Received: by 2002:ab2:3141:0:b0:1ed:23cc:44d1 with SMTP id i1csp655151lqg; Fri, 1 Mar 2024 17:51:34 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXdD2uVDPBUlc+6kolXlovJFNaOknEAchUR5v3q+Lz8Ov4HOLNZjUNQz1Hq1L3MY0RFF0W5/B+fw5/aY7O7gkgyPbtfFq8ZQD8VwyB5eA== X-Google-Smtp-Source: AGHT+IEmuKyzm0060ycF/LpeswDiWPZe0GWqJ0LcdV2wmUXzCGigHTVJiQXmUJ99PL4bKXZGE8Yx X-Received: by 2002:a05:6870:f21f:b0:220:d34d:8b3e with SMTP id t31-20020a056870f21f00b00220d34d8b3emr1743482oao.45.1709344294485; Fri, 01 Mar 2024 17:51:34 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709344294; cv=pass; d=google.com; s=arc-20160816; b=XEgcPt+CEm2Jq/NubmPE5giBX95Pp0og4b/QtmKU5jMpoQUR7HLIjT99YqKlKE36L/ IYSmeySKxifmZb8cE7WP31XgNB6VaTK5U3k+BmdrMxb9YAUfxXN386N7Glu/BDP6CpXC EREX/tqOMlQUi4jJg8NtCeViDrlE9B7KAYrLwnBt6MPSUhdIyQW4cMBvLgdHF81gogIa cYBp5miKlHeGHeyuyPmZ4icthOdMwq8tkdmQkvk9qng7DE3DAMglQ9lUKdBHKFmMduNJ STMY+RqlA2heCuC1Yn9X1xAX5kNxH+r+XcoO/RX4Mik6Cf6RXSDK6HTli9+Rvn5vphGY nJTg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=1JOHRODJmattJBY3YtQ+51tfBSOEI55kux6+SckPNNk=; fh=HCL4Q+5zPH8mBHiYXimmteZKwYZ23CMuOgX3bMYFnQM=; b=GRXTOHLI5wNgbzJVMWfuXEhLkQSNv1k0C0dl56tXS0Ajpt4vTRBmsK9iLWiDBedv4q SM9QoXva9Jbtxi2v08Y7NutCD8UKzdForOvJOh8jRJLhVfHZj0CsMkRHZvm8wNtIORL8 BB4YJrhQ6ubmoTeiLdthqMFII5vXvj4FDFO2czCTlKUfcaFA0XkXwHANb8ya+0XThVwu jpvebjztp40y74rmsI5SGgLbCcNEeKg8ourTHWWLXn4X0TgymFVqJNX1WyxWbkxBLVUo XXQSrChIyKOrrv679r0UnLmromoKnPSNy22vew4JxZz0s1s1HNlCOyBdMngH4tAuB/em cf+g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=TIc1hC1B; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-89303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-89303-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id c16-20020ac87d90000000b0042ed87479f2si708798qtd.592.2024.03.01.17.51.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Mar 2024 17:51:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-89303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=TIc1hC1B; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-89303-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-89303-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id D9D8F1C215F0 for ; Sat, 2 Mar 2024 01:51:31 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 91ACC7462; Sat, 2 Mar 2024 01:51:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="TIc1hC1B" Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E352BC8FF for ; Sat, 2 Mar 2024 01:51:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.175 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709344271; cv=none; b=iN21llWYanXQgN+yerFXKrmDKRDV5EHGOTYhJBKyVuVCtZ8686tNbOzhguYSqj5mpaaoIYJWwBBgH+TfiaKI/cT8ZOBY9jvoYkc+H8DBcCd+0g20ZsLD0k3w+jn+ZsxiO8ny+9V2LIBqdOhOkLPfDfOaMsFkQ+7mKFUalVO8GbE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709344271; c=relaxed/simple; bh=/8oSmkPc0IaP5CM6+fKqf9jvC9DwK8RXxd3zPN60QIw=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=tTvt9NzdZYaqDy1HBpP0ZMUmeU3wyhb2kexzrpizgf1Q6gagNN2cnEpwCR/EbADhQjTP+NHOU+KAFZhZeXN3r7Fvn8JNMB8K4m4OWiMaurnVQGHdQGbKlS5jkDVRit0r0+ummEoCP3dszezeYtxjjKpq8dm5jODJ4r6Ddad/YxI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=TIc1hC1B; arc=none smtp.client-ip=209.85.210.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-6da9c834646so2390172b3a.3 for ; Fri, 01 Mar 2024 17:51:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709344269; x=1709949069; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=1JOHRODJmattJBY3YtQ+51tfBSOEI55kux6+SckPNNk=; b=TIc1hC1BaG2C6O48gHCVwqAMREqybRwL/38QZkQjs8birZpqFdZpqCIImbYMYW7Eiv jRPIv6GZBhjfsVtfypwxiChRkpef7DVwQMyj5nOOLNLueAgFL8DiRBb4+OjSwCy83w58 nhEfdX/lBy3gXtmcU7KGWUmYplpKX5RVOBkGM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709344269; x=1709949069; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=1JOHRODJmattJBY3YtQ+51tfBSOEI55kux6+SckPNNk=; b=o0H9NbZwsTE94e8TAnRGZqp9fBdejTGTtC1LxEonK6Gn96zK0K5a/Xeny0wfeQI7jS yi6LOVzTotJ6UKkhhEgA1X6mCnZ2nKxYIgAs9OZwIGDcIdnGGzLo+8acEYB3ETbEUv0a hf5Ye53ianxumChwacDWRuEumvwf7A4+5n2S8qUqnxGilDbk+IAI7EmLX31rYLhyZDpD SMnFvfdfAntPpzgjYXqcnMPURh4kkQ5CtFY8yiP66WB6i8rVpDC/sVLP5dOeL0uqos2o d0crsb5pmJYwO6nhft38PEm6J/itNSnf6NP9aF1gHf78PmG/5V3opDy+PyMkA8CeVSfJ LpCA== X-Forwarded-Encrypted: i=1; AJvYcCXPsKmVymDCOaG/xt2rORiyp57hCNb8H+54fWwP0U9QKsxGwoiu7zxdfYwlT26LP3BNvT40R8NJ6mPhJA1onmRp7p1fnXSIJiIcbRtx X-Gm-Message-State: AOJu0YyMDJwA9vX/aACvuJjgt5lU9vlE0/4xfWcBQgFA93MQ03+W1tz+ de9aFPPOiXmDILUJSue/aLeVs852igVoq1gnGi0RFsd3NIPLiqQW2/U1G7Q4Fg== X-Received: by 2002:a05:6a20:e11f:b0:1a0:ef1e:a5a7 with SMTP id kr31-20020a056a20e11f00b001a0ef1ea5a7mr3447528pzb.4.1709344269211; Fri, 01 Mar 2024 17:51:09 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id rm12-20020a17090b3ecc00b002993f72ed02sm3845854pjb.34.2024.03.01.17.51.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Mar 2024 17:51:08 -0800 (PST) Date: Fri, 1 Mar 2024 17:51:08 -0800 From: Kees Cook To: "Edgecombe, Rick P" Cc: "christophe.leroy@csgroup.eu" , "linux-kernel@vger.kernel.org" , "x86@kernel.org" , "luto@kernel.org" , "dave.hansen@linux.intel.com" , "debug@rivosinc.com" , "akpm@linux-foundation.org" , "linux-sh@vger.kernel.org" , "linux-csky@vger.kernel.org" , "mingo@redhat.com" , "kirill.shutemov@linux.intel.com" , "tglx@linutronix.de" , "linux-parisc@vger.kernel.org" , "loongarch@lists.linux.dev" , "linux-mm@kvack.org" , "linux-snps-arc@lists.infradead.org" , "Liam.Howlett@oracle.com" , "hpa@zytor.com" , "peterz@infradead.org" , "linuxppc-dev@lists.ozlabs.org" , "bp@alien8.de" , "linux-s390@vger.kernel.org" , "linux-alpha@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" , "linux-mips@vger.kernel.org" , "sparclinux@vger.kernel.org" , "broonie@kernel.org" Subject: Re: [PATCH v2 5/9] mm: Initialize struct vm_unmapped_area_info Message-ID: <202403011747.9ECFAD060B@keescook> References: <20240226190951.3240433-1-rick.p.edgecombe@intel.com> <20240226190951.3240433-6-rick.p.edgecombe@intel.com> <94a2b919-e03b-4ade-b13e-7774849dc02b@csgroup.eu> <202402271004.7145FDB53F@keescook> <8265f804-4540-4858-adc3-a09c11a677eb@csgroup.eu> <91384b505cb78b9d9b71ad58e037c1ed8dfb10d1.camel@intel.com> <202402280912.33AEE7A9CF@keescook> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Sat, Mar 02, 2024 at 12:47:08AM +0000, Edgecombe, Rick P wrote: > On Wed, 2024-02-28 at 09:21 -0800, Kees Cook wrote: > > I totally understand. If the "uninitialized" warnings were actually > > reliable, I would agree. I look at it this way: > > > > - initializations can be missed either in static initializers or via > > ? run time initializers. (So the risk of mistake here is matched -- > > ? though I'd argue it's easier to *find* static initializers when > > adding > > ? new struct members.) > > - uninitialized warnings are inconsistent (this becomes an unknown > > risk) > > - when a run time initializer is missed, the contents are whatever > > was > > ? on the stack (high risk) > > - what a static initializer is missed, the content is 0 (low risk) > > > > I think unambiguous state (always 0) is significantly more important > > for > > the safety of the system as a whole. Yes, individual cases maybe bad > > ("what uid should this be? root?!") but from a general memory safety > > perspective the value doesn't become potentially influenced by order > > of > > operations, leftover stack memory, etc. > > > > I'd agree, lifting everything into a static initializer does seem > > cleanest of all the choices. > > Hi Kees, > > Well, I just gave this a try. It is giving me flashbacks of when I last > had to do a tree wide change that I couldn't fully test and the > breakage was caught by Linus. Yeah, testing isn't fun for these kinds of things. This is traditionally why the "obviously correct" changes tend to have an easier time landing (i.e. adding "= {}" to all of them). > Could you let me know if you think this is additionally worthwhile > cleanup outside of the guard gap improvements of this series? Because I > was thinking a more cowardly approach could be a new vm_unmapped_area() > variant that takes the new start gap member as a separate argument > outside of struct vm_unmapped_area_info. It would be kind of strange to > keep them separate, but it would be less likely to bump something. I think you want a new member -- AIUI, that's what that struct is for. Looking at this resulting set of patches, I do kinda think just adding the "= {}" in a single patch is more sensible. Having to split things that are know at the top of the function from the stuff known at the existing initialization time is rather awkward. Personally, I think a single patch that sets "= {}" for all of them and drop the all the "= 0" or "= NULL" assignments would be the cleanest way to go. -Kees -- Kees Cook