| Message ID | 20221027212506.3745164-1-pobrn@protonmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp472638wru;
Thu, 27 Oct 2022 14:52:41 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM4J4KFqnJD4tlNKLfXAS5wNf3KJQdoFKOMXJQCGZqau2xWRmjpW0ldUNHngNVMJN1z2Ryos
X-Received: by 2002:a05:6402:516e:b0:461:ebe2:f17d with SMTP id
d14-20020a056402516e00b00461ebe2f17dmr18992581ede.181.1666907560889;
Thu, 27 Oct 2022 14:52:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666907560; cv=none;
d=google.com; s=arc-20160816;
b=H6JWVId40Lsp9rZlpnGubbB1X99WTND1ctuxpndJXVs6noXDvkVC0gdc79YzJba0/C
24Z1eXlKjHFte/mnNSBFN6/++acdB1oBRBu6BcDTm0bQwb93CailFDSRQ09WCf2NYmtO
FdiYMROfXCBfeQlfp2oA1GcK2zLYBKHyN3MUZi8tO+m5otRkGvxGrzyTFgUTrYiGqq6F
ngI9ret6CoQYtcWH73R1WxZ8ZrPgxV6d9j3yt482kUpY6n9xJX0Ipnqlk7MeXdGr8OtK
D2CNI1uIB12SnvX1kzgfwLoezFLi5m7kFHtb2jKSLlVri32kO0JVdVq6TKiomiI44BK4
uWhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:feedback-id:message-id:subject:from:to:dkim-signature:date;
bh=qOqRsISaPy8WRtmUNjqUH5CrgfQe9GLu6VNSH2AUc/s=;
b=nQf+HgnrDESeY9978K5QaPl94ICvDKLcIS7NLjMovd0foacMiVAXoqLsj4vl/3VhHm
thMomFbaFRwWMvhK9arAbrREjofqsmuIm28nlMPX5udBX9D6wAA9q7EKOR51DKwAP8f6
a5F31hYcVytGM2SrLSX8JSBc9iv1x15GnU4Y1+Pm86x+O/evNSMd4FqG/pjNLd57djNj
v9o0qTP3yHaywqDrZKHH2DO98ECstFx+NQkpvUGVUOZeRQGsmEhRev+c3GFzlW0Xl7ck
lVhmZLoz7r2qHGJ/6G/MKkbN27YzkD22YH/NGVhuUKCasfFJpAlNeMtKVpoj2rLtetDn
mouQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@protonmail.com header.s=protonmail3
header.b="FUFE/3cT";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)
header.from=protonmail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
kx10-20020a170907774a00b00783e7d72fc0si632519ejc.272.2022.10.27.14.52.17;
Thu, 27 Oct 2022 14:52:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@protonmail.com header.s=protonmail3
header.b="FUFE/3cT";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE)
header.from=protonmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S236336AbiJ0VhW (ORCPT <rfc822;chrisfriedt@gmail.com>
+ 99 others); Thu, 27 Oct 2022 17:37:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40338 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S235481AbiJ0VhU (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 27 Oct 2022 17:37:20 -0400
Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch
[185.70.40.134])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB86972B44
for <linux-kernel@vger.kernel.org>;
Thu, 27 Oct 2022 14:37:19 -0700 (PDT)
Date: Thu, 27 Oct 2022 21:37:07 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail3; t=1666906638; x=1667165838;
bh=qOqRsISaPy8WRtmUNjqUH5CrgfQe9GLu6VNSH2AUc/s=;
h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
b=FUFE/3cT8xKN0tQFmfifVFz88b0tVnn05nOWRJz6RMFuyIVoScOMtmZcjMgtziie4
MxG9YxlRRA1UA+hY94Ssevq51eqIh46gUNcIsadtfzTYTsZVlHpC7fLesKciU6Zt2+
xelEeKGl8MdkBdbMX89Cy5JKxYobSOmElEEIlc/nwZZS87l+SX1csliEIg+0w1GaKL
J/1bfTYwGQMKqorT/0kqwHcIrELVnln3hr54KNYGaKfGqAGOfjWnUUtGA+5GRn+Wna
wVDAEsyeFhjQgXgEVvxCh3jGB27z5s4QceGInX2XjKV0RTHO5sWb+OgCtp2YY6UGkZ
ZNYW9gCkxy3YQ==
To: linux-kernel@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>
From: =?utf-8?q?Barnab=C3=A1s_P=C5=91cze?= <pobrn@protonmail.com>
Subject: [PATCH v1] timerqueue: use rb_entry_safe() in timerqueue_getnext()
Message-ID: <20221027212506.3745164-1-pobrn@protonmail.com>
Feedback-ID: 20568564:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,SPF_HELO_PASS,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747879262448969040?=
X-GMAIL-MSGID: =?utf-8?q?1747879262448969040?=
|
| Series |
[v1] timerqueue: use rb_entry_safe() in timerqueue_getnext()
|
|
Commit Message
Barnabás Pőcze
Oct. 27, 2022, 9:37 p.m. UTC
When `timerqueue_getnext()` is called on an empty timerqueue
the returned rb_node pointer will be NULL. Using `rb_entry()`
on a potentially NULL pointer will only - coincidentally - work
if the offset of the rb_node member is 0. This is currently the
case for `timerqueue_node`, but should this ever change,
`timerqueue_getnext()` will no longer work correctly on empty
timerqueues. To avoid this, switch to using `rb_entry_safe()`.
