[PATCH] ERR_PTR: if errno value is known at compile time, make sure it's valid

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ERR_PTR: if errno value is known at compile time, make sure it's valid
@ 2008-05-22 16:50 Marcin Slusarz
  2008-05-22 16:50 ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Marcin Slusarz
  0 siblings, 1 reply; 4+ messages in thread
From: Marcin Slusarz @ 2008-05-22 16:50 UTC (permalink / raw)
  To: LKML
  Cc: Andrew Morton, Christoph Hellwig, Al Viro, Alexey Dobriyan,
	Johannes Weiner

ERR_PTR is easy to call with wrong argument (positive errno),
and this error lead to catastrophic event - oops or kernel panic
(dereference of invalid pointer).

As most of error handling code paths are rarely tested, this kind of
bug can be hidden for years. Currently there are > 1400 calls of ERR_PTR
with constant argument.

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Johannes Weiner <hannes@saeurebad.de>
---
 include/linux/err.h |   11 ++++++++++-
 1 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/include/linux/err.h b/include/linux/err.h
index ec87f31..4773ed3 100644
--- a/include/linux/err.h
+++ b/include/linux/err.h
@@ -18,12 +18,21 @@
 #ifndef __ASSEMBLY__
 
 #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
+#define VALID_ERR_PTR_ARG(error) (error == 0 || IS_ERR_VALUE(error))
 
-static inline void *ERR_PTR(long error)
+static inline void *__ERR_PTR(long error)
 {
 	return (void *) error;
 }
 
+/*
+ * implementation note: we have to make it a macro, otherwise
+ * gcc won't break the build on wrong argument
+ */
+#define ERR_PTR(error) (BUILD_BUG_ON(__builtin_constant_p(error) && \
+					!VALID_ERR_PTR_ARG(error)), \
+			__ERR_PTR(error))
+
 static inline long PTR_ERR(const void *ptr)
 {
 	return (long) ptr;
-- 
1.5.4.5


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument
  2008-05-22 16:50 [PATCH] ERR_PTR: if errno value is known at compile time, make sure it's valid Marcin Slusarz
@ 2008-05-22 16:50 ` Marcin Slusarz
  2008-05-22 16:58   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is invalid Marcin Slusarz
  2008-05-27 20:04   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Andrew Morton
  0 siblings, 2 replies; 4+ messages in thread
From: Marcin Slusarz @ 2008-05-22 16:50 UTC (permalink / raw)
  To: LKML
  Cc: Andrew Morton, Christoph Hellwig, Al Viro, Alexey Dobriyan,
	Johannes Weiner

Check at runtime whether error argument of ERR_PTR is valid.
It can catch bugs which possibly lead to oops or panic earlier.

Currently there are > 600 calls of ERR_PTR with non-constant argument.

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Johannes Weiner <hannes@saeurebad.de>
---
 include/linux/err.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/include/linux/err.h b/include/linux/err.h
index 4773ed3..f7e098e 100644
--- a/include/linux/err.h
+++ b/include/linux/err.h
@@ -3,6 +3,7 @@
 
 #include <linux/compiler.h>
 
+#include <asm/bug.h>
 #include <asm/errno.h>
 
 /*
@@ -22,6 +23,7 @@
 
 static inline void *__ERR_PTR(long error)
 {
+	WARN_ON(!VALID_ERR_PTR_ARG(error));
 	return (void *) error;
 }
 
-- 
1.5.4.5


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] ERR_PTR: warn when ERR_PTR parameter is invalid
  2008-05-22 16:50 ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Marcin Slusarz
@ 2008-05-22 16:58   ` Marcin Slusarz
  2008-05-27 20:04   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Andrew Morton
  1 sibling, 0 replies; 4+ messages in thread
From: Marcin Slusarz @ 2008-05-22 16:58 UTC (permalink / raw)
  To: LKML
  Cc: Andrew Morton, Christoph Hellwig, Al Viro, Alexey Dobriyan,
	Johannes Weiner

Sorry, wrong patch title. Should be:
"ERR_PTR: warn when ERR_PTR parameter is invalid"

I forgot to add that this patch sould be applied after:
"vfs: fix ERR_PTR abuse in generic_readlink"
http://lkml.org/lkml/2008/5/18/316
which is alredy in -mm

Cheers,
Marcin

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument
  2008-05-22 16:50 ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Marcin Slusarz
  2008-05-22 16:58   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is invalid Marcin Slusarz
@ 2008-05-27 20:04   ` Andrew Morton
  1 sibling, 0 replies; 4+ messages in thread
From: Andrew Morton @ 2008-05-27 20:04 UTC (permalink / raw)
  To: Marcin Slusarz; +Cc: linux-kernel, hch, viro, adobriyan, hannes

On Thu, 22 May 2008 18:50:19 +0200
Marcin Slusarz <marcin.slusarz@gmail.com> wrote:

> Check at runtime whether error argument of ERR_PTR is valid.
> It can catch bugs which possibly lead to oops or panic earlier.
> 
> Currently there are > 600 calls of ERR_PTR with non-constant argument.
> 
> Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Al Viro <viro@ZenIV.linux.org.uk>
> Cc: Alexey Dobriyan <adobriyan@gmail.com>
> Cc: Johannes Weiner <hannes@saeurebad.de>
> ---
>  include/linux/err.h |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/include/linux/err.h b/include/linux/err.h
> index 4773ed3..f7e098e 100644
> --- a/include/linux/err.h
> +++ b/include/linux/err.h
> @@ -3,6 +3,7 @@
>  
>  #include <linux/compiler.h>
>  
> +#include <asm/bug.h>
>  #include <asm/errno.h>
>  
>  /*
> @@ -22,6 +23,7 @@
>  
>  static inline void *__ERR_PTR(long error)
>  {
> +	WARN_ON(!VALID_ERR_PTR_ARG(error));
>  	return (void *) error;
>  }

It would be regrettable to add source-level complexity and runtime cost
to detect this particular bug.  I think it would be better to do this
via static source-code checking if at all possible.

Is there _any_ legitimate use of non-negative EFOO?  There might be
some baroque bits of code which are using non-negative constants in a
non-buggy fashion, but I bet they could be reworked to use negative
constants.

In which case I'd have thought that a script which

a) extracts all the EFOO identifiers from include/*/errno.h and

b) greps the tree for non-negative uses of those

would have 100% coverage?

We might need to touch up some code sites to avoid triggering false
positives and make that script's life a bit easier, but that's fine.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2008-05-27 20:04 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-22 16:50 [PATCH] ERR_PTR: if errno value is known at compile time, make sure it's valid Marcin Slusarz
2008-05-22 16:50 ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Marcin Slusarz
2008-05-22 16:58   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is invalid Marcin Slusarz
2008-05-27 20:04   ` [PATCH] ERR_PTR: warn when ERR_PTR parameter is valid argument Andrew Morton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox