Re: [PATCH 10/21] binder: do unlocked work in binder_alloc_new_buf()

From: Carlos Llamas
Date: Fri Dec 01 2023 - 02:11:01 EST

Next message: Carlos Llamas: "Re: [PATCH 13/21] binder: relocate low space calculation"
Previous message: Tian, Kevin: "RE: [PATCH v6 2/6] iommufd: Add IOMMU_HWPT_INVALIDATE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 07, 2023 at 09:08:18AM +0000, Alice Ryhl wrote:
> I found a few issues in this patch:
>
> Consolidating the overflow check into one if statement like this doesn't
> catch all cases of integer overflow. For example, if all three sizes are
> 9223372036854775816, then the computed size will be 9223372036854775832,
> so this would not trigger the overflow check.

Thanks for pointing this out, you are right.

I don't understand the reasoning behind using size_t for the uapi. It
just made things more complicated than needed. These sizes are much
larger than the maximum buffer size of SZ_4M.

Anyway, I've fixed this for v2.

>
> Carlos Llamas <cmllamas@xxxxxxxxxx> writes:
> > mutex_unlock(&alloc->mutex);
> > +
> > + if (IS_ERR(buffer))
> > + goto out;
> > +
> > + buffer->data_size = data_size;
> > + buffer->offsets_size = offsets_size;
> > + buffer->async_transaction = is_async;
> > + buffer->extra_buffers_size = extra_buffers_size;
> > + buffer->pid = pid;
>
> With this change, if there is a concurrent call to
> debug_low_async_space_locked, then there is a data race on the
> async_transaction field. Similarly for print_binder_buffer.
>
> Perhaps these writes should be moved before the mutex_unlock?

Also fixed, thanks!

--
Carlos Llamas

Next message: Carlos Llamas: "Re: [PATCH 13/21] binder: relocate low space calculation"
Previous message: Tian, Kevin: "RE: [PATCH v6 2/6] iommufd: Add IOMMU_HWPT_INVALIDATE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]