Date: Mon, 1 Feb 2016 14:19:35 -0800
From: Conrad Meyer <cem@FreeBSD.org>
To: Warner Losh <imp@bsdimp.com>
Cc: Mike Belopuhov <mike@belopuhov.com>, "freebsd-arch@freebsd.org" <arch@freebsd.org>, Ryan Stone <rysto32@gmail.com>
Subject: Re: OpenBSD mallocarray
Message-ID: <CAG6CVpUySF%2BbWKW7xvPMxOnYKs8KntSv0pX%2B=X00Qi7=DNithg@mail.gmail.com>
In-Reply-To: <1EA0ECF5-D7AC-430E-957D-C4D49F9A872B@bsdimp.com>
References: <CAB815ZafpqJoqr1oH8mDJM=0RxLptQJpoJLexw6P6zOi7oSXTQ@mail.gmail.com> <CAG6CVpWbaFOQ1GzE1qmZFodXg_xZafmCc0b1kUh=0%2BFAjLPRvA@mail.gmail.com> <CAFMmRNyNKOgDEY89dVB=dqYDq6XyQo=MQR%2BHPJ2=_0VdDKRvAw@mail.gmail.com> <20160201210256.GA29188@yamori.belopuhov.com> <1EA0ECF5-D7AC-430E-957D-C4D49F9A872B@bsdimp.com>
On Mon, Feb 1, 2016 at 1:12 PM, Warner Losh <imp@bsdimp.com> wrote:
>
>> On Feb 1, 2016, at 2:02 PM, Mike Belopuhov <mike@belopuhov.com> wrote:
>> Not quite. From the man page:
>>
>> M_CANFAIL
>>
>> In the M_WAITOK case, if not enough memory is available,
>> return NULL instead of calling panic(9). If mallocarray()
>> detects an overflow or malloc() detects an excessive
>> allocation, return NULL instead of calling panic(9).
>
> Yea, we don't want it calling panic. Ever. That turns an overflow
> into a DoS.

I disagree. The panic is essentially an assertion that malloc was
passed valid arguments. We have similar invariant assertions throughout
the kernel and it is the only sane thing to do with overflow + M_WAITOK.
M_WAITOK callers today will do something equally stupid if they get a
NULL result from mallocarray().

> Arguments should be properly checked

Yes! That's why the assertion is a good thing.

> At best, CANFAIL is a kludge to fail with a panic instead of an
> overflow.

No, that's backwards. In CANFAIL mode, mallocarray returns NULL instead
of panicking immediately. It's a kludge so the caller doesn't have to do
overflow checking.

> That's got to be at most a transient thing until all the
> code that it is kludged into without proper thought is fixed.

You mean the panic? What fallback behavior would you prefer? If the
caller requested an overflowing allocation, there really isn't anything
sane to do besides immediately panic (again, for M_WAITOK). Even
M_NOWAIT callers may or may not do something sane.

Best,
Conrad
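As an added illustration, not code from this thread or from either BSD kernel: a userland model of the mallocarray() behaviour the two sides are arguing about, where an nmemb * size overflow is caught before allocation and either reported as NULL (M_CANFAIL) or treated as an invariant violation (panic, modelled here with abort()). The flag bit values are constructed for this model; the MUL_NO_OVERFLOW fast path follows the pattern OpenBSD's reallocarray() uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag names from the thread; the bit values are constructed for this
 * userland model and are not the kernel's actual values. */
#define M_WAITOK   0x0001
#define M_NOWAIT   0x0002
#define M_CANFAIL  0x0004

/* If both factors are below 2^(bits/2) the product cannot overflow,
 * so the division is skipped for the common small-allocation case. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 if nmemb * size would overflow size_t, else 0. */
int mul_overflows(size_t nmemb, size_t size)
{
	if (nmemb < MUL_NO_OVERFLOW && size < MUL_NO_OVERFLOW)
		return 0;
	return nmemb != 0 && SIZE_MAX / nmemb < size;
}

/* Model of mallocarray(): check for overflow before touching malloc().
 * With M_CANFAIL an overflow yields NULL; without it the bad arguments
 * are treated as a broken invariant and the "panic" path is taken. */
void *mallocarray_model(size_t nmemb, size_t size, int flags)
{
	if (mul_overflows(nmemb, size)) {
		if (flags & M_CANFAIL)
			return NULL;
		fprintf(stderr, "panic: mallocarray: %zu * %zu overflows\n",
		    nmemb, size);
		abort();	/* stands in for panic(9) */
	}
	return malloc(nmemb * size);
}

int main(void)
{
	/* Constructed sample: an element count large enough to wrap. */
	size_t nmemb = SIZE_MAX / 2 + 1;
	void *p = mallocarray_model(nmemb, 4, M_WAITOK | M_CANFAIL);
	printf("overflowing request with M_CANFAIL -> %s\n", p ? "ptr" : "NULL");
	free(p);
	p = mallocarray_model(16, sizeof(uint64_t), M_WAITOK);
	printf("16 * 8 bytes -> %s\n", p ? "allocated" : "NULL");
	free(p);
	return 0;
}
```

Calling the overflowing request without M_CANFAIL takes the abort() path, which is the behaviour Conrad describes as the only sane outcome for an M_WAITOK caller that passed bad arguments.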