/input/touchscreen/cyttsp4_core.c:570: p = krealloc(si->xy_data, si->si_ofs.data_size, GFP_KERNEL|__GFP_ZERO); > > drivers/input/touchscreen/cyttsp4_core.c:575: p = krealloc(si->btn_rec_data, > > si->si_ofs.btn_rec_size * si->si_ofs.num_btns, > > GFP_KERNEL|__GFP_ZERO); > > sound/hda/array.c:28: nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO); > > sound/core/info.c:342: char *nbuf = krealloc(buf->buffer, PAGE_ALIGN(next), > > GFP_KERNEL | __GFP_ZERO); > Isn't this a bug in krealloc()? Yes. Reported 3+ years ago. http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect This sequence can return non-zeroed memory from the padding area of the original allocation. ptr = kzalloc(foo, GFP_KERNEL); if (!ptr) ... new_ptr = krealloc(ptr, foo + bar, GFP_KERNEL | __GFP_ZERO); If the realloc size is within the first actual allocation then the additional memory is not zeroed. If the realloc size is not within the original allocation size, any non-zeroed padding from the original allocation is overwriting newly allocated zeroed memory. Maybe someone more familiar with the alignment & padding can add the proper memset(,0,) for the __GFP_ZERO cases and also optimize kmalloc_track_caller to not use __GFP_ZERO, memcpy the current (non padded) size and zero the newly returned remainder if necessary. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-08-05 15:25 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-07-28 17:27 tile-srom and krealloc with __GFP_ZERO defect Joe Perches 2016-07-28 18:11 ` possible krealloc with __GFP_ZERO defects Joe Perches 2016-07-28 19:07 ` [PATCH] tile-srom: avoid krealloc(... __GFP_ZERO) pattern Chris Metcalf 2016-08-05 11:37 ` possible krealloc with __GFP_ZERO defects Matt Fleming 2016-08-05 15:25 ` Joe Perches
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).