korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-16 00:34:20 +08:00
Code Issues Packages Projects Releases Wiki Activity
e7706c4bbf
linux/drivers/infiniband/core
History
Gustavo A. R. Silva aa4d540b41 RDMA/core: Fix multiple -Warray-bounds warnings 
GCC-13 (and Clang)[1] does not like to access a partially allocated
object, since it cannot reason about it for bounds checking.

In this case 140 bytes are allocated for an object of type struct
ib_umad_packet:

        packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL);

However, notice that sizeof(*packet) is only 104 bytes:

struct ib_umad_packet {
        struct ib_mad_send_buf *   msg;                  /*     0     8 */
        struct ib_mad_recv_wc *    recv_wc;              /*     8     8 */
        struct list_head           list;                 /*    16    16 */
        int                        length;               /*    32     4 */

        /* XXX 4 bytes hole, try to pack */

        struct ib_user_mad         mad __attribute__((__aligned__(8))); /*    40    64 */

        /* size: 104, cachelines: 2, members: 5 */
        /* sum members: 100, holes: 1, sum holes: 4 */
        /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */
        /* last cacheline: 40 bytes */
} __attribute__((__aligned__(8)));

and 36 bytes extra bytes are allocated for a flexible-array member in
struct ib_user_mad:

include/rdma/ib_mad.h:
120 enum {
...
123         IB_MGMT_RMPP_HDR = 36,
... }

struct ib_user_mad {
        struct ib_user_mad_hdr     hdr;                  /*     0    64 */
        /* --- cacheline 1 boundary (64 bytes) --- */
        __u64                      data[] __attribute__((__aligned__(8))); /*    64     0 */

        /* size: 64, cachelines: 1, members: 2 */
        /* forced alignments: 1 */
} __attribute__((__aligned__(8)));

So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes

Then the address of the flex-array member (for which only 36 bytes were
allocated) is casted and copied into a pointer to struct ib_rmpp_mad,
which, in turn, is of size 256 bytes:

        rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;

struct ib_rmpp_mad {
        struct ib_mad_hdr          mad_hdr;              /*     0    24 */
        struct ib_rmpp_hdr         rmpp_hdr;             /*    24    12 */
        u8                         data[220];            /*    36   220 */

        /* size: 256, cachelines: 4, members: 3 */
};

The thing is that those 36 bytes allocated for flex-array member data
in struct ib_user_mad onlly account for the size of both struct ib_mad_hdr
and struct ib_rmpp_hdr, but nothing is left for array u8 data[220].
So, the compiler is legitimately complaining about accessing an object
for which not enough memory was allocated.

Apparently, the only members of struct ib_rmpp_mad that are relevant
(that are actually being used) in function ib_umad_write() are mad_hdr
and rmpp_hdr. So, instead of casting packet->mad.data to
(struct ib_rmpp_mad *) create a new structure

struct ib_rmpp_mad_hdr {
        struct ib_mad_hdr       mad_hdr;
        struct ib_rmpp_hdr      rmpp_hdr;
} __packed;

and cast packet->mad.data to (struct ib_rmpp_mad_hdr *).

Notice that

        IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes

Refactor the rest of the code, accordingly.

Fix the following warnings seen under GCC-13 and -Warray-bounds:
drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]

