diff mbox

tuners: tda8290: reduce stack usage with kasan

Message ID CAK8P3a01sOsWSw4t-x6rv+9pzbfhZtEMc6iwV54Xq-48h6CN=Q@mail.gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Arnd Bergmann Dec. 12, 2017, 10:24 a.m. UTC
On Mon, Dec 11, 2017 at 10:17 PM, Michael Ira Krufky
<mkrufky@linuxtv.org> wrote:
> On Mon, Dec 11, 2017 at 2:34 PM, Joe Perches <joe@perches.com> wrote:
>> On Mon, 2017-12-11 at 13:06 +0100, Arnd Bergmann wrote:
>>> With CONFIG_KASAN enabled, we get a relatively large stack frame in one function
>>>
>>> drivers/media/tuners/tda8290.c: In function 'tda8290_set_params':
>>> drivers/media/tuners/tda8290.c:310:1: warning: the frame size of 1520 bytes is larger than 1024 bytes [-Wframe-larger-than=]
>>>
>>> With CONFIG_KASAN_EXTRA this goes up to
>>>
>>> drivers/media/tuners/tda8290.c: In function 'tda8290_set_params':
>>> drivers/media/tuners/tda8290.c:310:1: error: the frame size of 3200 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
>>>
>>> We can significantly reduce this by marking local arrays as 'static const', and
>>> this should result in better compiled code for everyone.
>> []
>>> diff --git a/drivers/media/tuners/tda8290.c b/drivers/media/tuners/tda8290.c
>> []
>>> @@ -63,8 +63,8 @@ static int tda8290_i2c_bridge(struct dvb_frontend *fe, int close)
>>>  {
>>>       struct tda8290_priv *priv = fe->analog_demod_priv;
>>>
>>> -     unsigned char  enable[2] = { 0x21, 0xC0 };
>>> -     unsigned char disable[2] = { 0x21, 0x00 };
>>> +     static unsigned char  enable[2] = { 0x21, 0xC0 };
>>> +     static unsigned char disable[2] = { 0x21, 0x00 };
>>
>> Doesn't match commit message.
>>
>> static const or just static?
>>
>>> @@ -84,9 +84,9 @@ static int tda8295_i2c_bridge(struct dvb_frontend *fe, int close)
>>>  {
>>>       struct tda8290_priv *priv = fe->analog_demod_priv;
>>>
>>> -     unsigned char  enable[2] = { 0x45, 0xc1 };
>>> -     unsigned char disable[2] = { 0x46, 0x00 };
>>> -     unsigned char buf[3] = { 0x45, 0x01, 0x00 };
>>> +     static unsigned char  enable[2] = { 0x45, 0xc1 };
>>> +     static unsigned char disable[2] = { 0x46, 0x00 };
>>
>> etc.
>>
>>
>
>
> Joe is correct - they can be CONSTified. My bad -- a lot of the code I
> wrote many years ago has this problem -- I wasn't so stack-conscious
> back then.
>
> The bytes in `enable` / `disable` don't get changed, but they may be
> copied to another byte array that does get changed.  If would be best
> to make these `static const`

Right. This was an older patch of mine that I picked up again
after running into a warning that I had been ignoring for a while,
and I didn't double-check the message.

I actually thought about marking them 'const' here before sending
(without noticing the changelog text) and then ran into what must
have led me to drop the 'const' originally: tuner_i2c_xfer_send()
takes a non-const pointer. This can be fixed but it requires
an ugly cast:

        int ret = i2c_transfer(props->adap, msg, 2);

Should I submit it as a two-patch series with that added in, or update
the changelog to not mention 'const' instead?

