| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c486a1cf98a8b9ad093270543e8d2007@gmail.com>
Date: Mon, 28 Oct 2024 13:04:10 +0100
From: matteomartelli3@...il.com
To: linux-kernel@...r.kernel.org
Cc: Peter Zijlstra <peterz@...radead.org>, Jonathan Cameron <jic23@...nel.org>, Marc Gonzalez <marc.w.gonzalez@...e.fr>, Peter Rosin <peda@...ntia.se>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Joe Perches <joe@...ches.com>, Rafael J. Wysocki <rafael@...nel.org>, linux-iio@...r.kernel.org
Subject: iio, syfs, devres: devm_kmalloc not aligned to pow2 size argument
Hi everyone,
I found an issue that might interest iio, sysfs and devres, about a
particular usage of devm_kmalloc() for buffers that later pass through
sysfs_emit() or sysfs_emit_at(). These sysfs helpers require the output
buffer to be PAGE_SIZE aligned since commit 2efc459d06f1 ("sysfs: Add
sysfs_emit and sysfs_emit_at to format sysfs output"). Such requirement
is satisfied when kmalloc(PAGE_SIZE, ...) is used but not when
devm_kmalloc(PAGE_SIZE,...) is used as it actually returns a pointer to
a buffer located after the devres metadata and thus aligned to
PAGE_SIZE+sizeof(struct devres).
Specifically, I came across this issue during some testing of the
pac1921 iio driver together with the iio-mux iio consumer driver, which
allocates a page sized buffer to copy the ext_info of the producer
pac1921 iio producer driver. To fill the buffer, the latter calls
iio_format_value(), and so sysfs_emit_at() which fails due to the buffer
not being page aligned. This pattern seems common for many iio drivers
which fill the ext_info attributes through sysfs_emit*() helpers, likely
necessary as they are exposed on sysfs.
I could reproduce the same error behavior with a minimal dummy char
device driver completely unrelated to iio. I will share the entire dummy
driver code if needed but essentially this is the only interesting part:
data->info_buf = devm_kzalloc(data->dev, PAGE_SIZE, GFP_KERNEL);
if (!data->info_buf)
return -ENOMEM;
if (offset_in_page(data->info_buf))
pr_err("dummy_test: buf not page algined\n");
When running this, the error message is printed out for the reason above.
I am not sure whether this should be addressed in the users of
devm_kmalloc() or in the devres implementation itself. I would say that
it would be more clear if devm_kmalloc() would return the pointer to the
size aligned buffer, as it would also comply to the following kmalloc
requirement (introduced in [1]):
The address of a chunk allocated with `kmalloc` is aligned to at least
ARCH_KMALLOC_MINALIGN bytes. For sizes of power of two bytes, the
alignment is also guaranteed to be at least to the respective size.
To do so I was thinking to try to move the devres metadata after the
data buffer, so that the latter would directly correspond to pointer
returned by kmalloc. I then found out that it had been already suggested
previously to address a memory optimization [2]. Thus I am reporting the
issue before submitting any patch as some discussions might be helpful
first.
I am sending this to who I think might be interested based on previous
related activity. Feel free to extend the cc list if needed.
[1]: https://lore.kernel.org/all/20190826111627.7505-3-vbabka@suse.cz/
[2]: https://lore.kernel.org/all/20191220140655.GN2827@hirez.programming.kicks-ass.net/
Best regard,
Matteo Martelli
Powered by blists - more mailing lists