Link: https://github.com/KSPP/linux/issues/273
Link: https://godbolt.org/z/oYWaGM4Yb [1]
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work
Signed-off-by: Leon Romanovsky <leon@kernel.org>
2023-03-23 12:19:01 +02:00
..
addr.c RDMA/core: Delete useless module.h include 2022-01-28 13:03:12 -04:00
agent.c
agent.h
cache.c RDMA/core: fix repeated words in comments 2022-10-24 14:47:19 +03:00
cgroup.c
cm_msgs.h RDMA/core: Add necessary spaces 2021-04-12 14:52:22 -03:00
cm_trace.c RDMA/cm: Replace pr_debug() call sites with tracepoints 2020-08-24 19:41:41 -03:00
cm_trace.h trace: Relocate event helper files 2022-12-10 11:01:12 -05:00
cm.c RDMA/cm: Make QP FLUSHABLE for supported device 2022-12-09 19:36:02 -04:00
cma_configfs.c IB: move from strlcpy with unused retval to strscpy 2022-08-21 14:18:02 +03:00
cma_priv.h RDMA/core: Add an rb_tree that stores cm_ids sorted by ifindex and remote IP 2022-06-16 09:54:35 +03:00
cma_trace.c
cma_trace.h trace: Relocate event helper files 2022-12-10 11:01:12 -05:00
cma.c RDMA/cma: Distinguish between sockaddr_in and sockaddr_in6 by size 2023-02-16 11:20:20 -04:00
core_priv.h RDMA/core: Create clean QP creations interface for uverbs 2021-08-03 15:26:19 -03:00
counters.c RDMA/counter: Add optional counter support 2021-10-12 12:48:05 -03:00
cq.c RDMA/core: Delete useless module.h include 2022-01-28 13:03:12 -04:00
device.c Driver Core changes for 6.2-rc1 2022-12-16 03:54:54 -08:00
ib_core_uverbs.c
iwcm.c RDMA/iwcm: Release resources if iw_cm module initialization fails 2021-07-30 10:01:40 -03:00
iwcm.h RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private 2021-06-08 14:35:44 -03:00
iwpm_msg.c RDMA/iwpm: Rely on the rdma_nl_[un]register() to ensure that requests are valid 2021-07-30 10:01:41 -03:00
iwpm_util.c RDMA/iwpm: Remove redundant initialization of pointer err_str 2021-10-12 13:11:46 -03:00
iwpm_util.h RDMA/core: Delete useless module.h include 2022-01-28 13:03:12 -04:00
lag.c RDMA/core: Remove 'device' argument from rdma_build_skb() 2022-08-28 14:29:07 +03:00
mad_priv.h RDMA/core: Remove refcount from struct ib_mad_snoop_private 2021-06-08 14:43:28 -03:00
mad_rmpp.c RDMA/core: Remove redundant spaces 2021-04-12 14:56:48 -03:00
mad_rmpp.h
mad.c IB/mad: Don't call to function that might sleep while in atomic context 2022-11-10 10:57:15 +02:00
Makefile RDMA/umem: Support importing dma-buf as user memory region 2021-01-20 16:07:52 -04:00
mr_pool.c
multicast.c RDMA/core: Use refcount_t instead of atomic_t on refcount of mcast_port 2021-06-08 14:45:07 -03:00
netlink.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
nldev.c Linux 6.1-rc8 2022-12-09 15:52:17 -04:00
opa_smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
packer.c
rdma_core.c RDMA: Correct duplicated words in comments 2022-06-24 16:52:28 -03:00
rdma_core.h IB/uverbs: Introduce create/destroy QP commands over ioctl 2020-05-21 20:39:36 -03:00
restrack.c RDMA/restrack: Release MR restrack when delete 2022-11-15 09:56:32 +02:00
restrack.h RDMA/restrack: Improve readability in task name management 2020-09-22 19:47:35 -03:00
roce_gid_mgmt.c IB: Fix repeated words 'the the' comments 2022-07-22 12:02:29 -03:00
rw.c RDMA/rw: drop pci_p2pdma_[un]map_sg() 2022-07-26 07:28:07 -04:00
sa_query.c RDMA/cma: Refactor the inbound/outbound path records process flow 2023-01-10 10:49:50 +02:00
sa.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
security.c IB/core: Removed port validity check from ib_get_cached_subnet_prefix 2021-06-21 20:49:32 -03:00
smi.c RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
smi.h RDMA: Support more than 255 rdma ports 2021-03-26 09:31:21 -03:00
sysfs.c RDMA/core: Make sure "ib_port" is valid when access sysfs node 2022-11-15 09:56:39 +02:00
trace.c RDMA/core: Clean up tracepoint headers 2020-07-06 14:54:46 -03:00
ucma.c RDMA/core: Rename rdma_route.num_paths field to num_pri_alt_paths 2022-09-22 12:35:13 +03:00
ud_header.c RDMA/core: Fix incorrect print format specifier 2021-06-21 15:38:30 -03:00
umem_dmabuf.c RDMA/umem: Use dma-buf locked API to solve deadlock 2023-01-31 10:24:49 -04:00
umem_odp.c Linux 6.0 2022-10-06 19:48:45 -03:00
umem.c RDMA/umem: remove FOLL_FORCE usage 2022-11-30 15:58:58 -08:00
user_mad.c RDMA/core: Fix multiple -Warray-bounds warnings 2023-03-23 12:19:01 +02:00
uverbs_cmd.c IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers 2022-09-22 12:46:39 +03:00
uverbs_ioctl.c RDMA/core: Add UVERBS_ATTR_RAW_FD 2022-09-27 10:15:24 -03:00
uverbs_main.c driver core: make struct class.devnode() take a const * 2022-11-24 17:12:27 +01:00
uverbs_marshall.c RDMA/core: Don't infoleak GRH fields 2022-01-05 16:30:19 -04:00
uverbs_std_types_async_fd.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_std_types_counters.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_cq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_device.c RDMA/uverbs: Fix a NULL vs IS_ERR() bug 2021-05-19 15:32:07 -03:00
uverbs_std_types_dm.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_flow_action.c RDMA/core: Delete IPsec flow action logic from the core 2022-04-09 08:25:06 +03:00
uverbs_std_types_mr.c RDMA/uverbs: Track dmabuf memory regions 2021-08-19 09:59:53 -03:00
uverbs_std_types_qp.c IB/uverbs: fix the typo of optional 2022-10-19 09:46:45 +03:00
uverbs_std_types_srq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types_wq.c RDMA/core: Postpone uobject cleanup on failure till FD close 2020-11-12 12:32:17 -04:00
uverbs_std_types.c RDMA/core: Make FD destroy callback void 2020-11-12 12:32:17 -04:00
uverbs_uapi.c RDMA/uverbs: Check for null return of kmalloc_array 2022-01-05 14:16:53 -04:00
uverbs.h RDMA/core: Use refcount_t instead of atomic_t on refcount of ib_uverbs_device 2021-06-08 15:04:36 -03:00
verbs.c RDMA/core: Fix ib block iterator counter overflow 2023-01-10 12:21:39 +02:00