| Message ID | fb712f802228ab4319891983164bf45e90d529e7.1635076200.git.christophe.jaillet@wanadoo.fr (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | gve: Fix a possible invalid memory access | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Single patches do not need cover letters |
| netdev/fixes_present | success | Fixes tag not required for -next series |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | success | CCed 13 of 13 maintainers |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Fixes tag looks correct |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | No static functions without inline keyword in header files |
On Sun, Oct 24, 2021 at 7:52 AM Christophe JAILLET <christophe.jaillet@wanadoo.fr> wrote: > > It is spurious to allocate a bitmap for 'num_qpls' bits and record the > size of this bitmap with another value. > > 'qpl_map_size' is used in 'drivers/net/ethernet/google/gve/gve.h' with > 'find_[first|next]_zero_bit()'. > So, it looks that memory after the allocated 'qpl_id_map' could be > scanned. find_first_zero_bit takes a length argument in bits: /** * find_first_zero_bit - find the first cleared bit in a memory region * @addr: The address to start the search at * @size: The maximum number of bits to search qpl_map_size is passed to find_first_zero_bit. It does seem roundabout to compute first the number of longs needed to hold num_qpl bits BITS_TO_LONGS(num_qpls) then again compute the number of bits in this buffer * sizeof(unsigned long) * BITS_PER_BYTE Which will simply be num_qpls again. But, removing BITS_PER_BYTE does not arrive at the right number. > > Remove the '* BITS_PER_BYTE' to have allocation and length be the same. > > Fixes: f5cedc84a30d ("gve: Add transmit and receive support") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> > --- > This patch is completely speculative and un-tested! > You'll be warned. > --- > drivers/net/ethernet/google/gve/gve_main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c > index 7647cd05b1d2..19fe9e9b62f5 100644 > --- a/drivers/net/ethernet/google/gve/gve_main.c > +++ b/drivers/net/ethernet/google/gve/gve_main.c > @@ -866,7 +866,7 @@ static int gve_alloc_qpls(struct gve_priv *priv) > } > > priv->qpl_cfg.qpl_map_size = BITS_TO_LONGS(num_qpls) * > - sizeof(unsigned long) * BITS_PER_BYTE; > + sizeof(unsigned long); > priv->qpl_cfg.qpl_id_map = kvcalloc(BITS_TO_LONGS(num_qpls), > sizeof(unsigned long), GFP_KERNEL); > if (!priv->qpl_cfg.qpl_id_map) { > -- > 2.30.2 >
Le 24/10/2021 à 15:51, Willem de Bruijn a écrit : > On Sun, Oct 24, 2021 at 7:52 AM Christophe JAILLET > <christophe.jaillet@wanadoo.fr> wrote: >> >> It is spurious to allocate a bitmap for 'num_qpls' bits and record the >> size of this bitmap with another value. >> >> 'qpl_map_size' is used in 'drivers/net/ethernet/google/gve/gve.h' with >> 'find_[first|next]_zero_bit()'. >> So, it looks that memory after the allocated 'qpl_id_map' could be >> scanned. > > find_first_zero_bit takes a length argument in bits: > > /** > * find_first_zero_bit - find the first cleared bit in a memory region > * @addr: The address to start the search at > * @size: The maximum number of bits to search > > qpl_map_size is passed to find_first_zero_bit. > > It does seem roundabout to compute first the number of longs needed to > hold num_qpl bits > > BITS_TO_LONGS(num_qpls) > > then again compute the number of bits in this buffer > > * sizeof(unsigned long) * BITS_PER_BYTE > > Which will simply be num_qpls again. > > But, removing BITS_PER_BYTE does not arrive at the right number. (* embarrassed *) So obvious. Thank you for taking time for the explanation on a so badly broken patch. I apologize for the noise and the waste of time :( BTW, why not just have 'priv->qpl_cfg.qpl_map_size = num_qpls;'? CJ > > >> >> Remove the '* BITS_PER_BYTE' to have allocation and length be the same. >> >> Fixes: f5cedc84a30d ("gve: Add transmit and receive support") >> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> >> --- >> This patch is completely speculative and un-tested! >> You'll be warned. >> --- >> drivers/net/ethernet/google/gve/gve_main.