Message-ID: <cf9573c2-5fb7-4417-8ff0-eef4172621fb@kernel.org>
Date: Sat, 8 Nov 2025 10:49:34 -0500
From: Chuck Lever <cel@...nel.org>
To: NeilBrown <neil@...wn.name>, David Laight <david.laight.linux@...il.com>
Cc: "stable@...r.kernel.org" <stable@...r.kernel.org>,
 Andrew Morton <akpm@...ux-foundation.org>,
 David Laight <David.Laight@...LAB.COM>,
 Linux NFS Mailing List <linux-nfs@...r.kernel.org>,
 Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
 speedcracker@...mail.com
Subject: Re: Compile Error fs/nfsd/nfs4state.o - clamp() low limit slotsize
 greater than high limit total_avail/scale_factor

On 11/7/25 5:49 PM, NeilBrown wrote:
> On Fri, 07 Nov 2025, David Laight wrote:
>> On Fri, 07 Nov 2025 22:17:20 +1100
>> NeilBrown <neilb@...mail.net> wrote:
>>
>>> On Fri, 07 Nov 2025, David Laight wrote:
>>>> On Thu, 6 Nov 2025 09:33:28 -0500
>>>> Chuck Lever <cel@...nel.org> wrote:
>>>>   
>>>>> FYI
>>>>>
>>>>> https://bugzilla.kernel.org/show_bug.cgi?id=220745  
>>>>
>>>> Ugg - that code is horrid.
>>>> It seems to have got deleted since, but it is:
>>>>
>>>> 	u32 slotsize = slot_bytes(ca);
>>>> 	u32 num = ca->maxreqs;
>>>> 	unsigned long avail, total_avail;
>>>> 	unsigned int scale_factor;
>>>>
>>>> 	spin_lock(&nfsd_drc_lock);
>>>> 	if (nfsd_drc_max_mem > nfsd_drc_mem_used)
>>>> 		total_avail = nfsd_drc_max_mem - nfsd_drc_mem_used;
>>>> 	else
>>>> 		/* We have handed out more space than we chose in
>>>> 		 * set_max_drc() to allow.  That isn't really a
>>>> 		 * problem as long as that doesn't make us think we
>>>> 		 * have lots more due to integer overflow.
>>>> 		 */
>>>> 		total_avail = 0;
>>>> 	avail = min((unsigned long)NFSD_MAX_MEM_PER_SESSION, total_avail);
>>>> 	/*
>>>> 	 * Never use more than a fraction of the remaining memory,
>>>> 	 * unless it's the only way to give this client a slot.
>>>> 	 * The chosen fraction is either 1/8 or 1/number of threads,
>>>> 	 * whichever is smaller.  This ensures there are adequate
>>>> 	 * slots to support multiple clients per thread.
>>>> 	 * Give the client one slot even if that would require
>>>> 	 * over-allocation--it is better than failure.
>>>> 	 */
>>>> 	scale_factor = max_t(unsigned int, 8, nn->nfsd_serv->sv_nrthreads);
>>>>
>>>> 	avail = clamp_t(unsigned long, avail, slotsize,
>>>> 			total_avail/scale_factor);
>>>> 	num = min_t(int, num, avail / slotsize);
>>>> 	num = max_t(int, num, 1);
>>>>
>>>> Let's rework it a bit...
>>>> 	if (nfsd_drc_max_mem > nfsd_drc_mem_used) {
>>>> 		total_avail = nfsd_drc_max_mem - nfsd_drc_mem_used;
>>>> 		avail = min(NFSD_MAX_MEM_PER_SESSION, total_avail);
>>>> 		avail = clamp(avail, n + sizeof(xxx), total_avail/8)
>>>> 	} else {
>>>> 		total_avail = 0;
>>>> 		avail = 0;
>>>> 		avail = clamp(0, n + sizeof(xxx), 0);
>>>> 	}
>>>>
>>>> Neither of those clamp() are sane at all - should be clamp(val, lo, hi)
>>>> with 'lo <= hi' otherwise the result is dependent on the order of the
>>>> comparisons.
>>>> The compiler sees the second one and rightly bleats.  
>>>
>>> In fact only gcc-9 bleats.
>>
>> That is probably why it didn't get picked up earlier.
>>
>>> gcc-7 gcc-10 gcc-13 gcc-15
>>> all seem to think it is fine.
>>
>> Which, of course, it isn't...
> 
> I've now had a proper look at your analysis of the code - thanks.
> 
> I agree that the code is unclear (at best) and that if it were still
> upstream I would want to fix it.  However it does function correctly.
> 
> As you say, when min > max, the result of clamp(val, min, max) depends
> on the order of comparison, and we know what the order of comparison is
> because we can look at the code for clamp().
> 
> Currently it is 
> 
> 	((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val)))
> 
> which will use max when max is below val and min.
> Previously it was 
> 	min((typeof(val))max(val, lo), hi)
> which also will use max when it is below val and min
> 
> Before that it was 
> #define clamp_t(type, val, min, max) ({                \
>        type __val = (val);                     \
>        type __min = (min);                     \
>        type __max = (max);                     \
>        __val = __val < __min ? __min: __val;   \
>        __val > __max ? __max: __val; })
> 
> which also uses max when that is less than val and min.
> 
> So I think the nfsd code has always worked correctly.  That is not
> sufficient for mainline - there we want it to also be robust and
> maintainable. But for stable kernels it should be sufficient.
> Adding a patch to "stable" kernels which causes working code to fail to
> compile does not seem, to me, to be in the spirit of "stability".
> (Having the "clamp" checking in mainline, finding problems there,
> and backporting the fixes to stable seems to me to be the best way
> to use these checking improvements to improve "stable").

I agree with Neil. The LTS code was building and working rather
universally until recently. The less risky approach is to leave this
code unchanged and seek another remedy for the OP.


-- 
Chuck Lever
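
Added example, not code from any poster or from the kernel tree: the three clamp() orderings quoted above rewritten as plain C functions, swept over inputs with lo > hi, then plugged into the quoted nfsd slot calculation. The function names, the per_session argument standing in for NFSD_MAX_MEM_PER_SESSION, and all numeric inputs are constructed for illustration; the sweep also covers val below hi, a case the thread does not discuss.

```c
#include <stdio.h>
typedef unsigned long ul;

/* The three clamp() orderings quoted in the thread, newest first. */
static ul clamp_current(ul val, ul lo, ul hi)
{
	return val >= hi ? hi : (val <= lo ? lo : val);
}
static ul clamp_minmax(ul val, ul lo, ul hi)
{
	ul m = val > lo ? val : lo;	/* max(val, lo) */
	return m < hi ? m : hi;		/* min(max(val, lo), hi) */
}
static ul clamp_oldest(ul val, ul lo, ul hi)
{
	val = val < lo ? lo : val;
	return val > hi ? hi : val;
}

/* Sweep lo > hi, counting inputs where some variant does not return hi.
 * hi_lowest=1 keeps val > hi (the case named in the thread), 0 keeps val < hi. */
static int not_hi(int hi_lowest)
{
	int n = 0;
	for (ul hi = 1; hi < 16; hi++)
		for (ul lo = hi + 1; lo < 18; lo++)
			for (ul val = 0; val < 20; val++)
				if (hi_lowest ? val > hi : val < hi)
					n += clamp_current(val, lo, hi) != hi ||
					     clamp_minmax(val, lo, hi) != hi ||
					     clamp_oldest(val, lo, hi) != hi;
	return n;
}

/* Slot count as in the quoted nfsd code; per_session stands in for
 * NFSD_MAX_MEM_PER_SESSION and every value passed by callers is constructed. */
static ul nfsd_slots(ul (*clamp)(ul, ul, ul), ul total_avail, ul per_session,
		     ul slotsize, ul maxreqs, ul nrthreads)
{
	ul avail = per_session < total_avail ? per_session : total_avail;
	ul scale_factor = nrthreads > 8 ? nrthreads : 8;
	ul num = clamp(avail, slotsize, total_avail / scale_factor) / slotsize;
	num = num < maxreqs ? num : maxreqs;
	return num < 1 ? 1 : num;
}
int main(void)
{
	printf("not hi: %d (hi lowest), %d (val lowest); exhausted cache: %lu slot\n",
	       not_hi(1), not_hi(0), nfsd_slots(clamp_current, 0, 65536, 2048, 16, 8));
	return 0;
}
```

With hi below both val and lo, all three orderings return hi; with val below hi, the current ordering returns lo while the two older ones return hi, yet the slot count still comes out as 1 because of the final max with 1.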
