diff mbox series

[v2,07/13] ata: libata-core: Remove support for decreasing the number of ports

Message ID 20240626180031.4050226-22-cassel@kernel.org (mailing list archive)
State Superseded
Headers show
Series ata,libsas: Assign the unique id used for printing earlier | expand

Commit Message

Niklas Cassel June 26, 2024, 6 p.m. UTC
Commit f31871951b38 ("libata: separate out ata_host_alloc() and
ata_host_register()") added ata_host_alloc(), where the API allowed
a LLD to overallocate the number of ports supplied to ata_host_alloc(),
as long as the LLD decreased host->n_ports before calling
ata_host_register().

However, this functionally has never ever been used by a single LLD.

Because of the current API design, the assignment of ap->print_id is
deferred until registration time, which is bad, because that means that
the ata_port_*() print functions cannot be used by a LLD until after
registration time, which means that a LLD is forced to use a print
function that is non-port specific, even for a port specific error.

Remove the support for decreasing the number of ports, such that it will
be possible to assign ap->print_id earlier.

Signed-off-by: Niklas Cassel <cassel@kernel.org>
---
 drivers/ata/libata-core.c | 24 ++++++++++--------------
 include/linux/libata.h    |  2 +-
 2 files changed, 11 insertions(+), 15 deletions(-)

Comments

Niklas Cassel June 26, 2024, 7:30 p.m. UTC | #1
On Wed, Jun 26, 2024 at 08:00:37PM +0200, Niklas Cassel wrote:
> @@ -5908,12 +5903,13 @@ int ata_host_register(struct ata_host *host, const struct scsi_host_template *sh
>  		return -EINVAL;
>  	}
>  
> -	/* Blow away unused ports.  This happens when LLD can't
> -	 * determine the exact number of ports to allocate at
> -	 * allocation time.
> +	/*
> +	 * For a driver using ata_host_register(), the ports are allocated by
> +	 * ata_host_alloc(), which also allocates the host->ports array.
> +	 * The number of array elements must match host->n_ports.
>  	 */
>  	for (i = host->n_ports; host->ports[i]; i++)
> -		kfree(host->ports[i]);
> +		WARN_ON(host->ports[i]);

Nit:
Even though we replace the kfree() with a WARN_ON() here, the strictly
correct thing would have been for the earlier patch in this series:
"ata,scsi: libata-core: Add ata_port_free()" to have replaced the kfree()
with ata_port_free(), and then for this patch to replace the ata_port_free()
with a WARN_ON().


Kind regards,
Niklas
Damien Le Moal June 27, 2024, 1:30 a.m. UTC | #2
On 6/27/24 03:00, Niklas Cassel wrote:
> Commit f31871951b38 ("libata: separate out ata_host_alloc() and
> ata_host_register()") added ata_host_alloc(), where the API allowed
> a LLD to overallocate the number of ports supplied to ata_host_alloc(),
> as long as the LLD decreased host->n_ports before calling
> ata_host_register().
> 
> However, this functionally has never ever been used by a single LLD.
> 
> Because of the current API design, the assignment of ap->print_id is
> deferred until registration time, which is bad, because that means that
> the ata_port_*() print functions cannot be used by a LLD until after
> registration time, which means that a LLD is forced to use a print
> function that is non-port specific, even for a port specific error.
> 
> Remove the support for decreasing the number of ports, such that it will
> be possible to assign ap->print_id earlier.
> 
> Signed-off-by: Niklas Cassel <cassel@kernel.org>

