* [PATCH 0/1] wait: using uninitialized member of wait queue
@ 2010-10-05 8:47 Evgeny Kuznetsov
2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov
2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds
0 siblings, 2 replies; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 8:47 UTC (permalink / raw)
To: akpm, torvalds
Cc: m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel,
ext-eugeny.kuznetsov
Hi,
Here is patch which fixes bug in /include/linux/wait.h file.
Member "flags" of "wait_queue_t" struct is used in several places in
kernel code without beeing initialized. "flags" is used in bitwise
operations. If it contain dummy data then incorrect flags may be
used later in code.
Thanks,
Best Regards,
Evgeny
Evgeny Kuznetsov (1):
wait: using uninitialized member of wait queue
include/linux/wait.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] wait: using uninitialized member of wait queue
2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov
@ 2010-10-05 8:47 ` Evgeny Kuznetsov
2010-10-05 10:41 ` Michał Nazarewicz
2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds
1 sibling, 1 reply; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 8:47 UTC (permalink / raw)
To: akpm, torvalds
Cc: m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel,
ext-eugeny.kuznetsov
From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com>
Member "flags" of "wait_queue_t" struct is used in several places in
kernel code without beeing initialized. "flags" is used in bitwise operations.
If "flags" not initialized then unexpected behaviour may have place.
Incorrect flags maybe used later in code.
Struct "wait_queue_t" is initialized in function "init_wait()". But
"init_wait()" do not initialize "flag" member.
Added initialization of "wait_queue_t.flags" with zero value into "init_wait".
Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com>
---
include/linux/wait.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/include/linux/wait.h b/include/linux/wait.h
index 0836ccc..3efc9f3 100644
--- a/include/linux/wait.h
+++ b/include/linux/wait.h
@@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait, unsigned mode, int sync, void *key);
(wait)->private = current; \
(wait)->func = autoremove_wake_function; \
INIT_LIST_HEAD(&(wait)->task_list); \
+ (wait)->flags = 0; \
} while (0)
/**
--
1.6.3.3
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue
2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov
@ 2010-10-05 10:41 ` Michał Nazarewicz
2010-10-05 11:00 ` Evgeny Kuznetsov
0 siblings, 1 reply; 7+ messages in thread
From: Michał Nazarewicz @ 2010-10-05 10:41 UTC (permalink / raw)
To: akpm, torvalds, Evgeny Kuznetsov
Cc: mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel,
ext-eugeny.kuznetsov
On Tue, 05 Oct 2010 10:47:57 +0200, Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
> Member "flags" of "wait_queue_t" struct is used in several places in
> kernel code without beeing initialized. "flags" is used in bitwise operations.
^^^^^^ -- "being"
> If "flags" not initialized then unexpected behaviour may have place.
> Incorrect flags maybe used later in code.
> Struct "wait_queue_t" is initialized in function "init_wait()". But
> "init_wait()" do not initialize "flag" member.
^^ -- does ^^^^ -- "flags"
> Added initialization of "wait_queue_t.flags" with zero value into "init_wait".
> diff --git a/include/linux/wait.h b/include/linux/wait.h
> index 0836ccc..3efc9f3 100644
> --- a/include/linux/wait.h
> +++ b/include/linux/wait.h
> @@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait, unsigned mode, int sync, void *key);
> (wait)->private = current; \
> (wait)->func = autoremove_wake_function; \
> INIT_LIST_HEAD(&(wait)->task_list); \
> + (wait)->flags = 0; \
> } while (0)
> /**
I'd turn init_wait() into a static inline. Otherwise looks good to me.
(Interestingly, init_wait() is used only in 3 places in the kernel and
none uses flags.)
--
Best regards, _ _
| Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o
| Computer Science, Michał "mina86" Nazarewicz (o o)
+----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo--
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue
2010-10-05 10:41 ` Michał Nazarewicz
@ 2010-10-05 11:00 ` Evgeny Kuznetsov
2010-10-05 11:39 ` Michał Nazarewicz
0 siblings, 1 reply; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-05 11:00 UTC (permalink / raw)
To: ext Michał Nazarewicz
Cc: akpm, torvalds, mingo, gregkh, a.p.zijlstra, xiaosuo,
linux-kernel
Hi,
'wait_queue_t' is passed to prepare_to_wait() function where 'flags' is
used, e.g:
File: /mm/mempool.c
void * mempool_alloc(mempool_t *pool, gfp_t gfp_mask)
{ .....
.....
init_wait(&wait);
prepare_to_wait(&pool->wait, &wait, TASK_UNINTERRUPTIBLE);
.....
}
Best Regards,
Evgeny
On Tue, 2010-10-05 at 12:41 +0200, ext Michał Nazarewicz wrote:
> On Tue, 05 Oct 2010 10:47:57 +0200, Evgeny Kuznetsov
> <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
> > Member "flags" of "wait_queue_t" struct is used in several places
> in
> > kernel code without beeing initialized. "flags" is used in bitwise
> operations.
> ^^^^^^ -- "being"
>
> > If "flags" not initialized then unexpected behaviour may have place.
> > Incorrect flags maybe used later in code.
> > Struct "wait_queue_t" is initialized in function "init_wait()". But
> > "init_wait()" do not initialize "flag" member.
> ^^ -- does ^^^^ -- "flags"
>
> > Added initialization of "wait_queue_t.flags" with zero value into
> "init_wait".