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c >> index 7647cd05b1d2..19fe9e9b62f5 100644 >> --- a/drivers/net/ethernet/google/gve/gve_main.c >> +++ b/drivers/net/ethernet/google/gve/gve_main.c >> @@ -866,7 +866,7 @@ static int gve_alloc_qpls(struct gve_priv *priv) >> } >> >> priv->qpl_cfg.qpl_map_size = BITS_TO_LONGS(num_qpls) * >> - sizeof(unsigned long) * BITS_PER_BYTE; >> + sizeof(unsigned long); >> priv->qpl_cfg.qpl_id_map = kvcalloc(BITS_TO_LONGS(num_qpls), >> sizeof(unsigned long), GFP_KERNEL); >> if (!priv->qpl_cfg.qpl_id_map) { >> -- >> 2.30.2 >> >
On Sun, Oct 24, 2021 at 10:58 AM Christophe JAILLET <christophe.jaillet@wanadoo.fr> wrote: > > Le 24/10/2021 à 15:51, Willem de Bruijn a écrit : > > On Sun, Oct 24, 2021 at 7:52 AM Christophe JAILLET > > <christophe.jaillet@wanadoo.fr> wrote: > >> > >> It is spurious to allocate a bitmap for 'num_qpls' bits and record the > >> size of this bitmap with another value. > >> > >> 'qpl_map_size' is used in 'drivers/net/ethernet/google/gve/gve.h' with > >> 'find_[first|next]_zero_bit()'. > >> So, it looks that memory after the allocated 'qpl_id_map' could be > >> scanned. > > > > find_first_zero_bit takes a length argument in bits: > > > > /** > > * find_first_zero_bit - find the first cleared bit in a memory region > > * @addr: The address to start the search at > > * @size: The maximum number of bits to search > > > > qpl_map_size is passed to find_first_zero_bit. > > > > It does seem roundabout to compute first the number of longs needed to > > hold num_qpl bits > > > > BITS_TO_LONGS(num_qpls) > > > > then again compute the number of bits in this buffer > > > > * sizeof(unsigned long) * BITS_PER_BYTE > > > > Which will simply be num_qpls again. > > > > But, removing BITS_PER_BYTE does not arrive at the right number. > > (* embarrassed *) > > So obvious. > Thank you for taking time for the explanation on a so badly broken patch. > > I apologize for the noise and the waste of time :( No worries, it happens. Thanks for reviewing code. > > BTW, why not just have 'priv->qpl_cfg.qpl_map_size = num_qpls;'? Yes, that seems more straightforward to me too.
diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index 7647cd05b1d2..19fe9e9b62f5 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -866,7 +866,7 @@ static int gve_alloc_qpls(struct gve_priv *priv) } priv->qpl_cfg.qpl_map_size = BITS_TO_LONGS(num_qpls) * - sizeof(unsigned long) * BITS_PER_BYTE; + sizeof(unsigned long); priv->qpl_cfg.qpl_id_map = kvcalloc(BITS_TO_LONGS(num_qpls), sizeof(unsigned long), GFP_KERNEL); if (!priv->qpl_cfg.qpl_id_map) {
It is spurious to allocate a bitmap for 'num_qpls' bits and record the size of this bitmap with another value. 'qpl_map_size' is used in 'drivers/net/ethernet/google/gve/gve.h' with 'find_[first|next]_zero_bit()'. So, it looks that memory after the allocated 'qpl_id_map' could be scanned. Remove the '* BITS_PER_BYTE' to have allocation and length be the same. Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> --- This patch is completely speculative and un-tested! You'll be warned. --- drivers/net/ethernet/google/gve/gve_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)