lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251116071454.GD147495@unreal>
Date: Sun, 16 Nov 2025 09:14:54 +0200
From: Leon Romanovsky <leon@...nel.org>
To: David Laight <david.laight.linux@...il.com>
Cc: Jens Axboe <axboe@...nel.dk>, Keith Busch <kbusch@...nel.org>,
	Christoph Hellwig <hch@....de>, Sagi Grimberg <sagi@...mberg.me>,
	linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-nvme@...ts.infradead.org
Subject: Re: [PATCH 1/2] nvme-pci: Use size_t for length fields to handle
 larger sizes

On Sat, Nov 15, 2025 at 10:28:50PM +0000, David Laight wrote:
> On Sat, 15 Nov 2025 20:05:47 +0200
> Leon Romanovsky <leon@...nel.org> wrote:
> 
> > On Sat, Nov 15, 2025 at 05:33:41PM +0000, David Laight wrote:
> > > On Sat, 15 Nov 2025 18:22:45 +0200
> > > Leon Romanovsky <leon@...nel.org> wrote:
> > >   
> > > > From: Leon Romanovsky <leonro@...dia.com>
> > > > 
> > > > This patch changes the length variables from unsigned int to size_t.
> > > > Using size_t ensures that we can handle larger sizes, as size_t is
> > > > always equal to or larger than the previously used u32 type.  
> > > 
> > > Where are requests larger than 4GB going to come from?  
> > 
> > The main goal is to reuse phys_vec structure. It is going to represent PCI
> > regions exposed through VFIO DMABUF interface. Their length is more than u32.
> 
> Unless you actually need to have the same structure (because some function
> is used in both places) there isn't really any need to have a single structure
> for a a phy_addr:length pair.

Actually, we do plan to use them. In RDMA and probably in DMA API also,
as I was suggested to provide general DMA map function, which will
perform mapping for array of phys_vecs.

> Indeed keeping them separate can even remove bugs.

Or introduce, it depends on the situation.

> 
> For instance (I think) blk_map_iter_next() returns an addr:len pair
> that is only only used for the following sg_set_page() call - which
> has separate parameters for phys_to_page(addr) and len.

It is temporary, because we needed to use old SG interface. At some
point of time (after we will finish discussion/implementation of VFIO
and DMABUF), the blk_rq_map_*_sg() routines that are used for RDMA will 
be changed to do not use SG at all.

> So unless there are other place it is used it doesn't need to be
> the same structure at all.
> (Other people might disagree...)

Yes, VFIO, DMABUF and RDMA are other places, so it is better to move
that struct phys_vec to general place now, so in next cycle we will
be able to reuse it.

> 
> > 
> > >   
> > > > Originally, u32 was used because blk-mq-dma code evolved from
> > > > scatter-gather implementation, which uses unsigned int to describe length.
> > > > This change will also allow us to reuse the existing struct phys_vec in places
> > > > that don't need scatter-gather.
> > > > 
> > > > Signed-off-by: Leon Romanovsky <leonro@...dia.com>
> > > > ---
> > > >  block/blk-mq-dma.c      | 14 +++++++++-----
> > > >  drivers/nvme/host/pci.c |  4 ++--
> > > >  2 files changed, 11 insertions(+), 7 deletions(-)
> > > > 
> > > > diff --git a/block/blk-mq-dma.c b/block/blk-mq-dma.c
> > > > index e9108ccaf4b0..cc3e2548cc30 100644
> > > > --- a/block/blk-mq-dma.c
> > > > +++ b/block/blk-mq-dma.c
> > > > @@ -8,7 +8,7 @@
> > > >  
> > > >  struct phys_vec {
> > > >  	phys_addr_t	paddr;
> > > > -	u32		len;
> > > > +	size_t		len;
> > > >  };
> > > >  
> > > >  static bool __blk_map_iter_next(struct blk_map_iter *iter)
> > > > @@ -112,8 +112,8 @@ static bool blk_rq_dma_map_iova(struct request *req, struct device *dma_dev,
> > > >  		struct phys_vec *vec)
> > > >  {
> > > >  	enum dma_data_direction dir = rq_dma_dir(req);
> > > > -	unsigned int mapped = 0;
> > > >  	unsigned int attrs = 0;
> > > > +	size_t mapped = 0;
> > > >  	int error;
> > > >  
> > > >  	iter->addr = state->addr;
> > > > @@ -296,8 +296,10 @@ int __blk_rq_map_sg(struct request *rq, struct scatterlist *sglist,
> > > >  	blk_rq_map_iter_init(rq, &iter);
> > > >  	while (blk_map_iter_next(rq, &iter, &vec)) {
> > > >  		*last_sg = blk_next_sg(last_sg, sglist);
> > > > -		sg_set_page(*last_sg, phys_to_page(vec.paddr), vec.len,
> > > > -				offset_in_page(vec.paddr));
> > > > +
> > > > +		WARN_ON_ONCE(overflows_type(vec.len, unsigned int));  
> > > 
> > > I'm not at all sure you need that test.
> > > blk_map_iter_next() has to guarantee that vec.len is valid.
> > > (probably even less than a page size?)
> > > Perhaps this code should be using a different type for the addr:len pair?  
> > 
> > I added this test for future proof, this is why it doesn't "return" on
> > overflow, but prints dump stack and continues. It can't happen.
> 
> No, on a large number of installed systems it prints the stack an panicks.

It will print such stack if vec.len is more than u32, which is not
supposed to be. 

> Were it to continue the effect would be all wrong anyway.
> But blk_map_iter_next() guarantees to return a sane length.

It is not guarantee. If I understand it correctly, the guarantee comes
from upper layer which limits request size because of SG limitations.

> 
> > 
> > >   
> > > > +		sg_set_page(*last_sg, phys_to_page(vec.paddr),
> > > > +			    (unsigned int)vec.len, offset_in_page(vec.paddr));  
> > > 
> > > You definitely don't need the explicit cast.  
> > 
> > We degrade type from u64 to u32. Why don't we need cast?
> 
> Because you don't need to cast pretty much all integer conversions.
> Any warnings compilers might output for such assignments really are best
> disabled.
> The more casts you add to code to remove 'silly' compiler warnings the
> harder it is to find the ones that actually have a desired effect and/or
> unwanted effects that are actually bugs.
> 
> I'm busy trying to fix a load of min_t(u32, a, b) which mask off high
> significant bits from u64 values.
> The casts got added (implicitly by using min_t() instead of min()) because
> min() required the types match - and in a lot of cases the programmer
> picked the type of the result not that of the larger parameter.
> Others are just cut&paste of another line.
> But the effect is the same, the casts add bugs rather than making the
> code better.
> 
> I've even seen:
> 	uchar_buf[0] = (unsigned char)(int_val & 0xff);
> (Presumably written to avoid compiler warnings.)
> and looked at the object code to find the compiler (not gcc) anded the
> value with 0xff for the '& 0xff', anded it with 0xff again for the cast
> and then did a memory write of the low bits.
> 
> casts could easily be the next 'bug'...

I have no such strong feelings about cast here and can remove it.

Thanks

> 
> 	David
> 
> > 
> > Thanks
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