[PATCH] kfifo: overflow of unsigned integer

[PATCH] kfifo: overflow of unsigned integer

[Cong WANG]

Kfifo is a ring-buffer in kernel which can be used as a lock-free way
for concurrent read/write when there are only one producer and one
consumer. Details of its design can be found in kernel/kfifo.c and
include/linux/kfifo.h.

You will find that the 'in' and 'out' fields of 'struct kfifo' are
both represented as 'unsigned int' and in most cases 'in' is larger
than 'out' and their difference will NOT be  over 'size'.

Now the problem is that 'in' will be *smaller* than 'out' when 'in'
overflows and 'out' doesn't (Yes, this may occur quietly.). This is
NOT what we expect, though it may not cause any serious problems if we
carefully use kfifo*() functions. And this is really a bug. This bug
affects the kernel since version 2.6.10. I have tested this patch on
x86 machines.

Signed-off-by: WANG Cong  <xiyou.wangcong@gmail.com>

---

--- kernel/kfifo.c.orig	2007-02-07 19:42:51.000000000 +0800
+++ kernel/kfifo.c	2007-02-07 19:43:31.000000000 +0800
@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/err.h>
 #include <linux/kfifo.h>
+#include <linux/compiler.h>

 /**
  * kfifo_init - allocates a new FIFO using a preallocated buffer
@@ -120,6 +121,12 @@ unsigned int __kfifo_put(struct kfifo *f
 {
 	unsigned int l;

+	/*If only fifo->in overflows, let both overflow!*/
+	if (unlikely(fifo->in < fifo->out)) {
+		fifo->out += fifo->size;
+		fifo->in  += fifo->size;
+	}
+
 	len = min(len, fifo->size - fifo->in + fifo->out);

 	/*
@@ -166,6 +173,12 @@ unsigned int __kfifo_get(struct kfifo *f
 {
 	unsigned int l;

+	/*If only fifo->in overflows, let both overflow!*/
+	if (unlikely(fifo->in < fifo->out)) {
+		fifo->out += fifo->size;
+		fifo->in  += fifo->size;
+	}
+
 	len = min(len, fifo->in - fifo->out);

 	/*

Re: [PATCH] kfifo: overflow of unsigned integer

[Andrew Morton]

On Thu, 8 Feb 2007 17:07:28 +0800 "Cong WANG" <xiyou.wangcong@gmail.com> wrote:

> Kfifo is a ring-buffer in kernel which can be used as a lock-free way
> for concurrent read/write when there are only one producer and one
> consumer. Details of its design can be found in kernel/kfifo.c and
> include/linux/kfifo.h.
> 
> You will find that the 'in' and 'out' fields of 'struct kfifo' are
> both represented as 'unsigned int' and in most cases 'in' is larger
> than 'out' and their difference will NOT be  over 'size'.
> 
> Now the problem is that 'in' will be *smaller* than 'out' when 'in'
> overflows and 'out' doesn't (Yes, this may occur quietly.). This is
> NOT what we expect, though it may not cause any serious problems if we
> carefully use kfifo*() functions. And this is really a bug.

You seem to be saying that it's not a bug, but it's a bug.

Exactly what goes wrong?

> This bug
> affects the kernel since version 2.6.10. I have tested this patch on
> x86 machines.
> 
> Signed-off-by: WANG Cong  <xiyou.wangcong@gmail.com>
> 
> ---
> 
> --- kernel/kfifo.c.orig	2007-02-07 19:42:51.000000000 +0800
> +++ kernel/kfifo.c	2007-02-07 19:43:31.000000000 +0800
> @@ -24,6 +24,7 @@
>  #include <linux/slab.h>
>  #include <linux/err.h>
>  #include <linux/kfifo.h>
> +#include <linux/compiler.h>
> 
>  /**
>   * kfifo_init - allocates a new FIFO using a preallocated buffer
> @@ -120,6 +121,12 @@ unsigned int __kfifo_put(struct kfifo *f
>  {
>  	unsigned int l;
> 
> +	/*If only fifo->in overflows, let both overflow!*/
> +	if (unlikely(fifo->in < fifo->out)) {
> +		fifo->out += fifo->size;
> +		fifo->in  += fifo->size;
> +	}
> +

hm.   That would indicate that there's a problem elsewhere in the logic.

Re: [PATCH] kfifo: overflow of unsigned integer

[Cong WANG]

2007/2/9, Andrew Morton <akpm@linux-foundation.org>:
> On Thu, 8 Feb 2007 20:16:55 +0800 "Cong WANG" <xiyou.wangcong@gmail.com> wrote:
>
> > 2007/2/8, Andrew Morton <akpm@linux-foundation.org>:
> > > On Thu, 8 Feb 2007 17:07:28 +0800 "Cong WANG" <xiyou.wangcong@gmail.com> wrote:
> > >
> > > > Kfifo is a ring-buffer in kernel which can be used as a lock-free way
> > > > for concurrent read/write when there are only one producer and one
> > > > consumer. Details of its design can be found in kernel/kfifo.c and
> > > > include/linux/kfifo.h.
> > > >
> > > > You will find that the 'in' and 'out' fields of 'struct kfifo' are
> > > > both represented as 'unsigned int' and in most cases 'in' is larger
> > > > than 'out' and their difference will NOT be  over 'size'.
> > > >
> > > > Now the problem is that 'in' will be *smaller* than 'out' when 'in'
> > > > overflows and 'out' doesn't (Yes, this may occur quietly.). This is
> > > > NOT what we expect, though it may not cause any serious problems if we
> > > > carefully use kfifo*() functions. And this is really a bug.
> > >
> > > You seem to be saying that it's not a bug, but it's a bug.
> > >
> > > Exactly what goes wrong?
> >
> > I wrote a module on my machine to test this bug. And when the overflow
> > occurs, I cann't put any data into the fifo even though it is not
> > full.
>
> Why did you remove the mailing list?  Please don't do that.

Sorry. I used the poor 'reply'.

>
> I can't find any bug.
>
> I converted the code so that it'll run in userspace:
>
> http://userweb.kernel.org/~akpm/kfifo.c
> http://userweb.kernel.org/~akpm/kfifo.h
>
> Please see if you can reproduce the problem with that setup and then let's
> see if we can understand what's going on, and fix it.
>
>

Thanks for your work. And you are right.

I think the OLD /proc API which I used in my module confused my eyes.
I got completely lost by that. OLD /proc API is very bad, isn't it?

BTW, can you tell me which way do you use to exchange information
between user-space and kernel-space when debugging the kernel?

Thanks again! And have a nice day!