From owner-dev-commits-src-main@freebsd.org Mon Jun 28 22:24:00 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7766A65DA80; Mon, 28 Jun 2021 22:24:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GDMb42nsvz4k6c; Mon, 28 Jun 2021 22:24:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3B8A756F2; Mon, 28 Jun 2021 22:24:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 15SMO05Q048695; Mon, 28 Jun 2021 22:24:00 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 15SMO08S048694; Mon, 28 Jun 2021 22:24:00 GMT (envelope-from git) Date: Mon, 28 Jun 2021 22:24:00 GMT Message-Id: <202106282224.15SMO08S048694@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Warner Losh Subject: git: 56e1161b09c3 - main - cam: fix UB behavior MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: imp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 56e1161b09c38c90d27182414f49d042046dded8 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jun 2021 22:24:00 -0000 The branch main has been updated by imp: URL: https://cgit.FreeBSD.org/src/commit/?id=56e1161b09c38c90d27182414f49d042046dded8 commit 56e1161b09c38c90d27182414f49d042046dded8 Author: Warner Losh AuthorDate: 2021-06-28 21:56:08 +0000 Commit: Warner Losh CommitDate: 2021-06-28 21:56:08 +0000 cam: fix UB behavior The trick of subtracting one from the poitner returned from malloc results in undefined behavior: >>C89: 3.3.6 Unless both the pointer operand and the result point to a >>member of the same array object, or one past the last member of the >>array object, the behavior is undefined. Instead, allocate 1 extra element and stop adjusting the pointer. While a little wasteful, the extra is in the noise on today's systems. Reviewed by: scottl@ Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D30847 --- sys/cam/cam_queue.c | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/sys/cam/cam_queue.c b/sys/cam/cam_queue.c index 074b0545a1fd..1bb1713d65c5 100644 --- a/sys/cam/cam_queue.c +++ b/sys/cam/cam_queue.c @@ -60,17 +60,16 @@ camq_init(struct camq *camq, int size) bzero(camq, sizeof(*camq)); camq->array_size = size; if (camq->array_size != 0) { - camq->queue_array = (cam_pinfo**)malloc(size*sizeof(cam_pinfo*), - M_CAMQ, M_NOWAIT); + /* + * Heap algorithms like everything numbered from 1, so + * allocate one more to account for 0 base. + */ + camq->queue_array = malloc((size + 1) * sizeof(cam_pinfo*), + M_CAMQ, M_NOWAIT); if (camq->queue_array == NULL) { printf("camq_init: - cannot malloc array!\n"); return (1); } - /* - * Heap algorithms like everything numbered from 1, so - * offset our pointer into the heap array by one element. - */ - camq->queue_array--; } return (0); } @@ -85,11 +84,6 @@ void camq_fini(struct camq *queue) { if (queue->queue_array != NULL) { - /* - * Heap algorithms like everything numbered from 1, so - * our pointer into the heap array is offset by one element. - */ - queue->queue_array++; free(queue->queue_array, M_CAMQ); } } @@ -102,8 +96,8 @@ camq_resize(struct camq *queue, int new_size) KASSERT(new_size >= queue->entries, ("camq_resize: " "New queue size can't accommodate queued entries (%d < %d).", new_size, queue->entries)); - new_array = (cam_pinfo **)malloc(new_size * sizeof(cam_pinfo *), - M_CAMQ, M_NOWAIT); + new_array = malloc((new_size + 1) * sizeof(cam_pinfo *), M_CAMQ, + M_NOWAIT); if (new_array == NULL) { /* Couldn't satisfy request */ return (CAM_RESRC_UNAVAIL); @@ -114,12 +108,11 @@ camq_resize(struct camq *queue, int new_size) * by one element. */ if (queue->queue_array != NULL) { - queue->queue_array++; bcopy(queue->queue_array, new_array, - queue->entries * sizeof(cam_pinfo *)); + (queue->entries + 1) * sizeof(cam_pinfo *)); free(queue->queue_array, M_CAMQ); } - queue->queue_array = new_array-1; + queue->queue_array = new_array; queue->array_size = new_size; return (CAM_REQ_CMP); }