* [PATCH 0/1] wait: using uninitialized member of wait queue @ 2010-10-05 8:47 Evgeny Kuznetsov 2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov 2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds 0 siblings, 2 replies; 7+ messages in thread From: Evgeny Kuznetsov @ 2010-10-05 8:47 UTC (permalink / raw) To: akpm, torvalds Cc: m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel, ext-eugeny.kuznetsov Hi, Here is patch which fixes bug in /include/linux/wait.h file. Member "flags" of "wait_queue_t" struct is used in several places in kernel code without beeing initialized. "flags" is used in bitwise operations. If it contain dummy data then incorrect flags may be used later in code. Thanks, Best Regards, Evgeny Evgeny Kuznetsov (1): wait: using uninitialized member of wait queue include/linux/wait.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] wait: using uninitialized member of wait queue 2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov @ 2010-10-05 8:47 ` Evgeny Kuznetsov 2010-10-05 10:41 ` Michał Nazarewicz 2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds 1 sibling, 1 reply; 7+ messages in thread From: Evgeny Kuznetsov @ 2010-10-05 8:47 UTC (permalink / raw) To: akpm, torvalds Cc: m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel, ext-eugeny.kuznetsov From: Evgeny Kuznetsov <ext-eugeny.kuznetsov@nokia.com> Member "flags" of "wait_queue_t" struct is used in several places in kernel code without beeing initialized. "flags" is used in bitwise operations. If "flags" not initialized then unexpected behaviour may have place. Incorrect flags maybe used later in code. Struct "wait_queue_t" is initialized in function "init_wait()". But "init_wait()" do not initialize "flag" member. Added initialization of "wait_queue_t.flags" with zero value into "init_wait". Signed-off-by: Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> --- include/linux/wait.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/include/linux/wait.h b/include/linux/wait.h index 0836ccc..3efc9f3 100644 --- a/include/linux/wait.h +++ b/include/linux/wait.h @@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait, unsigned mode, int sync, void *key); (wait)->private = current; \ (wait)->func = autoremove_wake_function; \ INIT_LIST_HEAD(&(wait)->task_list); \ + (wait)->flags = 0; \ } while (0) /** -- 1.6.3.3 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue 2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov @ 2010-10-05 10:41 ` Michał Nazarewicz 2010-10-05 11:00 ` Evgeny Kuznetsov 0 siblings, 1 reply; 7+ messages in thread From: Michał Nazarewicz @ 2010-10-05 10:41 UTC (permalink / raw) To: akpm, torvalds, Evgeny Kuznetsov Cc: mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel, ext-eugeny.kuznetsov On Tue, 05 Oct 2010 10:47:57 +0200, Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote: > Member "flags" of "wait_queue_t" struct is used in several places in > kernel code without beeing initialized. "flags" is used in bitwise operations. ^^^^^^ -- "being" > If "flags" not initialized then unexpected behaviour may have place. > Incorrect flags maybe used later in code. > Struct "wait_queue_t" is initialized in function "init_wait()". But > "init_wait()" do not initialize "flag" member. ^^ -- does ^^^^ -- "flags" > Added initialization of "wait_queue_t.flags" with zero value into "init_wait". > diff --git a/include/linux/wait.h b/include/linux/wait.h > index 0836ccc..3efc9f3 100644 > --- a/include/linux/wait.h > +++ b/include/linux/wait.h > @@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait, unsigned mode, int sync, void *key); > (wait)->private = current; \ > (wait)->func = autoremove_wake_function; \ > INIT_LIST_HEAD(&(wait)->task_list); \ > + (wait)->flags = 0; \ > } while (0) > /** I'd turn init_wait() into a static inline. Otherwise looks good to me. (Interestingly, init_wait() is used only in 3 places in the kernel and none uses flags.) -- Best regards, _ _ | Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o | Computer Science, Michał "mina86" Nazarewicz (o o) +----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo-- ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue 2010-10-05 10:41 ` Michał Nazarewicz @ 2010-10-05 11:00 ` Evgeny Kuznetsov 2010-10-05 11:39 ` Michał Nazarewicz 0 siblings, 1 reply; 7+ messages in thread From: Evgeny Kuznetsov @ 2010-10-05 11:00 UTC (permalink / raw) To: ext Michał Nazarewicz Cc: akpm, torvalds, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel Hi, 'wait_queue_t' is passed to prepare_to_wait() function where 'flags' is used, e.g: File: /mm/mempool.c void * mempool_alloc(mempool_t *pool, gfp_t gfp_mask) { ..... ..... init_wait(&wait); prepare_to_wait(&pool->wait, &wait, TASK_UNINTERRUPTIBLE); ..... } Best Regards, Evgeny On Tue, 2010-10-05 at 12:41 +0200, ext Michał Nazarewicz wrote: > On Tue, 05 Oct 2010 10:47:57 +0200, Evgeny Kuznetsov > <EXT-Eugeny.Kuznetsov@nokia.com> wrote: > > Member "flags" of "wait_queue_t" struct is used in several places > in > > kernel code without beeing initialized. "flags" is used in bitwise > operations. > ^^^^^^ -- "being" > > > If "flags" not initialized then unexpected behaviour may have place. > > Incorrect flags maybe used later in code. > > Struct "wait_queue_t" is initialized in function "init_wait()". But > > "init_wait()" do not initialize "flag" member. > ^^ -- does ^^^^ -- "flags" > > > Added initialization of "wait_queue_t.flags" with zero value into > "init_wait". > > > diff --git a/include/linux/wait.h b/include/linux/wait.h > > index 0836ccc..3efc9f3 