On Tue, Aug 11, 2020 at 10:57:02AM +0300, Dan Carpenter wrote:
On Mon, Aug 10, 2020 at 08:41:14PM +0200, Marion & Christophe JAILLET wrote:
Le 10/08/2020 à 17:42, Dan Carpenter a écrit :
On Sun, Aug 09, 2020 at 10:34:06PM +0200, Christophe JAILLET wrote:
When '*sgt' is allocated, we must allocated 'sizeof(**sgt)' bytes instead of 'sizeof(*sg)'. 'sg' (i.e. struct scatterlist) is smaller than 'sgt' (i.e struct sg_table), so this could lead to memory corruption.
The sizeof(*sg) is bigger than sizeof(**sgt) so this wastes memory but it won't lead to corruption.
11 struct scatterlist { 12 unsigned long page_link; 13 unsigned int offset; 14 unsigned int length; 15 dma_addr_t dma_address; 16 #ifdef CONFIG_NEED_SG_DMA_LENGTH 17 unsigned int dma_length; 18 #endif 19 }; 42 struct sg_table { 43 struct scatterlist *sgl; /* the list */ 44 unsigned int nents; /* number of mapped entries */ 45 unsigned int orig_nents; /* original size of list */ 46 };regards, dan carpenter
My bad. I read 'struct scatterlist sgl' (without the *) Thanks for the follow-up, Dan.
Doesn't smatch catch such mismatch? (I've not run smatch for a while, so it is maybe reported)
That's why I was investigating it, because Smatch didn't catch it.
Smatch would have warned if it led to memory corruption. Smatch also tries to detect struct mismatches as a separate check but for some reason it missed it. I'm not totally sure why yet. I suspect that it's a complicated internal reason where Sparse is the sizeof to a normal
s/is/changes/
number... It's a known issue and hard to fix.
regards, dan carpenter