From: Joe Perches
To: Matt Fleming
Cc: Chris Metcalf, Arnd Bergmann, Greg Kroah-Hartman, Ferruh Yigit, Dmitry Torokhov, Jaroslav Kysela, Takashi Iwai, LKML
Subject: Re: possible krealloc with __GFP_ZERO defects
Date: Fri, 05 Aug 2016 08:25:53 -0700
Message-ID: <1470410753.28648.2.camel@perches.com>
In-Reply-To: <20160805113701.GO3636@codeblueprint.co.uk>
References: <1469726831.3998.44.camel@perches.com> <1469729491.3998.58.camel@perches.com> <20160805113701.GO3636@codeblueprint.co.uk>
On Fri, 2016-08-05 at 12:37 +0100, Matt Fleming wrote:
> On Thu, 28 Jul, at 11:11:31AM, Joe Perches wrote:
> >
> > (forwarding to the maintainers of other uses)
> >
> > On Thu, 2016-07-28 at 10:27 -0700, Joe Perches wrote:
> > >
> > > There is a defect in krealloc with __GFP_ZERO so this code in
> > > drivers/char/tile-srom.c may not work properly:
> > >
> > > drivers/char/tile-srom.c-       for (i = 0; ; i++) {
> > > drivers/char/tile-srom.c-               int devhdl;
> > > drivers/char/tile-srom.c-               char buf[20];
> > > drivers/char/tile-srom.c-               struct srom_dev *new_srom_devices =
> > > drivers/char/tile-srom.c-                       krealloc(srom_devices, (i+1) * sizeof(struct srom_dev),
> > > drivers/char/tile-srom.c:                                GFP_KERNEL | __GFP_ZERO);
> > > drivers/char/tile-srom.c-               if (!new_srom_devices) {
> > > drivers/char/tile-srom.c-                       result = -ENOMEM;
> > > drivers/char/tile-srom.c-                       goto fail_mem;
> > > drivers/char/tile-srom.c-               }
> > > drivers/char/tile-srom.c-               srom_devices = new_srom_devices;
> > >
> > > http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect
> >
> > Here are the other in-tree uses that may not work properly
> >
> > $ grep-2.5.4 -rP --include=*.[ch] -n "krealloc[^;]+__GFP_ZERO" *
> > drivers/firmware/efi/capsule-loader.c:87: temp_page = krealloc(cap_info->pages,
> >      pages_needed * sizeof(void *),
> >      GFP_KERNEL | __GFP_ZERO);
> > drivers/char/tile-srom.c:375: krealloc(srom_devices, (i+1) * sizeof(struct srom_dev),
> >  GFP_KERNEL | __GFP_ZERO);
> > drivers/input/touchscreen/cyttsp4_core.c:521: p = krealloc(si->btn, si->si_ofs.btn_keys_size,
> > GFP_KERNEL|__GFP_ZERO);
> > drivers/input/touchscreen/cyttsp4_core.c:565: p = krealloc(si->xy_mode, si->si_ofs.mode_size, GFP_KERNEL|__GFP_ZERO);
> > drivers/input/touchscreen/cyttsp4_core.c:570: p = krealloc(si->xy_data, si->si_ofs.data_size, GFP_KERNEL|__GFP_ZERO);
> > drivers/input/touchscreen/cyttsp4_core.c:575: p = krealloc(si->btn_rec_data,
> > si->si_ofs.btn_rec_size * si->si_ofs.num_btns,
> > GFP_KERNEL|__GFP_ZERO);
> > sound/hda/array.c:28: nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO);
> > sound/core/info.c:342: char *nbuf = krealloc(buf->buffer, PAGE_ALIGN(next),
> >       GFP_KERNEL | __GFP_ZERO);
>
> Isn't this a bug in krealloc()?

Yes.  Reported 3+ years ago.

http://linux-kernel.vger.kernel.narkive.com/xyiQV3vf/slab-krealloc-with-gfp-zero-defect

This sequence can return non-zeroed memory from the padding area of the
original allocation.

	ptr = kzalloc(foo, GFP_KERNEL);
	if (!ptr)
		...
	new_ptr = krealloc(ptr, foo + bar, GFP_KERNEL | __GFP_ZERO);

If the realloc size is within the first actual allocation then the
additional memory is not zeroed.

If the realloc size is not within the original allocation size, any
non-zeroed padding from the original allocation is overwriting newly
allocated zeroed memory.

Maybe someone more familiar with the alignment & padding can add the
proper memset(,0,) for the __GFP_ZERO cases and also optimize
kmalloc_track_caller to not use __GFP_ZERO, memcpy the current (non
padded) size and zero the newly returned remainder if necessary.
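A user-space model of the krealloc() behaviour this reply describes, added here as an illustration; it is not kernel code and not code from the thread. The slab header, the power-of-two size classes, the GFP flag values and the 0xA5 stale-byte pattern are constructed assumptions. It shows both cases Joe lists (in-place growth that leaves the tail unzeroed, and a move that copies the old padding over freshly zeroed memory) beside a variant that implements his proposed copy-the-used-size-then-zero fix.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define GFP_KERNEL 0x01u    /* constructed flag values, not the kernel's */
#define __GFP_ZERO 0x100u

/* Model slab header: ks = padded size-class size, req = size the caller asked for */
struct obj { size_t ks, req; unsigned char data[]; };

static size_t size_class(size_t n) { size_t c = 8; while (c < n) c <<= 1; return c; }
static struct obj *hdr(void *p) { return (struct obj *)p - 1; }
static size_t ksize(void *p) { return hdr(p)->ks; }

/* Recycled slab memory is modelled as stale 0xA5 bytes unless __GFP_ZERO is set */
static void *kmalloc(size_t n, unsigned flags) {
    size_t ks = size_class(n);
    struct obj *o = malloc(sizeof *o + ks);
    if (!o) return NULL;
    o->ks = ks; o->req = n;
    memset(o->data, (flags & __GFP_ZERO) ? 0 : 0xA5, ks);
    return o->data;
}
static void kfree(void *p) { if (p) free(hdr(p)); }

/* The behaviour described in the thread: a request that fits in ksize() returns
 * the same object with its tail untouched; otherwise all ksize() bytes, padding
 * included, are copied over the newly zeroed object. */
static void *krealloc_buggy(void *p, size_t n, unsigned flags) {
    if (p && n <= ksize(p)) return p;
    void *ret = kmalloc(n, flags);
    if (ret && p) { memcpy(ret, p, ksize(p)); kfree(p); }
    return ret;
}

/* Joe's proposal, modelled: copy only the bytes the caller actually owned and,
 * for __GFP_ZERO, zero everything from there up to the new size. */
static void *krealloc_fixed(void *p, size_t n, unsigned flags) {
    size_t old = p ? hdr(p)->req : 0;
    void *ret = (p && n <= ksize(p)) ? p : kmalloc(n, flags & ~__GFP_ZERO);
    if (!ret) return NULL;
    if (ret != p) { if (p) memcpy(ret, p, old); kfree(p); }
    if ((flags & __GFP_ZERO) && n > old)
        memset((unsigned char *)ret + old, 0, n - old);
    hdr(ret)->req = n;
    return ret;
}

/* Returns 1 if bytes [from, to) of p are all zero, else 0 */
static int is_zeroed(const void *p, size_t from, size_t to) {
    const unsigned char *b = p;
    for (size_t i = from; i < to; i++) if (b[i]) return 0;
    return 1;
}
```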