On Mon 20-01-20 18:43:43, Daniel Axtens wrote: > kmalloc is sometimes compiled with an size that at compile time may be > equal to SIZE_MAX. > > For example, struct_size(struct, array member, array elements) returns the > size of a structure that has an array as the last element, containing a > given number of elements, or SIZE_MAX on overflow. > > However, struct_size operates in (arguably) unintuitive ways at compile time. > Consider the following snippet: > > struct foo { > int a; > int b[0]; > }; > > struct foo *alloc_foo(int elems) > { > struct foo *result; > size_t size = struct_size(result, b, elems); > if (__builtin_constant_p(size)) { > BUILD_BUG_ON(size == SIZE_MAX); > } > result = kmalloc(size, GFP_KERNEL); > return result; > } > > I expected that size would only be constant if alloc_foo() was called > within that translation unit with a constant number of elements, and the > compiler had decided to inline it. I'd therefore expect that 'size' is only > SIZE_MAX if the constant provided was a huge number. > > However, instead, this function hits the BUILD_BUG_ON, even if never > called. > > include/linux/compiler.h:394:38: error: call to ‘__compiletime_assert_32’ declared with attribute error: BUILD_BUG_ON failed: size == SIZE_MAX This sounds more like a bug to me. Have you tried to talk to compiler guys? > This is with gcc 9.2.1, and I've also observed it with an gcc 8 series > compiler. > > My best explanation of this is: > > - elems is a signed int, so a small negative number will become a very > large unsigned number when cast to a size_t, leading to overflow. > > - Then, the only way in which size can be a constant is if we hit the > overflow case, in which 'size' will be 'SIZE_MAX'. > > - So the compiler takes that value into the body of the if statement and > blows up. > > But I could be totally wrong. > > Anyway, this is relevant to slab.h because kmalloc() and kmalloc_node() > check if the supplied size is a constant and take a faster path if so. A > number of callers of those functions use struct_size to determine the size > of a memory allocation. Therefore, at compile time, those functions will go > down the constant path, specialising for the overflow case. > > When my next patch is applied, gcc will then throw a warning any time > kmalloc_large could be called with a SIZE_MAX size, as gcc deems SIZE_MAX > to be too big an allocation. > > So, make functions that check __builtin_constant_p check also against > SIZE_MAX in the constant path, and immediately return NULL if we hit it. I am not sure I am happy about an additional conditional path in the hot path of the allocator. Especially when we already have a check for KMALLOC_MAX_CACHE_SIZE. -- Michal Hocko SUSE Labs