>
> > diff --git a/include/linux/wait.h b/include/linux/wait.h
> > index 0836ccc..3efc9f3 100644
> > --- a/include/linux/wait.h
> > +++ b/include/linux/wait.h
> > @@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait,
> unsigned mode, int sync, void *key);
> > (wait)->private =
> current; \
> > (wait)->func =
> autoremove_wake_function; \
> > INIT_LIST_HEAD(&(wait)->task_list); \
> > + (wait)->flags =
> 0; \
> > } while (0)
> > /**
>
> I'd turn init_wait() into a static inline. Otherwise looks good to
> me.
> (Interestingly, init_wait() is used only in 3 places in the kernel and
> none uses flags.)
>
> --
> Best regards, _ _
> | Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o
> | Computer Science, Michał "mina86" Nazarewicz (o o)
> +----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo--
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue
2010-10-05 11:00 ` Evgeny Kuznetsov
@ 2010-10-05 11:39 ` Michał Nazarewicz
0 siblings, 0 replies; 7+ messages in thread
From: Michał Nazarewicz @ 2010-10-05 11:39 UTC (permalink / raw)
To: Evgeny Kuznetsov
Cc: akpm, torvalds, mingo, gregkh, a.p.zijlstra, xiaosuo,
linux-kernel
> On Tue, 2010-10-05 at 12:41 +0200, ext Michał Nazarewicz wrote:
>> (Interestingly, init_wait() is used only in 3 places in the kernel and
>> none uses flags.)
On Tue, 05 Oct 2010 13:00:38 +0200, Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
> 'wait_queue_t' is passed to prepare_to_wait() function where 'flags' is
> used, e.g:
> File: /mm/mempool.c
> void * mempool_alloc(mempool_t *pool, gfp_t gfp_mask)
> { .....
> .....
> init_wait(&wait);
> prepare_to_wait(&pool->wait, &wait, TASK_UNINTERRUPTIBLE);
> .....
> }
I meant that none of the callers initialized flags. I was initially concerned
whether some caller that used init_wait() could set flags and expect that they
won't be changed by the call to init_wait() -- this turned out not to be the
case.
So essentially, I'm supporting your point. Sorry about the confusion.
--
Best regards, _ _
| Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o
| Computer Science, Michał "mina86" Nazarewicz (o o)
+----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo--
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] wait: using uninitialized member of wait queue
2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov
2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov
@ 2010-10-05 15:43 ` Linus Torvalds
2010-10-06 6:01 ` Evgeny Kuznetsov
1 sibling, 1 reply; 7+ messages in thread
From: Linus Torvalds @ 2010-10-05 15:43 UTC (permalink / raw)
To: Evgeny Kuznetsov
Cc: akpm, m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo,
linux-kernel
On Tue, Oct 5, 2010 at 1:47 AM, Evgeny Kuznetsov
<EXT-Eugeny.Kuznetsov@nokia.com> wrote:
>
> Here is patch which fixes bug in /include/linux/wait.h file.
> Member "flags" of "wait_queue_t" struct is used in several places in
> kernel code without beeing initialized. "flags" is used in bitwise
> operations. If it contain dummy data then incorrect flags may be
> used later in code.
The patch looks fine, but do you have any case of this actually
causing problems? Afaik, we do end up initializing the part of the
flags field we care about (WQ_FLAG_EXCLUSIVE) in prepare_to_wait()
(and add_wait_queue()), so it looks - from an admittedly very cursory
read - as if this is a good cleanup but shouldn't actually be the
cause of any actual bugs.
So I'll apply it, but I just wondered if you had actually seen any
semantic changes from it?
Linus
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] wait: using uninitialized member of wait queue
2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds
@ 2010-10-06 6:01 ` Evgeny Kuznetsov
0 siblings, 0 replies; 7+ messages in thread
From: Evgeny Kuznetsov @ 2010-10-06 6:01 UTC (permalink / raw)
To: ext Linus Torvalds
Cc: akpm, m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo,
linux-kernel
On Tue, 2010-10-05 at 08:43 -0700, ext Linus Torvalds wrote:
> On Tue, Oct 5, 2010 at 1:47 AM, Evgeny Kuznetsov
> <EXT-Eugeny.Kuznetsov@nokia.com> wrote:
> >
> > Here is patch which fixes bug in /include/linux/wait.h file.
> > Member "flags" of "wait_queue_t" struct is used in several places in
> > kernel code without beeing initialized. "flags" is used in bitwise
> > operations. If it contain dummy data then incorrect flags may be
> > used later in code.
>
> The patch looks fine, but do you have any case of this actually
> causing problems? Afaik, we do end up initializing the part of the
> flags field we care about (WQ_FLAG_EXCLUSIVE) in prepare_to_wait()
> (and add_wait_queue()), so it looks - from an admittedly very cursory
> read - as if this is a good cleanup but shouldn't actually be the
> cause of any actual bugs.
>
> So I'll apply it, but I just wondered if you had actually seen any
> semantic changes from it?
>
> Linus
I did not see any problems caused by uninitialized flag. But this is
potential unsafe place (in case of future changes).
Also there is initialization of all members but not 'flags' in
init_wait() function. It is logical to initialize all data members.
Thanks,
Regards,
Evgeny
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-10-06 6:05 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov
2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov
2010-10-05 10:41 ` Michał Nazarewicz
2010-10-05 11:00 ` Evgeny Kuznetsov
2010-10-05 11:39 ` Michał Nazarewicz
2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds
2010-10-06 6:01 ` Evgeny Kuznetsov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox