Received: by 2002:a05:7208:13ca:b0:7f:395a:35b6 with SMTP id r10csp22635rbe; Wed, 28 Feb 2024 09:21:53 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXOTxKZzLjIFrU8mSqpIRv2vHKJlRSoSMrGnrFucRxyT9PxccwJquTJZTtqJRNNf5aEHuiW0cFaEzNK08sh9AOz9uPttEA00beefgygVg== X-Google-Smtp-Source: AGHT+IGC1rHExQe6WO5l+949cp8AwbmjoLfO1cgdSNdzuKSClXXyT3D+588WDByX1Zmo3AoFj+Af X-Received: by 2002:a05:6830:1247:b0:6e4:87b0:c091 with SMTP id s7-20020a056830124700b006e487b0c091mr208757otp.26.1709140912808; Wed, 28 Feb 2024 09:21:52 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709140912; cv=pass; d=google.com; s=arc-20160816; b=X268GhvXBj6KUM4IAfQwmdBj3QzhgI8HopF/8OTn5WpuQQ1NqsthGHFEv8uQZtYFdP 4Jq1LtkXMasVvsHNFJShblelvntx1XWxK22j7NL2nzZs0/OfYwaVsiiHMfF8VMU+Ixxs LU77K5Sr7IC/pPe59z9eKlm2oiaz3EYdZDdp9e4ZxWS3J8HLHXKL+kpRRz9DOuWxkMnR xplqRnNwSb3rTI+tqitjejtCaoVgLKyuh/EqJm8hyL0cBhBtNmY2QXU5MVSIl9P1hfqN oNynN/E3w2XtTgLgyv07eLwmvBjHqfOyav6fI85+CoZfFng6FLgoMTRnQw89gegZp10h AFCQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=W1bHapS5+5iN8in9GHCNPDr+SpYos985v6N2aaB8ggk=; fh=CCYyRM4hZerQyf2zI94pwgGxxt7CIxOE3fYNrv6Fw+A=; b=THxOD++cBSr91tVspou60UuawexQUERQdYWrMh0cfEeY7QkXdyk3da4kbrVH2GGuX6 01wFN/cflo5D8THjTBzof1dL09CkaVZfMGTI0oZ8sI0vMbX9rUt2gfXHHsoUyH4KkuaZ ozceSqkuY5LW1zhuyfUeZDv7M4EnhtVk5/nzKmeqpnsThX94xSsIJEiwGm852ymqXUlo gtt2VPbIh7qOnMWvEdFkPCHhfH9uhW7s15gltmwgX/kdzfIxf70fv+wk5TgPmGCb5rSN HmW3SZIcmJ59Vrlz9B+57KzArssavkByCMAI/OQuO0QNIAwwxoNfkkdUo5LsUhWG+K0v FuRQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Dv0OfJNd; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-85428-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85428-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id b184-20020a6367c1000000b005dcb4f1acc6si7853611pgc.176.2024.02.28.09.21.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Feb 2024 09:21:52 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-85428-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Dv0OfJNd; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-85428-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-85428-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 60868282151 for ; Wed, 28 Feb 2024 17:21:46 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 79CD915957C; Wed, 28 Feb 2024 17:21:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="Dv0OfJNd" Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AC1EB22EED for ; Wed, 28 Feb 2024 17:21:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709140896; cv=none; b=IfGB4qZknR1a6K5v7Kwho666EQEjx3U5XrQnuCEAFGmBpMz45T9M3v8YkaoBSjhkAsubPnEpuaLkqrWMikdA3CEVIwLKBgMHWqCxSosa+vZbYjPLnv3nsxEj3lc9tNbW47nmRlT3Beo4JhoZHv4sqX8Tu5diS2P5yMS52l7rEsE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709140896; c=relaxed/simple; bh=XM399Q8VLvXuDw5uzrGwivCMbFeJ4FieetH05IdWTBs=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Cso2JgkpGqeKx4FqpllS0jbN4kNU9rJyF8tr8TSHqMZ7LK6Df8DPKF3/Pg/oaMRa92lKcf9bRt9Zbd0JbAHGT3o7PbkSHpC2ofFTISt/KLsaTtvOtKEc+jLp/qPkJH5wF9E/u2fx5cPLv9zLe56pUw5M7A73OFNbu0mOGHbMn+4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=Dv0OfJNd; arc=none smtp.client-ip=209.85.210.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-6e4e7e25945so3363935b3a.1 for ; Wed, 28 Feb 2024 09:21:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709140894; x=1709745694; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=W1bHapS5+5iN8in9GHCNPDr+SpYos985v6N2aaB8ggk=; b=Dv0OfJNd0vjGvtw41wUvZJPEkqakxszi4xsSYKDq8yiapJgAOCmPm4J8os/LY5Z1ga 29m8v4MdT/04TpsqzLc2k/pFWm1SreFcjydJcdYat3/P2N/j5WnV3oW3YBnA0shtdbnU Acz84GK3WQceLojwLQUrIDSze1WWHLLhNRtPw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709140894; x=1709745694; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=W1bHapS5+5iN8in9GHCNPDr+SpYos985v6N2aaB8ggk=; b=SRpQDLOdtCo04BM1Qu0slWHF7GsAx+SweEcd+goXrecwH+2AAmOWxP/YWYRTz/wcPk LPWPa40hD6Ev4LpsSPnhBMC14VH6MokhNJzOAKSnwkxxbcQTudc2SRZRYq680Ei3yBr/ lEcuG76ugP7grpxpoXCwQNl4tvQQ9Y/T5Psp+0azqWDjXJEDjMJoADsUWiif6kcKzm2W mPS6o/HHP/s6Yt/8UATzAPZQXdhQExonIxttF8BudFvzXhvc3O7+izgAxaM0rDvgrhjQ JPcWftYsBmqw3LleztKwbJ4bQEAlyTSjaCE7QOjGbWs/7zZUQ24fN/TMToPlWfe8zlDP YV5Q== X-Forwarded-Encrypted: i=1; AJvYcCVYn6PMxV8s15ZD74P3Nyl32bqlgdjce5XfWgKgQy/EGVcsf97zkxrb69zE+esCErwmRYppqreURN4ZnCsw4UYGGtxyYG3C7EqkBAZf X-Gm-Message-State: AOJu0YyYsyvP8HP0iF4TmLzHMZKpiGVQyie/qq27OmEhoePw93NUFUW4 bfzcbpOULXfIjDF+MgnCXbPoZPDFzJL/siVL/eMfrmJncIj4Axx85HbD/DxhEQ== X-Received: by 2002:aa7:8650:0:b0:6e5:84f6:2a9e with SMTP id a16-20020aa78650000000b006e584f62a9emr91910pfo.31.1709140894116; Wed, 28 Feb 2024 09:21:34 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id it1-20020a056a00458100b006e583a649b4sm90257pfb.210.2024.02.28.09.21.