With your own nit applied,

Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Hannes Reinecke June 27, 2024, 6:35 a.m. UTC | #3
On 6/26/24 20:00, Niklas Cassel wrote:
> Commit f31871951b38 ("libata: separate out ata_host_alloc() and
> ata_host_register()") added ata_host_alloc(), where the API allowed
> a LLD to overallocate the number of ports supplied to ata_host_alloc(),
> as long as the LLD decreased host->n_ports before calling
> ata_host_register().
> 
> However, this functionally has never ever been used by a single LLD.
> 
> Because of the current API design, the assignment of ap->print_id is
> deferred until registration time, which is bad, because that means that
> the ata_port_*() print functions cannot be used by a LLD until after
> registration time, which means that a LLD is forced to use a print
> function that is non-port specific, even for a port specific error.
> 
> Remove the support for decreasing the number of ports, such that it will
> be possible to assign ap->print_id earlier.
> 
> Signed-off-by: Niklas Cassel <cassel@kernel.org>
> ---
>   drivers/ata/libata-core.c | 24 ++++++++++--------------
>   include/linux/libata.h    |  2 +-
>   2 files changed, 11 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index 591020ea8989..a213a9c0d0a5 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5550,24 +5550,19 @@ EXPORT_SYMBOL_GPL(ata_host_put);
>   /**
>    *	ata_host_alloc - allocate and init basic ATA host resources
>    *	@dev: generic device this host is associated with
> - *	@max_ports: maximum number of ATA ports associated with this host
> + *	@n_ports: the number of ATA ports associated with this host
>    *
>    *	Allocate and initialize basic ATA host resources.  LLD calls
>    *	this function to allocate a host, initializes it fully and
>    *	attaches it using ata_host_register().
>    *
> - *	@max_ports ports are allocated and host->n_ports is
> - *	initialized to @max_ports.  The caller is allowed to decrease
> - *	host->n_ports before calling ata_host_register().  The unused
> - *	ports will be automatically freed on registration.
> - *
>    *	RETURNS:
>    *	Allocate ATA host on success, NULL on failure.
>    *
>    *	LOCKING:
>    *	Inherited from calling layer (may sleep).
>    */
> -struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
> +struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
>   {
>   	struct ata_host *host;
>   	size_t sz;
> @@ -5575,7 +5570,7 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
>   	void *dr;
>   
>   	/* alloc a container for our list of ATA ports (buses) */
> -	sz = sizeof(struct ata_host) + (max_ports + 1) * sizeof(void *);
> +	sz = sizeof(struct ata_host) + (n_ports + 1) * sizeof(void *);
>   	host = kzalloc(sz, GFP_KERNEL);
>   	if (!host)
>   		return NULL;
> @@ -5595,11 +5590,11 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
>   	spin_lock_init(&host->lock);
>   	mutex_init(&host->eh_mutex);
>   	host->dev = dev;
> -	host->n_ports = max_ports;
> +	host->n_ports = n_ports;
>   	kref_init(&host->kref);
>   
>   	/* allocate ports bound to this host */
> -	for (i = 0; i < max_ports; i++) {
> +	for (i = 0; i < n_ports; i++) {
>   		struct ata_port *ap;
>   
>   		ap = ata_port_alloc(host);
> @@ -5908,12 +5903,13 @@ int ata_host_register(struct ata_host *host, const struct scsi_host_template *sh
>   		return -EINVAL;
>   	}
>   
> -	/* Blow away unused ports.  This happens when LLD can't
> -	 * determine the exact number of ports to allocate at
> -	 * allocation time.
> +	/*
> +	 * For a driver using ata_host_register(), the ports are allocated by
> +	 * ata_host_alloc(), which also allocates the host->ports array.
> +	 * The number of array elements must match host->n_ports.
>   	 */
>   	for (i = host->n_ports; host->ports[i]; i++)
> -		kfree(host->ports[i]);
> +		WARN_ON(host->ports[i]);
>   
What a patently ugly check.
So you are relying on the caller to have zeroed the memory upfront.
But what happens if the caller allocated n_ports, zeroed the memory up 
to that point, and then filled in all 'ports' slots?
ports[n_ports - 1] is set to a pointer, but ports[n_ports] is _not_ 
allocated, and there is no guarantee it'll be zero.
Causing a memory overrun and all sorts of things.

This needs to go, as it's now pointless anyway.

