From: Zi Yan <ziy@nvidia.com>
To: Ethan Carter Edwards <ethan@ethancedwards.com>
Cc: Hugh Dickins <hughd@google.com>,
Baolin Wang <baolin.wang@linux.alibaba.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] mm/shmem: fix uninitialized scalar variable
Date: Sat, 01 Mar 2025 12:05:36 -0500
Message-ID: <B024C29C-96D4-4F92-B2EF-F01CB06B27DF@nvidia.com>
In-Reply-To: <20250301-entry_order_uninit-v1-1-3543b4e3fb28@ethancedwards.com>
On 1 Mar 2025, at 11:57, Ethan Carter Edwards wrote:
> int entry_order has the possibility of being uninitialized when
> returning. Initializing it to zero at declaration appeases Coverity and
> reduces risk of returning nonsense.
How come?
After entry_order is declared, for (;;) begins. The first branch
is "if (!xa_is_value(old) || swp_to_radix_entry(swap) != old)"; in
the then case, xas_set_err(&xas, -EEXIST) is called, which makes
"if (!xas_nomem(&xas, gfp))" at the end of the for loop break.
Then "if (xas_error(&xas))" will return -EEXIST. If the first then branch
is not taken, entry_order is assigned xas_get_order(&xas).
Which code path would make entry_order uninitialized?
Thanks.
>
> Closes: https://scan7.scan.coverity.com/#/project-view/53698/11354?selectedIssue=1637878
> Fixes: 6dbc440b79b6 ("mm/shmem: use xas_try_split() in shmem_split_large_entry()")
> Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com>
> ---
> mm/shmem.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index d19d33e98320d5e0ccbc86616bb3ea30d29f0cc1..3718c71aba9304dd3ca8df137a19e0564b8aadb2 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2153,7 +2153,8 @@ static int shmem_split_large_entry(struct inode *inode, pgoff_t index,
> {
> struct address_space *mapping = inode->i_mapping;
> XA_STATE_ORDER(xas, &mapping->i_pages, index, 0);
> - int split_order = 0, entry_order;
> + int split_order = 0;
> + int entry_order = 0;
> int i;
>
> /* Convert user data gfp flags to xarray node gfp flags */
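Review bot: the justification for this hunk does not identify the path on which entry_order is read before being assigned, and the reply above argues there is none (each iteration either records -EEXIST and breaks out to the xas_error() return, or assigns xas_get_order()); the commit message should either name the concrete path or state plainly that the change only silences the Coverity finding. Worth noting in that message as well: 0 is a valid order, so if a real missing assignment did exist, `int entry_order = 0;` would mask it as a silent order-0 split rather than surface it. Minor style point: keeping the original single declaration as `int split_order = 0, entry_order = 0;` would be a one-line change instead of splitting it across two lines.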
>
> ---
> base-commit: c0eb65494e59d9834af7cbad983629e9017b25a1
> change-id: 20250301-entry_order_uninit-129251b1ac9f
>
> Best regards,
> --
> Ethan Carter Edwards <ethan@ethancedwards.com>
--
Best Regards,
Yan, Zi