From: Peter Zijlstra <peterz@infradead.org>
To: Liljestrand Hans <ishkamiel@gmail.com>
Cc: "Reshetova, Elena" <elena.reshetova@intel.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Kees Cook <keescook@chromium.org>,
	"will.deacon@arm.com" <will.deacon@arm.com>,
	Boqun Feng <boqun.feng@gmail.com>,
	David Windsor <dwindsor@gmail.com>,
	"aik@ozlabs.ru" <aik@ozlabs.ru>,
	"david@gibson.dropbear.id.au" <david@gibson.dropbear.id.au>
Subject: [kernel-hardening] Re: Conversion from atomic_t to refcount_t: summary of issues
Date: Wed, 7 Dec 2016 14:52:41 +0100
Message-ID: <20161207135241.GI3107@twins.programming.kicks-ass.net>
In-Reply-To: <1480693474.28515.56.camel@cs-046.org.aalto.fi>

On Fri, Dec 02, 2016 at 05:44:34PM +0200, Liljestrand Hans wrote:
> 
> Then there's at least include/net/ip_vs.h that does unchecked decs and
> instead has this dedicated free function that checks for negative values
> (so with unsigned refcount it is broken anyway, guess we could do a
> conditional dec with a _read, but then it's no longer atomic):
> 
> http://lxr.free-electrons.com/source/include/net/ip_vs.h#L1424
> 
>  static inline void ip_vs_dest_put_and_free(struct ip_vs_dest *dest) 
>  {
>  	if (atomic_dec_return(&dest->refcnt) < 0)
>  		kfree(dest);
>  }

This looks like one that uses -1 to free, so doing a +1 on the entire
scheme would restore 'sanity', but that's fairly thick code and I
couldn't say for sure.

> Then there's cases that check for the first increment, like here (maybe
> something like inc_and_one could allow these without too much leeway?):
> 
> http://lxr.free-electrons.com/source/drivers/tty/serial/zs.c#L764
> 
>  irq_guard = atomic_add_return(1, &scc->irq_guard);
>  	if (irq_guard == 1) {
> 
> http://lxr.free-electrons.com/source/drivers/usb/gadget/function/f_fs.c#L1497
> 
>  if (atomic_add_return(1, &ffs->opened) == 1 &&
>  	ffs->state == FFS_DEACTIVATED) {
> 
> 
> And finally some cases with other uses/values:
> 
> http://lxr.free-electrons.com/source/drivers/staging/lustre/lustre/ptlrpc/client.c#L3081
> 
>  if (atomic_inc_return(&req->rq_refcount) == 2)

Greg already went through these, they're not proper refcounts.


> http://lxr.free-electrons.com/source/kernel/bpf/syscall.c#L231
> 
>  if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {

I think this one already got discussed, it's a custom refcount limit
scheme (with holes in).

All in all I'm not inclined to add {add,sub,inc,dec}_return() to
refcount, as previously stated, they don't make sense.
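
Added example, not part of the original message or of the kernel source: a userspace C11 model of the "-1 to free" counter from the quoted ip_vs helper, next to the same lifetime shifted by +1 onto a saturating dec-and-test. The names `model_refcount_t`, `model_dec_and_test` and `frees_reported` are hypothetical and are not the kernel's refcount API; the point shown is that one unbalanced put makes the biased scheme report a second free, while the shifted one refuses the underflow.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Biased scheme, as in the quoted ip_vs helper: counter == holders - 1,
 * so the release fires when the decremented value goes negative. */
bool biased_put(atomic_int *cnt)
{
	return atomic_fetch_sub(cnt, 1) - 1 < 0; /* atomic_dec_return() < 0 */
}

/* Userspace model of an unsigned, saturating refcount (illustrative only). */
typedef struct { atomic_uint refs; } model_refcount_t;

/* Drop a reference: true only for the caller dropping the last one. */
bool model_dec_and_test(model_refcount_t *r)
{
	unsigned int old = atomic_load(&r->refs);
	do {
		if (old == 0 || old == UINT_MAX)
			return false; /* underflow refused, saturated value is sticky */
	} while (!atomic_compare_exchange_weak(&r->refs, &old, old - 1));
	return old == 1;
}

/* Count how many of `puts` calls report "free me" for `holders` references. */
int frees_reported(int holders, int puts, bool shifted)
{
	atomic_int biased;
	model_refcount_t r;
	int frees = 0;

	atomic_init(&biased, holders - 1);           /* legacy: holders - 1 */
	atomic_init(&r.refs, (unsigned int)holders); /* "+1 on the entire scheme" */
	for (int i = 0; i < puts; i++)
		frees += shifted ? model_dec_and_test(&r) : biased_put(&biased);
	return frees;
}

int main(void)
{
	/* Balanced puts free once in both schemes; one extra put frees twice
	 * only in the biased scheme. */
	return frees_reported(3, 3, false) == 1 && frees_reported(3, 3, true) == 1 &&
	       frees_reported(3, 4, false) == 2 && frees_reported(3, 4, true) == 1 ? 0 : 1;
}
```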