       Arnd

Comments

Joe Perches Dec. 12, 2017, 11:42 a.m. UTC | #1
On Tue, 2017-12-12 at 11:24 +0100, Arnd Bergmann wrote:
> On Mon, Dec 11, 2017 at 10:17 PM, Michael Ira Krufky
> <mkrufky@linuxtv.org> wrote:
> > On Mon, Dec 11, 2017 at 2:34 PM, Joe Perches <joe@perches.com> wrote:
> > > On Mon, 2017-12-11 at 13:06 +0100, Arnd Bergmann wrote:
> > > > With CONFIG_KASAN enabled, we get a relatively large stack frame in one function
> > > > 
> > > > drivers/media/tuners/tda8290.c: In function 'tda8290_set_params':
> > > > drivers/media/tuners/tda8290.c:310:1: warning: the frame size of 1520 bytes is larger than 1024 bytes [-Wframe-larger-than=]
> > > > 
> > > > With CONFIG_KASAN_EXTRA this goes up to
> > > > 
> > > > drivers/media/tuners/tda8290.c: In function 'tda8290_set_params':
> > > > drivers/media/tuners/tda8290.c:310:1: error: the frame size of 3200 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
> > > > 
> > > > We can significantly reduce this by marking local arrays as 'static const', and
> > > > this should result in better compiled code for everyone.
> > > 
> > > []
> > > > diff --git a/drivers/media/tuners/tda8290.c b/drivers/media/tuners/tda8290.c
> > > 
> > > []
> > > > @@ -63,8 +63,8 @@ static int tda8290_i2c_bridge(struct dvb_frontend *fe, int close)
> > > >  {
> > > >       struct tda8290_priv *priv = fe->analog_demod_priv;
> > > > 
> > > > -     unsigned char  enable[2] = { 0x21, 0xC0 };
> > > > -     unsigned char disable[2] = { 0x21, 0x00 };
> > > > +     static unsigned char  enable[2] = { 0x21, 0xC0 };
> > > > +     static unsigned char disable[2] = { 0x21, 0x00 };
> > > 
> > > Doesn't match commit message.
> > > 
> > > static const or just static?
> > > 
> > > > @@ -84,9 +84,9 @@ static int tda8295_i2c_bridge(struct dvb_frontend *fe, int close)
> > > >  {
> > > >       struct tda8290_priv *priv = fe->analog_demod_priv;
> > > > 
> > > > -     unsigned char  enable[2] = { 0x45, 0xc1 };
> > > > -     unsigned char disable[2] = { 0x46, 0x00 };
> > > > -     unsigned char buf[3] = { 0x45, 0x01, 0x00 };
> > > > +     static unsigned char  enable[2] = { 0x45, 0xc1 };
> > > > +     static unsigned char disable[2] = { 0x46, 0x00 };
> > > 
> > > etc.
> > > 
> > > 
> > 
> > 
> > Joe is correct - they can be CONSTified. My bad -- a lot of the code I
> > wrote many years ago has this problem -- I wasn't so stack-conscious
> > back then.
> > 
> > The bytes in `enable` / `disable` don't get changed, but they may be
> > copied to another byte array that does get changed.  If would be best
> > to make these `static const`
> 
> Right. This was an older patch of mine that I picked up again
> after running into a warning that I had been ignoring for a while,
> and I didn't double-check the message.
> 
> I actually thought about marking them 'const' here before sending
> (without noticing the changelog text) and then ran into what must
> have led me to drop the 'const' originally: tuner_i2c_xfer_send()
> takes a non-const pointer. This can be fixed but it requires
> an ugly cast:

Casting away const is always a horrible hack.

Until it could be changed, my preference would
be to update the changelog and perhaps add to
the changelog the reason why it can not be const
as detailed below.

