lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <19141.34685.863491.329836@notabene.brown>
Date:	Fri, 2 Oct 2009 14:54:21 +1000
From:	Neil Brown <neilb@...e.de>
To:	David Rientjes <rientjes@...gle.com>
Cc:	Suresh Jayaraman <sjayaraman@...e.de>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org, linux-mm@...ck.org,
	netdev@...r.kernel.org, Miklos Szeredi <mszeredi@...e.cz>,
	Wouter Verhelst <w@...r.be>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	trond.myklebust@....uio.no
Subject: Re: [PATCH 30/31] Fix use of uninitialized variable in
 cache_grow()

On Thursday October 1, rientjes@...gle.com wrote:
> On Thu, 1 Oct 2009, Suresh Jayaraman wrote:
> 
> > From: Miklos Szeredi <mszeredi@...e.cz>
> > 
> > This fixes a bug in reserve-slub.patch.
> > 
> > If cache_grow() was called with objp != NULL then the 'reserve' local
> > variable wasn't initialized. This resulted in ac->reserve being set to
> > a rubbish value.  Due to this in some circumstances huge amounts of
> > slab pages were allocated (due to slab_force_alloc() returning true),
> > which caused atomic page allocation failures and slowdown of the
> > system.
> > 
> > Signed-off-by: Miklos Szeredi <mszeredi@...e.cz>
> > Signed-off-by: Suresh Jayaraman <sjayaraman@...e.de>
> > ---
> >  mm/slab.c |    5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> > 
> > Index: mmotm/mm/slab.c
> > ===================================================================
> > --- mmotm.orig/mm/slab.c
> > +++ mmotm/mm/slab.c
> > @@ -2760,7 +2760,7 @@ static int cache_grow(struct kmem_cache
> >  	size_t offset;
> >  	gfp_t local_flags;
> >  	struct kmem_list3 *l3;
> > -	int reserve;
> > +	int reserve = -1;
> >  
> >  	/*
> >  	 * Be lazy and only check for valid flags here,  keeping it out of the
> > @@ -2816,7 +2816,8 @@ static int cache_grow(struct kmem_cache
> >  	if (local_flags & __GFP_WAIT)
> >  		local_irq_disable();
> >  	check_irq_off();
> > -	slab_set_reserve(cachep, reserve);
> > +	if (reserve != -1)
> > +		slab_set_reserve(cachep, reserve);
> >  	spin_lock(&l3->list_lock);
> >  
> >  	/* Make slab active. */
> 
> Given the patch description, shouldn't this be a test for objp != NULL 
> instead, then?

In between those to patch hunks, cache_grow contains the code:
	if (!objp)
		objp = kmem_getpages(cachep, local_flags, nodeid, &reserve);
	if (!objp)
		goto failed;

We can no longer test if objp was NULL on entry to the function.
We could take a copy of objp on entry to the function, and test it
here.  But initialising 'reserve' to an invalid value is easier.



> 
> If so, it doesn't make sense because reserve will only be initialized when 
> objp == NULL in the call to kmem_getpages() from cache_grow().
> 
> 
> The title of the patch suggests this is just dealing with an uninitialized 
> auto variable so the anticipated change would be from "int reserve" to 
> "int uninitialized_var(result)".

That change is only appropriate when the compiler is issuing a
warning that the variable is used before it is initialised, but we
know that not to be the case.
In this situation, we know it *is* being used before it is
initialised, and so we need to initialise it to something.

Thanks,
NeilBrown
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