Cheers,

Hannes
Niklas Cassel June 29, 2024, 12:24 p.m. UTC | #4
On Thu, Jun 27, 2024 at 08:35:49AM +0200, Hannes Reinecke wrote:
> On 6/26/24 20:00, Niklas Cassel wrote:
> > Commit f31871951b38 ("libata: separate out ata_host_alloc() and
> > ata_host_register()") added ata_host_alloc(), where the API allowed
> > a LLD to overallocate the number of ports supplied to ata_host_alloc(),
> > as long as the LLD decreased host->n_ports before calling
> > ata_host_register().
> > 
> > However, this functionally has never ever been used by a single LLD.
> > 
> > Because of the current API design, the assignment of ap->print_id is
> > deferred until registration time, which is bad, because that means that
> > the ata_port_*() print functions cannot be used by a LLD until after
> > registration time, which means that a LLD is forced to use a print
> > function that is non-port specific, even for a port specific error.
> > 
> > Remove the support for decreasing the number of ports, such that it will
> > be possible to assign ap->print_id earlier.
> > 
> > Signed-off-by: Niklas Cassel <cassel@kernel.org>
> > ---
> >   drivers/ata/libata-core.c | 24 ++++++++++--------------
> >   include/linux/libata.h    |  2 +-
> >   2 files changed, 11 insertions(+), 15 deletions(-)
> > 
> > diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> > index 591020ea8989..a213a9c0d0a5 100644
> > --- a/drivers/ata/libata-core.c
> > +++ b/drivers/ata/libata-core.c
> > @@ -5550,24 +5550,19 @@ EXPORT_SYMBOL_GPL(ata_host_put);
> >   /**
> >    *	ata_host_alloc - allocate and init basic ATA host resources
> >    *	@dev: generic device this host is associated with
> > - *	@max_ports: maximum number of ATA ports associated with this host
> > + *	@n_ports: the number of ATA ports associated with this host
> >    *
> >    *	Allocate and initialize basic ATA host resources.  LLD calls
> >    *	this function to allocate a host, initializes it fully and
> >    *	attaches it using ata_host_register().
> >    *
> > - *	@max_ports ports are allocated and host->n_ports is
> > - *	initialized to @max_ports.  The caller is allowed to decrease
> > - *	host->n_ports before calling ata_host_register().  The unused
> > - *	ports will be automatically freed on registration.
> > - *
> >    *	RETURNS:
> >    *	Allocate ATA host on success, NULL on failure.
> >    *
> >    *	LOCKING:
> >    *	Inherited from calling layer (may sleep).
> >    */
> > -struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
> > +struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
> >   {
> >   	struct ata_host *host;
> >   	size_t sz;
> > @@ -5575,7 +5570,7 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
> >   	void *dr;
> >   	/* alloc a container for our list of ATA ports (buses) */
> > -	sz = sizeof(struct ata_host) + (max_ports + 1) * sizeof(void *);
> > +	sz = sizeof(struct ata_host) + (n_ports + 1) * sizeof(void *);
> >   	host = kzalloc(sz, GFP_KERNEL);
> >   	if (!host)
> >   		return NULL;
> > @@ -5595,11 +5590,11 @@ struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
> >   	spin_lock_init(&host->lock);
> >   	mutex_init(&host->eh_mutex);
> >   	host->dev = dev;
> > -	host->n_ports = max_ports;
> > +	host->n_ports = n_ports;
> >   	kref_init(&host->kref);
> >   	/* allocate ports bound to this host */
> > -	for (i = 0; i < max_ports; i++) {
> > +	for (i = 0; i < n_ports; i++) {
> >   		struct ata_port *ap;
> >   		ap = ata_port_alloc(host);
> > @@ -5908,12 +5903,13 @@ int ata_host_register(struct ata_host *host, const struct scsi_host_template *sh
> >   		return -EINVAL;
> >   	}
> > -	/* Blow away unused ports.  This happens when LLD can't
> > -	 * determine the exact number of ports to allocate at
> > -	 * allocation time.
> > +	/*
> > +	 * For a driver using ata_host_register(), the ports are allocated by
> > +	 * ata_host_alloc(), which also allocates the host->ports array.
> > +	 * The number of array elements must match host->n_ports.
> >   	 */
> >   	for (i = host->n_ports; host->ports[i]; i++)
> > -		kfree(host->ports[i]);
> > +		WARN_ON(host->ports[i]);
> What a patently ugly check.
> So you are relying on the caller to have zeroed the memory upfront.
> But what happens if the caller allocated n_ports, zeroed the memory up to
> that point, and then filled in all 'ports' slots?
> ports[n_ports - 1] is set to a pointer, but ports[n_ports] is _not_
> allocated, and there is no guarantee it'll be zero.
> Causing a memory overrun and all sorts of things.
> 
> This needs to go, as it's now pointless anyway.