ie: xfer_send and xfer_xend_recv both take a
    non-const unsigned char *

> diff --git a/drivers/media/tuners/tuner-i2c.h b/drivers/media/tuners/tuner-i2c.h
> index bda67a5a76f2..809466eec780 100644
> --- a/drivers/media/tuners/tuner-i2c.h
> +++ b/drivers/media/tuners/tuner-i2c.h
> @@ -34,10 +34,10 @@ struct tuner_i2c_props {
>  };
> 
>  static inline int tuner_i2c_xfer_send(struct tuner_i2c_props *props,
> -                                     unsigned char *buf, int len)
> +                                     const unsigned char *buf, int len)
>  {
>         struct i2c_msg msg = { .addr = props->addr, .flags = 0,
> -                              .buf = buf, .len = len };
> +                              .buf = (unsigned char *)buf, .len = len };
>         int ret = i2c_transfer(props->adap, &msg, 1);
> 
>         return (ret == 1) ? len : ret;
> @@ -54,11 +54,11 @@ static inline int tuner_i2c_xfer_recv(struct
> tuner_i2c_props *props,
>  }
> 
>  static inline int tuner_i2c_xfer_send_recv(struct tuner_i2c_props *props,
> -                                          unsigned char *obuf, int olen,
> +                                          const unsigned char *obuf, int olen,
>                                            unsigned char *ibuf, int ilen)
>  {
>         struct i2c_msg msg[2] = { { .addr = props->addr, .flags = 0,
> -                                   .buf = obuf, .len = olen },
> +                                   .buf = (unsigned char *)obuf, .len = olen },
>                                   { .addr = props->addr, .flags = I2C_M_RD,
>                                     .buf = ibuf, .len = ilen } };
>         int ret = i2c_transfer(props->adap, msg, 2);
> 
> Should I submit it as a two-patch series with that added in, or update
> the changelog to not mention 'const' instead?
> 
>        Arnd
Mauro Carvalho Chehab Dec. 12, 2017, 12:45 p.m. UTC | #2
Em Tue, 12 Dec 2017 03:42:32 -0800
Joe Perches <joe@perches.com> escreveu:

> > I actually thought about marking them 'const' here before sending
> > (without noticing the changelog text) and then ran into what must
> > have led me to drop the 'const' originally: tuner_i2c_xfer_send()
> > takes a non-const pointer. This can be fixed but it requires
> > an ugly cast:  
> 
> Casting away const is always a horrible hack.
> 
> Until it could be changed, my preference would
> be to update the changelog and perhaps add to
> the changelog the reason why it can not be const
> as detailed below.
> 
> ie: xfer_send and xfer_xend_recv both take a
>     non-const unsigned char *

Perhaps, on a separate changeset, we could change I2C routines to
accept const unsigned char pointers. This is unrelated to tda8290
KASAN fixes. So, it should go via I2C tree, and, once accepted
there, we can change V4L2 drivers (and other drivers) accordingly.


Thanks,
Mauro
Arnd Bergmann Dec. 12, 2017, 2:21 p.m. UTC | #3
On Tue, Dec 12, 2017 at 1:45 PM, Mauro Carvalho Chehab
<mchehab@kernel.org> wrote:
> Em Tue, 12 Dec 2017 03:42:32 -0800
> Joe Perches <joe@perches.com> escreveu:
>
>> > I actually thought about marking them 'const' here before sending
>> > (without noticing the changelog text) and then ran into what must
>> > have led me to drop the 'const' originally: tuner_i2c_xfer_send()
>> > takes a non-const pointer. This can be fixed but it requires
>> > an ugly cast:
>>
>> Casting away const is always a horrible hack.
>>
>> Until it could be changed, my preference would
>> be to update the changelog and perhaps add to
>> the changelog the reason why it can not be const
>> as detailed below.
>>
>> ie: xfer_send and xfer_xend_recv both take a
>>     non-const unsigned char *

Ok.

> Perhaps, on a separate changeset, we could change I2C routines to
> accept const unsigned char pointers. This is unrelated to tda8290
> KASAN fixes. So, it should go via I2C tree, and, once accepted
> there, we can change V4L2 drivers (and other drivers) accordingly.

I don't see how that would work unfortunately. i2c_msg contains
a pointer to the data, and that is used for both input and output,
including arrays like

        struct i2c_msg msgs[] = {
                {
                        .addr = dvo->slave_addr,
                        .flags = 0,
                        .len = 1,
                        .buf = &addr,
                },
                {
                        .addr = dvo->slave_addr,
                        .flags = I2C_M_RD,
                        .len = 1,
                        .buf = val,
                }
        };

that have one constant output pointer and one non-constant
input pointer. We could add an anonymous union for 'buf'
to make that two separate pointers, but that's barely any
better than the cast, and it would break the named initializers
in the example above, at least on older compilers. Adding
a second pointer to i2c_msg would add a bit of bloat and
also require tree-wide changes or ugly hacks.

