Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()

Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()

[Markus Elfring]

> This code calls brelse(bh) and then dereferences "bh" on the next line
> resulting in a possible use after free.

There is an unfortunate function call sequence.


> The brelse() should just be moved down a line.

How do you think about a wording variant like the following?

   Thus move a call of the function “brelse” one line down.


Would you like to omit a word from the patch subject so that
a typo will be avoided there?

Regards,
Markus

Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()

[Matthew Wilcox]

On Mon, Jun 08, 2020 at 05:07:33PM +0200, Markus Elfring wrote:
> > This code calls brelse(bh) and then dereferences "bh" on the next line
> > resulting in a possible use after free.
> 
> There is an unfortunate function call sequence.
> 
> 
> > The brelse() should just be moved down a line.
> 
> How do you think about a wording variant like the following?
> 
>    Thus move a call of the function “brelse” one line down.
> 
> 
> Would you like to omit a word from the patch subject so that
> a typo will be avoided there?

Markus, please go away.  This comment is entirely unhelpful.

Re: exfat: Fix use after free in exfat_load_upcase_table()

[Markus Elfring]

>>> The brelse() should just be moved down a line.
>>
>> How do you think about a wording variant like the following?
>>
>>    Thus move a call of the function “brelse” one line down.
>>
>>
>> Would you like to omit a word from the patch subject so that
>> a typo will be avoided there?
>
> Markus, please go away.  This comment is entirely unhelpful.

I hope that other contributors can get also more positive impressions
(as it happened before).

Regards,
Markus

Re: [PATCH] exfat: Fix use after free in exfat_load_upcase_table()

[Greg KH]

On Mon, Jun 08, 2020 at 05:07:33PM +0200, Markus Elfring wrote:
> > This code calls brelse(bh) and then dereferences "bh" on the next line
> > resulting in a possible use after free.
> 
> There is an unfortunate function call sequence.
> 
> 
> > The brelse() should just be moved down a line.
> 
> How do you think about a wording variant like the following?
> 
>    Thus move a call of the function “brelse” one line down.
> 
> 
> Would you like to omit a word from the patch subject so that
> a typo will be avoided there?

Hi,

This is the semi-friendly patch-bot of Greg Kroah-Hartman.

Markus, you seem to have sent a nonsensical or otherwise pointless
review comment to a patch submission on a Linux kernel developer mailing
list.  I strongly suggest that you not do this anymore.  Please do not
bother developers who are actively working to produce patches and
features with comments that, in the end, are a waste of time.

Patch submitter, please ignore Markus's suggestion; you do not need to
follow it at all.  The person/bot/AI that sent it is being ignored by
almost all Linux kernel maintainers for having a persistent pattern of
behavior of producing distracting and pointless commentary, and
inability to adapt to feedback.  Please feel free to also ignore emails
from them.

thanks,

greg k-h's patch email bot

Re: exfat: Improving exception handling in two functions

[Markus Elfring]

Hello,

I have taken another look at pointer usage after calls of the function “brelse”.
My source code analysis approach pointed implementation details
like the following out for further software development considerations.
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/exfat/namei.c?id=3d155ae4358baf4831609c2f9cd09396a2b8badf#n1078

…
		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
			&sector_old);
		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
			&sector_new);
		if (!epold || !epnew)
			return -EIO;
…

I suggest to split such an error check.
How do you think about to release a buffer head object for the desired
exception handling if one of these function calls succeeded?

Would you like to adjust such code in the functions “exfat_rename_file”
and “exfat_move_file”?

Regards,
Markus

[PATCH] exfat: call brelse() on error path

[Dan Carpenter]

If the second exfat_get_dentry() call fails then we need to release
"old_bh" before returning.

Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 fs/exfat/namei.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 5b0f35329d63e..fda92c824ff11 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -1077,10 +1077,14 @@ static int exfat_rename_file(struct inode *inode, struct exfat_chain *p_dir,
 
 		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
 			&sector_old);
+		if (!epold)
+			return -EIO;
 		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
 			&sector_new);
-		if (!epold || !epnew)
+		if (!epnew) {
+			brelse(old_bh);
 			return -EIO;
+		}
 
 		memcpy(epnew, epold, DENTRY_SIZE);
 		exfat_update_bh(sb, new_bh, sync);
-- 
2.26.2

Re: [PATCH] exfat: call brelse() on error path

[Markus Elfring]

> If the second exfat_get_dentry() call fails then we need to release
> "old_bh" before returning.

Thanks you picked a bit of information up from my source code analysis
for a possible adjustment of the function “exfat_rename_file”.

exfat: Improving exception handling in two functions
https://lore.kernel.org/linux-fsdevel/208cba7b-e535-c8e0-5ac7-f15170117a7f@web.de/
https://lkml.org/lkml/2020/6/10/272

Would you like to adjust the implementation of the function “exfat_move_file”
in a similar way in a subsequent patch variant?

