RE: [PATCH net] genetlink: Fix an error handling path in ctrl_dumppolicy_start()

From: Keller, Jacob E
Date: Mon Dec 12 2022 - 16:24:03 EST

> -----Original Message-----
> From: Jakub Kicinski <kuba@xxxxxxxxxx>
> Sent: Monday, December 12, 2022 1:10 PM
> To: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
> Cc: David S. Miller <davem@xxxxxxxxxxxxx>; Eric Dumazet
> <edumazet@xxxxxxxxxx>; Paolo Abeni <pabeni@xxxxxxxxxx>; Keller, Jacob E
> <jacob.e.keller@xxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx; kernel-
> janitors@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH net] genetlink: Fix an error handling path in
> ctrl_dumppolicy_start()
>
> On Mon, 12 Dec 2022 22:03:06 +0100 Christophe JAILLET wrote:
> > If this memory allocation fails, some resources need to be freed.
> > Add the missing goto to the error handling path.
> >
> > Fixes: b502b3185cd6 ("genetlink: use iterator in the op to policy map dumping")
> > Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
> > ---
> > This patch is speculative.
> >
> > This function is a callback and I don't know how the core works and handles
> > such situation, so review with care!
>
> It's fine, the function has pretty much two completely separate paths.
> Dump all ops and dump a single op.
> Anything that allocs state before this point is on the single op path,
> while the iterator is only allocated for dump all.
> This should be evident from the return 0; at the end of the
> if (tb[CTRL_ATTR_OP])
>
> > Moreover, should this kmalloc() be a kzalloc()?
> > genl_op_iter_init() below does not initialize all fields, but they are maybe
> > set correctly before use.

I personally prefer using kzalloc even if we know it's not necessary, except in cases where performance of the allocation matters. It helps reduce the burden of review, as one doesn't need to think "was this initialized?", at least for the problem of leaking kernel internals.

I know there are also some tools like UBSAN and others which might be able to detect access to uninitialized memory, but I am not sure if they're capable enough at present to handle memory returned by kmalloc or not. If they are, then there could be an advantage in detecting cases where you did fully expect initialization to be done.

>
> It's fine, op_iters are put on the stack without initializing, iter
> init must (and currently does) work without depending on zeroed memory.

The above said, I think the analysis here is correct and that kmalloc is ok here.

Thanks,
Jake