For what it is worth, this ugly code was there before this patch :)

However, it seems that ata_host_alloc() allocates max_ports + 1:
https://github.com/torvalds/linux/blob/v6.10-rc5/drivers/ata/libata-core.c#L5568-L5570

So I think this should be safe....

But yes, super ugly...


Kind regards,
Niklas
diff mbox series

Patch

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 591020ea8989..a213a9c0d0a5 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5550,24 +5550,19 @@  EXPORT_SYMBOL_GPL(ata_host_put);
 /**
  *	ata_host_alloc - allocate and init basic ATA host resources
  *	@dev: generic device this host is associated with
- *	@max_ports: maximum number of ATA ports associated with this host
+ *	@n_ports: the number of ATA ports associated with this host
  *
  *	Allocate and initialize basic ATA host resources.  LLD calls
  *	this function to allocate a host, initializes it fully and
  *	attaches it using ata_host_register().
  *
- *	@max_ports ports are allocated and host->n_ports is
- *	initialized to @max_ports.  The caller is allowed to decrease
- *	host->n_ports before calling ata_host_register().  The unused
- *	ports will be automatically freed on registration.
- *
  *	RETURNS:
  *	Allocate ATA host on success, NULL on failure.
  *
  *	LOCKING:
  *	Inherited from calling layer (may sleep).
  */
-struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
+struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
 {
 	struct ata_host *host;
 	size_t sz;
@@ -5575,7 +5570,7 @@  struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
 	void *dr;
 
 	/* alloc a container for our list of ATA ports (buses) */
-	sz = sizeof(struct ata_host) + (max_ports + 1) * sizeof(void *);
+	sz = sizeof(struct ata_host) + (n_ports + 1) * sizeof(void *);
 	host = kzalloc(sz, GFP_KERNEL);
 	if (!host)
 		return NULL;
@@ -5595,11 +5590,11 @@  struct ata_host *ata_host_alloc(struct device *dev, int max_ports)
 	spin_lock_init(&host->lock);
 	mutex_init(&host->eh_mutex);
 	host->dev = dev;
-	host->n_ports = max_ports;
+	host->n_ports = n_ports;
 	kref_init(&host->kref);
 
 	/* allocate ports bound to this host */
-	for (i = 0; i < max_ports; i++) {
+	for (i = 0; i < n_ports; i++) {
 		struct ata_port *ap;
 
 		ap = ata_port_alloc(host);
@@ -5908,12 +5903,13 @@  int ata_host_register(struct ata_host *host, const struct scsi_host_template *sh
 		return -EINVAL;
 	}
 
-	/* Blow away unused ports.  This happens when LLD can't
-	 * determine the exact number of ports to allocate at
-	 * allocation time.
+	/*
+	 * For a driver using ata_host_register(), the ports are allocated by
+	 * ata_host_alloc(), which also allocates the host->ports array.
+	 * The number of array elements must match host->n_ports.
 	 */
 	for (i = host->n_ports; host->ports[i]; i++)
-		kfree(host->ports[i]);
+		WARN_ON(host->ports[i]);
 
 	/* give ports names and add SCSI hosts */
 	for (i = 0; i < host->n_ports; i++) {
diff --git a/include/linux/libata.h b/include/linux/libata.h
index 580971e11804..b7c5d3f33368 100644
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -1069,7 +1069,7 @@  extern int sata_std_hardreset(struct ata_link *link, unsigned int *class,
 			      unsigned long deadline);
 extern void ata_std_postreset(struct ata_link *link, unsigned int *classes);
 
-extern struct ata_host *ata_host_alloc(struct device *dev, int max_ports);
+extern struct ata_host *ata_host_alloc(struct device *dev, int n_ports);
 extern struct ata_host *ata_host_alloc_pinfo(struct device *dev,
 			const struct ata_port_info * const * ppi, int n_ports);
 extern void ata_host_get(struct ata_host *host);