Regards,
Markus

Re: exfat: Improving exception handling in two functions

[Markus Elfring]

> My source code analysis approach pointed implementation details
> like the following out for further software development considerations.

The clarification of corresponding collateral evolution will be continued
with the update suggestion “exfat: call brelse() on error path”.
https://lore.kernel.org/linux-fsdevel/20200610095934.GA35167@mwanda/
https://lore.kernel.org/patchwork/patch/1254515/

Regards,
Markus

Re: exfat: Improving exception handling in two functions

[Greg KH]

On Wed, Jun 10, 2020 at 11:27:58AM +0200, Markus Elfring wrote:
> Hello,
> 
> I have taken another look at pointer usage after calls of the function “brelse”.
> My source code analysis approach pointed implementation details
> like the following out for further software development considerations.
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/exfat/namei.c?id=155ae4358baf4831609c2f9cd09396a2b8badf#n1078
> 
> …
> 		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
> 			&sector_old);
> 		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
> 			&sector_new);
> 		if (!epold || !epnew)
> 			return -EIO;
> …
> 
> I suggest to split such an error check.
> How do you think about to release a buffer head object for the desired
> exception handling if one of these function calls succeeded?
> 
> Would you like to adjust such code in the functions “exfat_rename_file”
> and “exfat_move_file”?
> 
> Regards,
> Markus

Hi,

This is the semi-friendly patch-bot of Greg Kroah-Hartman.

Markus, you seem to have sent a nonsensical or otherwise pointless
review comment to a patch submission on a Linux kernel developer mailing
list.  I strongly suggest that you not do this anymore.  Please do not
bother developers who are actively working to produce patches and
features with comments that, in the end, are a waste of time.

Patch submitter, please ignore Markus's suggestion; you do not need to
follow it at all.  The person/bot/AI that sent it is being ignored by
almost all Linux kernel maintainers for having a persistent pattern of
behavior of producing distracting and pointless commentary, and
inability to adapt to feedback.  Please feel free to also ignore emails
from them.

thanks,

greg k-h's patch email bot

[PATCH v2] exfat: add missing brelse() calls on error paths

[Dan Carpenter]

If the second exfat_get_dentry() call fails then we need to release
"old_bh" before returning.  There is a similar bug in exfat_move_file().

Fixes: 5f2aa075070c ("exfat: add inode operations")
Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix exfat_move_file() as well.  Also add a Fixes tag.

 fs/exfat/namei.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
index 5b0f35329d63e..edd8023865a0e 100644
--- a/fs/exfat/namei.c
+++ b/fs/exfat/namei.c
@@ -1077,10 +1077,14 @@ static int exfat_rename_file(struct inode *inode, struct exfat_chain *p_dir,
 
 		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
 			&sector_old);
+		if (!epold)
+			return -EIO;
 		epnew = exfat_get_dentry(sb, p_dir, newentry + 1, &new_bh,
 			&sector_new);
-		if (!epold || !epnew)
+		if (!epnew) {
+			brelse(old_bh);
 			return -EIO;
+		}
 
 		memcpy(epnew, epold, DENTRY_SIZE);
 		exfat_update_bh(sb, new_bh, sync);
@@ -1161,10 +1165,14 @@ static int exfat_move_file(struct inode *inode, struct exfat_chain *p_olddir,
 
 	epmov = exfat_get_dentry(sb, p_olddir, oldentry + 1, &mov_bh,
 		&sector_mov);
+	if (!epmov)
+		return -EIO;
 	epnew = exfat_get_dentry(sb, p_newdir, newentry + 1, &new_bh,
 		&sector_new);
-	if (!epmov || !epnew)
+	if (!epnew) {
+		brelse(mov_bh);
 		return -EIO;
+	}
 
 	memcpy(epnew, epmov, DENTRY_SIZE);
 	exfat_update_bh(sb, new_bh, IS_DIRSYNC(inode));
-- 
2.26.2

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Markus Elfring]

> If the second exfat_get_dentry() call fails then we need to release
> "old_bh" before returning.  There is a similar bug in exfat_move_file().

Would you like to convert any information from this change description
into an imperative wording?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id[14671be58d0084e7e2d1cc9c2c36a94467f6e0#n151

Regards,
Markus

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Dan Carpenter]

On Wed, Jun 10, 2020 at 08:12:46PM +0200, Markus Elfring wrote:
> > If the second exfat_get_dentry() call fails then we need to release
> > "old_bh" before returning.  There is a similar bug in exfat_move_file().
> 
> Would you like to convert any information from this change description
> into an imperative wording?
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id[14671be58d0084e7e2d1cc9c2c36a94467f6e0#n151

I really feel like imperative doesn't add anything.  I understand that
some people feel really strongly about it, but I don't know why.  It
doesn't make commit messages more understandable.

The important thing is that the problem is clear, the fix is clear and
the runtime impact is clear.

regards,
dan carpenter

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Markus Elfring]

>>> If the second exfat_get_dentry() call fails then we need to release
>>> "old_bh" before returning.  There is a similar bug in exfat_move_file().
>>
>> Would you like to convert any information from this change description
>> into an imperative wording?
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=5b14671be58d0084e7e2d1cc9c2c36a94467f6e0#n151
>
> I really feel like imperative doesn't add anything.  I understand that
> some people feel really strongly about it, but I don't know why.  It
> doesn't make commit messages more understandable.

Do you insist to deviate from the given guideline?


> The important thing is that the problem is clear, the fix is clear and
> the runtime impact is clear.

I have got further ideas to improve also this commit message.
I am curious if other contributors would like to add another bit of
patch review.

Regards,
Markus

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Matthew Wilcox]

On Wed, Jun 10, 2020 at 08:56:26PM +0200, Markus Elfring wrote:
> >>> If the second exfat_get_dentry() call fails then we need to release
> >>> "old_bh" before returning.  There is a similar bug in exfat_move_file().
> >>
> >> Would you like to convert any information from this change description
> >> into an imperative wording?
> >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id[14671be58d0084e7e2d1cc9c2c36a94467f6e0#n151
> >
> > I really feel like imperative doesn't add anything.  I understand that
> > some people feel really strongly about it, but I don't know why.  It
> > doesn't make commit messages more understandable.
> 
> Do you insist to deviate from the given guideline?
> 
> 
> > The important thing is that the problem is clear, the fix is clear and
> > the runtime impact is clear.
> 
> I have got further ideas to improve also this commit message.
> I am curious if other contributors would like to add another bit of
> patch review.

You're nitpicking commit messages.  This is exactly the kind of thing
which drives people away.  Dan's commit message is fine.

It's actually hilarious because your emails are so unclear that I
can't understand them.  I have no idea what "collateral evolution"
means and yet you use it in almost every email.  Why can't you use the
same terminology the rest of us use?

Re: exfat: add missing brelse() calls on error paths

[Markus Elfring]

> You're nitpicking commit messages.

I am occasionally trying to achieve corresponding improvements.


> This is exactly the kind of thing which drives people away.

Would you like to follow official patch process documentation?


> Dan's commit message is fine.

I have got the impression that he indicates another deviation from
a well-known requirement. I am curious under which circumstances
such a patch review concern will be taken into account finally.


> It's actually hilarious because your emails are so unclear that I
> can't understand them.

I find such feedback surprising and interesting.
I hope that we can reduce understanding difficulties together.


> I have no idea what "collateral evolution" means

This term expresses the situation that a single change can trigger
further changes.

Examples for programmers:
A)
* You add an argument to an used function.
* How many function calls will need related adjustments?

B)
* Some function calls can fail.
* How do you think about to complete error detection and the
  corresponding exception handling?


> and yet you use it in almost every email.

You exaggerate here.


> Why can't you use the same terminology the rest of us use?

I got also used to some wording approaches.
Which terminology variation do you prefer?

Regards,
Markus

RE: [PATCH v2] exfat: add missing brelse() calls on error paths

[Namjae Jeon]

> If the second exfat_get_dentry() call fails then we need to release "old_bh" before returning.  There
> is a similar bug in exfat_move_file().
> 
> Fixes: 5f2aa075070c ("exfat: add inode operations")
> Reported-by: Markus Elfring <Markus.Elfring@web.de>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied. Thanks!

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Markus Elfring]

…
> +++ b/fs/exfat/namei.c
> @@ -1077,10 +1077,14 @@ static int exfat_rename_file(struct inode *inode, struct exfat_chain *p_dir,
>
>  		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
>  			&sector_old);
> +		if (!epold)
> +			return -EIO;
…

Can it become helpful to annotate such null pointer checks for branch prediction?
Would you like to indicate a likelihood in any way?

Regards,
Markus

Re: [PATCH v2] exfat: add missing brelse() calls on error paths

[Markus Elfring]

…
> +++ b/fs/exfat/namei.c
> @@ -1077,10 +1077,14 @@ static int exfat_rename_file(struct inode *inode, struct exfat_chain *p_dir,
>
>  		epold = exfat_get_dentry(sb, p_dir, oldentry + 1, &old_bh,
>  			&sector_old);
> +		if (!epold)
> +			return -EIO;
…

Will there be a need to reconsider the indentation for function call parameters
in such source files?
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/coding-style.rst?id=b29482fde649c72441d5478a4ea2c52c56d97a5e#n93

Regards,
Markus