       Arnd
Joe Perches Dec. 12, 2017, 4:02 p.m. UTC | #4
On Tue, 2017-12-12 at 15:21 +0100, Arnd Bergmann wrote:
> On Tue, Dec 12, 2017 at 1:45 PM, Mauro Carvalho Chehab
> <mchehab@kernel.org> wrote:
> > Em Tue, 12 Dec 2017 03:42:32 -0800
> > Joe Perches <joe@perches.com> escreveu:
> > 
> > > > I actually thought about marking them 'const' here before sending
> > > > (without noticing the changelog text) and then ran into what must
> > > > have led me to drop the 'const' originally: tuner_i2c_xfer_send()
> > > > takes a non-const pointer. This can be fixed but it requires
> > > > an ugly cast:
> > > 
> > > Casting away const is always a horrible hack.
> > > 
> > > Until it could be changed, my preference would
> > > be to update the changelog and perhaps add to
> > > the changelog the reason why it can not be const
> > > as detailed below.
> > > 
> > > ie: xfer_send and xfer_xend_recv both take a
> > >     non-const unsigned char *
> 
> Ok.
> 
> > Perhaps, on a separate changeset, we could change I2C routines to
> > accept const unsigned char pointers. This is unrelated to tda8290
> > KASAN fixes. So, it should go via I2C tree, and, once accepted
> > there, we can change V4L2 drivers (and other drivers) accordingly.
> 
> I don't see how that would work unfortunately. i2c_msg contains
> a pointer to the data, and that is used for both input and output,
> including arrays like
> 
>         struct i2c_msg msgs[] = {
>                 {
>                         .addr = dvo->slave_addr,
>                         .flags = 0,
>                         .len = 1,
>                         .buf = &addr,
>                 },
>                 {
>                         .addr = dvo->slave_addr,
>                         .flags = I2C_M_RD,
>                         .len = 1,
>                         .buf = val,
>                 }
>         };
> 
> that have one constant output pointer and one non-constant
> input pointer. We could add an anonymous union for 'buf'
> to make that two separate pointers, but that's barely any
> better than the cast, and it would break the named initializers
> in the example above, at least on older compilers. Adding
> a second pointer to i2c_msg would add a bit of bloat and
> also require tree-wide changes or ugly hacks.

Perhaps add something like

struct i2c_msg_set {
	__u16 addr;		/* slave address			*/
	__u16 flags;
	__u16 len;		/* msg length				*/
	const __u8 *buf;	/* pointer to read-only msg data	*/
};

struct i2c_msg_get {
	__u16 addr;		/* slave address			*/
	__u16 flags;
	__u16 len;		/* msg length				*/
	__u8 *buf;		/* pointer to writeable msg data	*/
};

to the uapi include and use that where appropriate
but where a write then read is done via a single
i2c_msg array, it's not really feasible either.

Probably better to avoid any churn and just mark
all these as static rather than static const.
diff mbox

Patch

diff --git a/drivers/media/tuners/tuner-i2c.h b/drivers/media/tuners/tuner-i2c.h
index bda67a5a76f2..809466eec780 100644
--- a/drivers/media/tuners/tuner-i2c.h
+++ b/drivers/media/tuners/tuner-i2c.h
@@ -34,10 +34,10 @@  struct tuner_i2c_props {
 };

 static inline int tuner_i2c_xfer_send(struct tuner_i2c_props *props,
-                                     unsigned char *buf, int len)
+                                     const unsigned char *buf, int len)
 {
        struct i2c_msg msg = { .addr = props->addr, .flags = 0,
-                              .buf = buf, .len = len };
+                              .buf = (unsigned char *)buf, .len = len };
        int ret = i2c_transfer(props->adap, &msg, 1);

        return (ret == 1) ? len : ret;
@@ -54,11 +54,11 @@  static inline int tuner_i2c_xfer_recv(struct
tuner_i2c_props *props,
 }

 static inline int tuner_i2c_xfer_send_recv(struct tuner_i2c_props *props,
-                                          unsigned char *obuf, int olen,
+                                          const unsigned char *obuf, int olen,
                                           unsigned char *ibuf, int ilen)
 {
        struct i2c_msg msg[2] = { { .addr = props->addr, .flags = 0,
-                                   .buf = obuf, .len = olen },
+                                   .buf = (unsigned char *)obuf, .len = olen },
                                  { .addr = props->addr, .flags = I2C_M_RD,
                                    .buf = ibuf, .len = ilen } };