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
---
include/linux/timerqueue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.38.1
Comments
On Thu, Oct 27 2022 at 21:37, Barnabás Pőcze wrote: > When `timerqueue_getnext()` is called on an empty timerqueue > the returned rb_node pointer will be NULL. Using `rb_entry()` > on a potentially NULL pointer will only - coincidentally - work > if the offset of the rb_node member is 0. This is currently the > case for `timerqueue_node`, but should this ever change, > `timerqueue_getnext()` will no longer work correctly on empty > timerqueues. To avoid this, switch to using `rb_entry_safe()`. I agree with the change but not with the argumentation above. Whatever the current offset of node is does not matter at all, really. This is a blantant missing NULL pointer check which works by chance. So there is no weasel wording justfied about "coincidentally" and "might not longer work correctly". Just spell it out that this is a blantant bug and nothing else. Back then when that code got introduced rb_entry_safe() did not exist at all so it's even more obvious that this is simply a missing NULL pointer check, right? This also requires a Fixes: tag which flags the commit which introduces this bug. Thanks, tglx
Hi 2022. november 14., hétfő 1:17 keltezéssel, Thomas Gleixner írta: > On Thu, Oct 27 2022 at 21:37, Barnabás Pőcze wrote: > > > When `timerqueue_getnext()` is called on an empty timerqueue > > the returned rb_node pointer will be NULL. Using `rb_entry()` > > on a potentially NULL pointer will only - coincidentally - work > > if the offset of the rb_node member is 0. This is currently the > > case for `timerqueue_node`, but should this ever change, > > `timerqueue_getnext()` will no longer work correctly on empty > > timerqueues. To avoid this, switch to using `rb_entry_safe()`. > > I agree with the change but not with the argumentation above. > > Whatever the current offset of node is does not matter at all, > really. This is a blantant missing NULL pointer check which works by > chance. > > So there is no weasel wording justfied about "coincidentally" and "might > not longer work correctly". > > Just spell it out that this is a blantant bug and nothing else. I agree, I was just trying to describe why it has not caused any issues yet. Would this be better? When `timerqueue_getnext()` is called on an empty timer queue, it will use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using `rb_entry_safe()` which handles NULL pointers. This has not caused any issues so far because the offset of the `rb_node` member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op. > > Back then when that code got introduced rb_entry_safe() did not exist at > all so it's even more obvious that this is simply a missing NULL pointer > check, right? As far as I can tell it did exist and it was actually used when the offending change was committed (511885d7061e). > > This also requires a Fixes: tag which flags the commit which introduces > this bug. > > Thanks, > > tglx > Regards, Barnabás Pőcze
On Mon, Nov 14 2022 at 15:54, Barnabás Pőcze wrote: > 2022. november 14., hétfő 1:17 keltezéssel, Thomas Gleixner írta: >> On Thu, Oct 27 2022 at 21:37, Barnabás Pőcze wrote: > > When `timerqueue_getnext()` is called on an empty timer queue, it will > use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using > `rb_entry_safe()` which handles NULL pointers. > > This has not caused any issues so far because the offset of the `rb_node` > member in `timerqueue_node` is 0, so `rb_entry()` is essentially a > no-op. Yes. Very precise and informative. >> Back then when that code got introduced rb_entry_safe() did not exist at >> all so it's even more obvious that this is simply a missing NULL pointer >> check, right? > > As far as I can tell it did exist and it was actually used > when the offending change was committed (511885d7061e). Hmm. I must have messed up when searching in the history. Thanks, tglx
diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h index 93884086f392..adc80e29168e 100644 --- a/include/linux/timerqueue.h +++ b/include/linux/timerqueue.h @@ -35,7 +35,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head) { struct rb_node *leftmost = rb_first_cached(&head->rb_root); - return rb_entry(leftmost, struct timerqueue_node, node); + return rb_entry_safe(leftmost, struct timerqueue_node, node); } static inline void timerqueue_init(struct timerqueue_node *node)