On 10/27/22 08:31, Andi Kleen wrote:
>
>> +/* Calculate the actual TDMR_INFO size */ >> +static inline int cal_tdmr_size(void) >> +{ >> + int tdmr_sz; >> + >> + /* >> + * The actual size of TDMR_INFO depends on the maximum number >> + * of reserved areas. >> + */ >> + tdmr_sz = sizeof(struct tdmr_info); >> + tdmr_sz += sizeof(struct tdmr_reserved_area) * >> + tdx_sysinfo.max_reserved_per_tdmr;
>
> would seem safer to have an overflow check here.

tdmr_reserved_area is 16 bytes. To overflow a signed int, tdmr_sz would need to be for an allocation >2GB. alloc_pages_exact() tops out at supplying 4MB allocations.

So, sure, this breaks at max_reserved_per_tdmr>2^27, but it actually breaks *EARLIER* at max_reserved_per_tdmr>2^18 because the page allocator is borked. Plus, max_reserved_per_tdmr is barely in double digits today. It's a *LOOOOOOOOONG* way from either of those limits.

If you want to add a warning here, then go for it and enforce a sane value on max_reserved_per_tdmr. But, the overflow is *LITERALLY* an order of magnitude more obscure than overwhelming the page allocator. Let's not clutter up the code with silly checks like that.
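
Review bot: In cal_tdmr_size() the size is accumulated in a signed int (`int tdmr_sz`, and the function returns int) although the sizeof() expressions it is built from are size_t, so the value is silently narrowed on assignment. Making tdmr_sz and the return type size_t would remove the narrowing without adding any check to this helper, and a single bound on tdx_sysinfo.max_reserved_per_tdmr at the point where tdx_sysinfo is filled in would cover every later use of that field, this multiplication included. As a smaller point, the name would read more clearly as calc_tdmr_size().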