100644 > > --- a/include/linux/wait.h > > +++ b/include/linux/wait.h > > @@ -614,6 +614,7 @@ int wake_bit_function(wait_queue_t *wait, > unsigned mode, int sync, void *key); > > (wait)->private = > current; \ > > (wait)->func = > autoremove_wake_function; \ > > INIT_LIST_HEAD(&(wait)->task_list); \ > > + (wait)->flags = > 0; \ > > } while (0) > > /** > > I'd turn init_wait() into a static inline. Otherwise looks good to > me. > (Interestingly, init_wait() is used only in 3 places in the kernel and > none uses flags.) > > -- > Best regards, _ _ > | Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o > | Computer Science, Michał "mina86" Nazarewicz (o o) > +----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo-- ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] wait: using uninitialized member of wait queue 2010-10-05 11:00 ` Evgeny Kuznetsov @ 2010-10-05 11:39 ` Michał Nazarewicz 0 siblings, 0 replies; 7+ messages in thread From: Michał Nazarewicz @ 2010-10-05 11:39 UTC (permalink / raw) To: Evgeny Kuznetsov Cc: akpm, torvalds, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel > On Tue, 2010-10-05 at 12:41 +0200, ext Michał Nazarewicz wrote: >> (Interestingly, init_wait() is used only in 3 places in the kernel and >> none uses flags.) On Tue, 05 Oct 2010 13:00:38 +0200, Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote: > 'wait_queue_t' is passed to prepare_to_wait() function where 'flags' is > used, e.g: > File: /mm/mempool.c > void * mempool_alloc(mempool_t *pool, gfp_t gfp_mask) > { ..... > ..... > init_wait(&wait); > prepare_to_wait(&pool->wait, &wait, TASK_UNINTERRUPTIBLE); > ..... > } I meant that none of the callers initialized flags. I was initially concerned whether some caller that used init_wait() could set flags and expect that they won't be changed by the call to init_wait() -- this turned out not to be the case. So essentially, I'm supporting your point. Sorry about the confusion. -- Best regards, _ _ | Humble Liege of Serenely Enlightened Majesty of o' \,=./ `o | Computer Science, Michał "mina86" Nazarewicz (o o) +----[mina86*mina86.com]---[mina86*jabber.org]----ooO--(_)--Ooo-- ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] wait: using uninitialized member of wait queue 2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov 2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov @ 2010-10-05 15:43 ` Linus Torvalds 2010-10-06 6:01 ` Evgeny Kuznetsov 1 sibling, 1 reply; 7+ messages in thread From: Linus Torvalds @ 2010-10-05 15:43 UTC (permalink / raw) To: Evgeny Kuznetsov Cc: akpm, m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel On Tue, Oct 5, 2010 at 1:47 AM, Evgeny Kuznetsov <EXT-Eugeny.Kuznetsov@nokia.com> wrote: > > Here is patch which fixes bug in /include/linux/wait.h file. > Member "flags" of "wait_queue_t" struct is used in several places in > kernel code without beeing initialized. "flags" is used in bitwise > operations. If it contain dummy data then incorrect flags may be > used later in code. The patch looks fine, but do you have any case of this actually causing problems? Afaik, we do end up initializing the part of the flags field we care about (WQ_FLAG_EXCLUSIVE) in prepare_to_wait() (and add_wait_queue()), so it looks - from an admittedly very cursory read - as if this is a good cleanup but shouldn't actually be the cause of any actual bugs. So I'll apply it, but I just wondered if you had actually seen any semantic changes from it? Linus ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] wait: using uninitialized member of wait queue 2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds @ 2010-10-06 6:01 ` Evgeny Kuznetsov 0 siblings, 0 replies; 7+ messages in thread From: Evgeny Kuznetsov @ 2010-10-06 6:01 UTC (permalink / raw) To: ext Linus Torvalds Cc: akpm, m.nazarewicz, mingo, gregkh, a.p.zijlstra, xiaosuo, linux-kernel On Tue, 2010-10-05 at 08:43 -0700, ext Linus Torvalds wrote: > On Tue, Oct 5, 2010 at 1:47 AM, Evgeny Kuznetsov > <EXT-Eugeny.Kuznetsov@nokia.com> wrote: > > > > Here is patch which fixes bug in /include/linux/wait.h file. > > Member "flags" of "wait_queue_t" struct is used in several places in > > kernel code without beeing initialized. "flags" is used in bitwise > > operations. If it contain dummy data then incorrect flags may be > > used later in code. > > The patch looks fine, but do you have any case of this actually > causing problems? Afaik, we do end up initializing the part of the > flags field we care about (WQ_FLAG_EXCLUSIVE) in prepare_to_wait() > (and add_wait_queue()), so it looks - from an admittedly very cursory > read - as if this is a good cleanup but shouldn't actually be the > cause of any actual bugs. > > So I'll apply it, but I just wondered if you had actually seen any > semantic changes from it? > > Linus I did not see any problems caused by uninitialized flag. But this is potential unsafe place (in case of future changes). Also there is initialization of all members but not 'flags' in init_wait() function. It is logical to initialize all data members. Thanks, Regards, Evgeny ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-10-06 6:05 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-10-05 8:47 [PATCH 0/1] wait: using uninitialized member of wait queue Evgeny Kuznetsov 2010-10-05 8:47 ` [PATCH 1/1] " Evgeny Kuznetsov 2010-10-05 10:41 ` Michał Nazarewicz 2010-10-05 11:00 ` Evgeny Kuznetsov 2010-10-05 11:39 ` Michał Nazarewicz 2010-10-05 15:43 ` [PATCH 0/1] " Linus Torvalds 2010-10-06 6:01 ` Evgeny Kuznetsov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox