git@vger.kernel.org mailing list mirror (one of many)
From: Junio C Hamano <gitster@pobox.com>
To: David Turner <dturner@twopensource.com>
Cc: git mailing list <git@vger.kernel.org>, Duy Nguyen <pclouds@gmail.com>
Subject: Re: [PATCH 0/1] merge: fix cache_entry use-after-free
Date: Fri, 09 Oct 2015 15:51:23 -0700
Message-ID: <xmqqfv1joduc.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <1444428963.8836.36.camel@twopensource.com> (David Turner's message of "Fri, 09 Oct 2015 18:16:03 -0400")

David Turner <dturner@twopensource.com> writes:

>> > +		assert(removed == dir);
>> > +		drop_ce_ref(dir->ce);
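Review bot: the assert(removed == dir) in front of drop_ce_ref(dir->ce) is the only thing tying the dropped reference to the entry that was actually removed, and it compiles away when NDEBUG is defined. If a mismatch can happen, make it a real check that fails loudly before the drop; if it cannot, either remove the assert or add the matching one in remove_name_hash() so the two paths read the same.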
>> 
>> This is curious.  In remove_name_hash() you do not have the
>> corresponding assert.  Why is it necessary here (or is it
>> unnecessary over there)?
>
> It is unnecessary in any case: it's an assert rather than a check for an
> expected (or even unexpected) case.  That just happens to be where Keith
> first managed to track down the use-after-free, so that's where he
> happened to put the assert while trying to debug it.  I'm in general in
> favor of more asserts rather than fewer, so I would prefer to keep it
> in.  But I can remove it if you like.

OK, it was just the inconsistency between the two that made them look
curious, as if one of them is more likely to get broken, or the
patch author was not so sure about the assumption, or something.

>> > +	add_ce_ref(ce);
>> >  	add_name_hash(istate, ce);
>> >  }
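Review bot: add_ce_ref(ce) takes a reference on behalf of the slot, but nothing in this hunk releases one for whatever the slot held before, so the function is only correct when the slot holds no live reference on entry. State that precondition in a comment above the function, as asked for in the thread, so that a new caller does not silently leak the previous entry.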
>> 
>> What happens to the existing entry that used to be istate->cache[nr],
>> which may or may not be 'ce' that is replacing it?
>> 
>> It turns out that all three calling sites are safe, but it is not
>> immediately obvious why.  Perhaps some comment in front of the
>> function is in order, to warn those who may have to add a new caller
>> or restructure the existing calling chain, that istate->cache[nr] is
>> expected not to hold a live reference when the function is called,
>> or something?
>
> Happy to add it if you want, but to me it was clear without because if
> there were a value in istate->cache[nr], that old value would be leaked.

OK, that's sort-of-cheating, but is a sound short-cut ;-).

>> > +		if (old != istate->split_index->base->cache[new->index - 1]) {
>> > +			struct cache_entry *ce = istate->split_index->base->cache[new->index - 1];
>> > +			drop_ce_ref(ce);
>> > +		}
>> >  		istate->split_index->base->cache[new->index - 1] = new;
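Review bot: the store into istate->split_index->base->cache[new->index - 1] drops the old occupant's reference but takes none for new, so the base index ends up holding a pointer it has not counted; add_ce_ref(new) is needed before the assignment. The same long lvalue also appears three times in this hunk; hoisting it into a local pointer would make the old != ... comparison and the drop easier to verify.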
>> 
>> Does 'new' already have the right refcount at this point?
>
> I spoke to Keith, and he thinks we do need an add_ce_ref there. I'll fix
> that on the reroll.  Duy, do you agree?
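
The ordering question raised in this review (what happens to the entry already in a slot, which may or may not be the one replacing it), as an added C example that is not part of the thread or of git's code. struct entry, entry_get(), entry_put(), slot_replace() and demo() are hypothetical names.

```c
/* Added illustration; every name here is hypothetical, not git's cache_entry API. */
#include <stdio.h>
#include <stdlib.h>

struct entry { int refs; int *freed; }; /* freed: demo flag set on release */

static struct entry *entry_new(int *freed)
{
	struct entry *e = malloc(sizeof(*e));
	if (!e) abort();
	e->refs = 1; /* the creator holds the first reference */
	e->freed = freed;
	*freed = 0;
	return e;
}

static void entry_get(struct entry *e) { e->refs++; }
static void entry_put(struct entry *e)
{
	if (e && --e->refs == 0) {
		*e->freed = 1;
		free(e);
	}
}

/* The slot takes its own reference on the incoming entry, then gives up the
 * one it held on the old occupant. Dropping first would free the entry when
 * old == incoming and the slot was its only holder. */
static void slot_replace(struct entry **slot, struct entry *incoming)
{
	struct entry *old = *slot;
	entry_get(incoming);
	*slot = incoming;
	entry_put(old);
}

/* Constructed scenario: the slot solely owns 'a', then is overwritten with 'a'
 * itself (same=1) or with 'b' (same=0). Returns 1 if nothing was freed early. */
static int demo(int same)
{
	int a_freed, b_freed;
	struct entry *a = entry_new(&a_freed), *b = entry_new(&b_freed), *slot = NULL;
	slot_replace(&slot, a);            /* a: creator + slot = 2 */
	entry_put(a);                      /* creator done; a: 1 */
	slot_replace(&slot, same ? a : b); /* a survives only if same */
	int ok = !b_freed && slot->refs == (same ? 1 : 2) && a_freed == !same;
	entry_put(b);                      /* creator of b done */
	entry_put(slot);                   /* slot torn down */
	return ok && a_freed && b_freed;
}

int main(void) { printf("same=%d other=%d\n", demo(1), demo(0)); return 0; }
```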