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 28 Feb 2024 09:21:33 -0800 (PST) Date: Wed, 28 Feb 2024 09:21:33 -0800 From: Kees Cook To: Christophe Leroy Cc: "Edgecombe, Rick P" , "linux-s390@vger.kernel.org" , "linux-sh@vger.kernel.org" , "luto@kernel.org" , "dave.hansen@linux.intel.com" , "debug@rivosinc.com" , "akpm@linux-foundation.org" , "Liam.Howlett@oracle.com" , "mingo@redhat.com" , "linux-csky@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "tglx@linutronix.de" , "linux-mm@kvack.org" , "kirill.shutemov@linux.intel.com" , "linux-snps-arc@lists.infradead.org" , "linux-parisc@vger.kernel.org" , "loongarch@lists.linux.dev" , "hpa@zytor.com" , "peterz@infradead.org" , "sparclinux@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" , "bp@alien8.de" , "linux-alpha@vger.kernel.org" , "linux-mips@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , "broonie@kernel.org" , "x86@kernel.org" Subject: Re: [PATCH v2 5/9] mm: Initialize struct vm_unmapped_area_info Message-ID: <202402280912.33AEE7A9CF@keescook> References: <20240226190951.3240433-1-rick.p.edgecombe@intel.com> <20240226190951.3240433-6-rick.p.edgecombe@intel.com> <94a2b919-e03b-4ade-b13e-7774849dc02b@csgroup.eu> <202402271004.7145FDB53F@keescook> <8265f804-4540-4858-adc3-a09c11a677eb@csgroup.eu> <91384b505cb78b9d9b71ad58e037c1ed8dfb10d1.camel@intel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Wed, Feb 28, 2024 at 01:22:09PM +0000, Christophe Leroy wrote: > [...] > My worry with initialisation at declaration is it often hides missing > assignments. Let's take following simple exemple: > > char *colour(int num) > { > char *name; > > if (num == 0) { > name = "black"; > } else if (num == 1) { > name = "white"; > } else if (num == 2) { > } else { > name = "no colour"; > } > > return name; > } > > Here, GCC warns about a missing initialisation of variable 'name'. Sometimes. :( We build with -Wno-maybe-uninitialized because GCC gets this wrong too often. Also, like with large structs like this, all uninit warnings get suppressed if anything takes it by reference. So, if before your "return name" statement above, you had something like: do_something(&name); it won't warn with any option enabled. > But if I declare it as > > char *name = "no colour"; > > Then GCC won't warn anymore that we are missing a value for when num is 2. > > During my life I have so many times spent huge amount of time > investigating issues and bugs due to missing assignments that were going > undetected due to default initialisation at declaration. I totally understand. If the "uninitialized" warnings were actually reliable, I would agree. I look at it this way: - initializations can be missed either in static initializers or via run time initializers. (So the risk of mistake here is matched -- though I'd argue it's easier to *find* static initializers when adding new struct members.) - uninitialized warnings are inconsistent (this becomes an unknown risk) - when a run time initializer is missed, the contents are whatever was on the stack (high risk) - what a static initializer is missed, the content is 0 (low risk) I think unambiguous state (always 0) is significantly more important for the safety of the system as a whole. Yes, individual cases maybe bad ("what uid should this be? root?!") but from a general memory safety perspective the value doesn't become potentially influenced by order of operations, leftover stack memory, etc. I'd agree, lifting everything into a static initializer does seem cleanest of all the choices. -Kees -- Kees Cook