From: Max Kellermann <max.kellermann@ionos.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Hugh Dickins <hughd@google.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org
Subject: Re: [PATCH] pipe_fs_i.h: add pipe_buf_init()
Date: Wed, 20 Sep 2023 00:39:16 +0200 [thread overview]
Message-ID: <CAKPOu+8F2fZerfaD=-w68p6Hw5EGdjWdzj8F9OYBcQx_ara22w@mail.gmail.com> (raw)
In-Reply-To: <20230919-deeskalation-hinsehen-3b6765180d71@brauner>
On Tue, Sep 19, 2023 at 4:16 PM Christian Brauner <brauner@kernel.org> wrote:
> You're changing how the code currently works which is written in a way
> that ensures all fields are initialized to zero. The fact that currently
> nothing looks at private is irrelevant.
Two callers were previously using a designated intiializer which
implicitly zero-initializes unmentioned fields; but that was not
intentional, but accidental. It is true that these two call sites are
changed, now omitting the implicit (and unintended) initializer. If
you consider this a problem, I'll re-add it to those two callers. But
adding the "private" initializer to the new function would also change
how the code currently works - fot the other callers.
It's only relevant if the "private" field is part of some API
contract. If that API contract is undocumented, we should add
documentation - what is it? I'll write documentation.
> Following your argument below this might very easily be the cause for
> another CVE when something starts looking at this.
When something starts looking at this, the API contract changes, and
this one function needs to be adjusted.
Without this function, there is not one function, but an arbitrary
number of redundant copies of this initializing code which all need to
be fixed. As I said, only two copies of those currently do initialize
"private", the others do not. Therefore, my patch is strictly an
improvement, and is safer against those alleged future CVEs, which is
the very goal of my patch.
> Wouldn't it make more sense to have the pipe_buf_init() initialize the
> whole thing and for the place where it leaves buf->private untouched you
> can just do:
Would it? I don't think so, but if you insist, I'll add it.
I prefer to leave "private" uninitialized unless there is a reason to
initialize it, for the reason I stated in my previous reply.
next prev parent reply other threads:[~2023-09-19 22:39 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-19 8:07 Max Kellermann
2023-09-19 13:45 ` Christian Brauner
2023-09-19 13:55 ` Max Kellermann
2023-09-19 14:16 ` Christian Brauner
2023-09-19 22:39 ` Max Kellermann [this message]
2023-09-19 21:40 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKPOu+8F2fZerfaD=-w68p6Hw5EGdjWdzj8F9OYBcQx_ara22w@mail.gmail.com' \
--to=max.kellermann@ionos.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=hughd@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox