On 11/3/21 9:00 am, Hugh Dickins wrote:
> On Thu, 11 Mar 2021, Singh, Balbir wrote:
>> On 9/3/21 7:28 pm, Michal Hocko wrote:
>>> On Tue 09-03-21 09:37:29, Balbir Singh wrote:
>>>> On 4/3/21 6:40 pm, Zhou Guanghui wrote:
>>> [...]
>>>>> -#ifdef CONFIG_TRANSPARENT_HUGEPAGE
>>>>> /*
>>>>> - * Because page_memcg(head) is not set on compound tails, set it now.
>>>>> + * Because page_memcg(head) is not set on tails, set it now.
>>>>> */
>>>>> -void mem_cgroup_split_huge_fixup(struct page *head)
>>>>> +void split_page_memcg(struct page *head, unsigned int nr)
>>>>> {
>>>>
>>>> Do we need input validation on nr? Can nr be arbitrary or can we enforce
>>>>
>>>> VM_BUG_ON(!is_power_of_2(nr));
>>>
>>> In practice this will be power of 2 but why should we bother to sanitize
>>> that?
>>>
>>
>> Just when DEBUG_VM is enabled to ensure the contract is valid, given that
>> nr is now variable, we could end up with subtle bugs unless we can audit
>> all callers. Even the power of 2 check does not catch the fact that nr
>> is indeed what we expect, but it still checks a large range of invalid
>> inputs.
>
> I think you imagine this is something it's not.
>
> "all callers" are __split_huge_page() and split_page() (maybe Matthew
> will have a third caller, maybe not). It is not something drivers will
> be calling directly themselves, and it won't ever get EXPORTed to them.
>

Don't feel strongly about it if that is the case.

Thanks,
Balbir Singh
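
Review bot: The comment above split_page_memcg() does not say what nr counts or which values are valid, even though the new signature `void split_page_memcg(struct page *head, unsigned int nr)` makes it caller-supplied. Consider stating the contract in that comment (per the thread, nr is a power of 2 in practice and the callers are __split_huge_page() and split_page()); if a debug-only guard is wanted, `VM_BUG_ON(!is_power_of_2(nr));` at the top of the body, as proposed in the reply, would document it in code. The hunk also removes `#ifdef CONFIG_TRANSPARENT_HUGEPAGE` and the matching #endif is not visible here, so it is worth confirming that it is dropped as well.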