Re: [PATCH bpf v3] net/xdp: fix zero-size allocation warning in xskq_create()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/6/23 4:24 PM, Andrew Kanner wrote:
Thanks for the explanation, so iiuc it means it will overflow the
struct_size() first because of the is_power_of_2(nentries) requirement?
Could you help adding some comment to explain? Thanks.

The overflow happens because there's no upper limit for nentries
(userspace input). Let me add more context, e.g. from net/xdp/xsk.c:

static int xsk_setsockopt(struct socket *sock, int level, int optname,
                           sockptr_t optval, unsigned int optlen)
{
[...]
                 if (copy_from_sockptr(&entries, optval, sizeof(entries)))
                         return -EFAULT;
[...]
                 err = xsk_init_queue(entries, q, false);
[...]
}

'entries' is passed to xsk_init_queue() and there're 2 checks: for 0
and is_power_of_2() only, no upper bound check:

static int xsk_init_queue(u32 entries, struct xsk_queue **queue,
                           bool umem_queue)
{
         struct xsk_queue *q;

         if (entries == 0 || *queue || !is_power_of_2(entries))
                 return -EINVAL;

         q = xskq_create(entries, umem_queue);
         if (!q)
                 return -ENOMEM;
[...]
}

The 'entries' value is next passed to struct_size() in
net/xdp/xsk_queue.c. If it's large enough - SIZE_MAX will be returned.

All make sense. I was mostly asking to add a comment at the "if (unlikely(size == SIZE_MAX)" check to explain this details on why checking SIZE_MAX is enough.




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux