From: Joel Fernandes <joel@joelfernandes.org>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>,
"Paul E . McKenney" <paulmck@kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
James Morris <jamorris@linux.microsoft.com>,
kernel list <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Shakeel Butt <shakeelb@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] cred: Use RCU primitives to access RCU pointers
Date: Thu, 6 Feb 2020 11:49:38 -0500 [thread overview]
Message-ID: <20200206164938.GD55522@google.com> (raw)
In-Reply-To: <CAG48ez2+7L8YwejaLcm5MN7Z2DZ4d4H5CV6cUyo+j5S9b=tAtQ@mail.gmail.com>
On Thu, Feb 06, 2020 at 12:28:42PM +0100, Jann Horn wrote:
[snip]
> > > > > > > task_struct.cred doesn't actually have RCU semantics though, see
> > > > > > > commit d7852fbd0f0423937fa287a598bfde188bb68c22. For task_struct.cred,
> > > > > > > it would probably be more correct to remove the __rcu annotation?
> > > > > >
> > > > > > Hi Jann,
> > > > > >
> > > > > > I went through the commit you mentioned. If I understand it correctly,
> > > > > > ->cred was not being accessed concurrently (via RCU), hence, a non_rcu
> > > > > > flag was introduced, which determined if the clean-up should wait for
> > > > > > RCU grace-periods or not. And since, the changes were 'thread local'
> > > > > > there was no need to wait for an entire RCU GP to elapse.
> > > > >
> > > > > Yeah.
> > > > >
> > > > > > The commit too, as you said, mentions the removal of __rcu annotation.
> > > > > > However, simply removing the annotation won't work, as there are quite a
> > > > > > few instances where RCU primitives are used. Even get_current_cred()
> > > > > > uses RCU APIs to get a reference to ->cred.
> > > > >
> > > > > Luckily, there aren't too many places that directly access ->cred,
> > > > > since luckily there are helper functions like get_current_cred() that
> > > > > will do it for you. Grepping through the kernel, I see:
> > > [...]
> > > > > So actually, the number of places that already don't use RCU accessors
> > > > > is much higher than the number of places that use them.
> > > > >
> > > > > > So, currently, maybe we
> > > > > > should continue to use RCU APIs and leave the __rcu annotation in?
> > > > > > (Until someone who takes it on himself to remove __rcu annotation and
> > > > > > fix all the instances). Does that sound good? Or do you want me to
> > > > > > remove __rcu annotation and get the process started?
> > > > >
> > > > > I don't think it's a good idea to add more uses of RCU APIs for
> > > > > ->cred; you shouldn't "fix" warnings by making the code more wrong.
> > > > >
> > > > > If you want to fix this, I think it would be relatively easy to fix
> > > > > this properly - as far as I can tell, there are only seven places that
> > > > > you'll have to change, although you may have to split it up into three
> > > > > patches.
> > > >
> > > > Thank you for the detailed analysis. I'll try my best and send you a
> > > > patch.
> >
> > Amol, Jann, if I understand the discussion correctly, objects ->cred
> > point (the subjective creds) are never (or never need to be) RCU-managed.
> > This makes sense in light of the commit Jann pointed out
> > (d7852fbd0f0423937fa287a598bfde188bb68c22).
> >
> > How about the following diff as a starting point?
> >
> > 1. Remove all ->cred accessing happening through RCU primitive.
>
> Sounds good.
>
> > 2. Remove __rcu from task_struct ->cred
>
> Sounds good.
>
> > 3. Also I removed the whole non_rcu flag, and introduced a new put_cred_non_rcu() API
> > which places that task-synchronously use ->cred can overwrite. Callers
> > doing such accesses like access() can use this API instead.
>
> That's wrong, don't do that.
>
> ->cred is a reference without RCU semantics, ->real_cred is a
> reference with RCU semantics. If there have never been any references
> with RCU semantics to a specific instance of struct cred, then that
> instance can indeed be freed without an RCU grace period. But it would
> be possible for some filesystem code to take a reference to
> current->cred, and assign it to some pointer with RCU semantics
> somewhere, then drop that reference with put_cred() immediately before
> you reach put_cred_non_rcu(); with the result that despite using
> put_cred(), the other side doesn't get RCU semantics.
>
> Just leave the whole ->non_rcu thing exactly as it was.
Can you point to an example in the kernel that actually uses ->cred this way?
I'm just curious. That is, reads task's ->cred pointer, and assigns it to an
RCU managed pointer?
I think such an example would be the point that the commit you mentioned
addresses. The commit basically says "as long as nobody does get_cred() on
the task_struct ->cred, we are good, but if somebody does do it, then we have
to deferred-free it". But I could not find such an example.
That said, I agree the removal of non_rcu can be considered out of scope for
this patch.
thanks,
- Joel
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
WARNING: multiple messages have this Message-ID (diff)
From: Joel Fernandes <joel@joelfernandes.org>
To: Jann Horn <jannh@google.com>
Cc: Amol Grover <frextrite@gmail.com>,
David Howells <dhowells@redhat.com>,
Shakeel Butt <shakeelb@google.com>,
James Morris <jamorris@linux.microsoft.com>,
Oleg Nesterov <oleg@redhat.com>,
Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
kernel list <linux-kernel@vger.kernel.org>,
linux-kernel-mentees@lists.linuxfoundation.org,
Madhuparna Bhowmik <madhuparnabhowmik04@gmail.com>,
"Paul E . McKenney" <paulmck@kernel.org>
Subject: Re: [PATCH] cred: Use RCU primitives to access RCU pointers
Date: Thu, 6 Feb 2020 11:49:38 -0500 [thread overview]
Message-ID: <20200206164938.GD55522@google.com> (raw)
In-Reply-To: <CAG48ez2+7L8YwejaLcm5MN7Z2DZ4d4H5CV6cUyo+j5S9b=tAtQ@mail.gmail.com>
On Thu, Feb 06, 2020 at 12:28:42PM +0100, Jann Horn wrote:
[snip]
> > > > > > > task_struct.cred doesn't actually have RCU semantics though, see
> > > > > > > commit d7852fbd0f0423937fa287a598bfde188bb68c22. For task_struct.cred,
> > > > > > > it would probably be more correct to remove the __rcu annotation?
> > > > > >
> > > > > > Hi Jann,
> > > > > >
> > > > > > I went through the commit you mentioned. If I understand it correctly,
> > > > > > ->cred was not being accessed concurrently (via RCU), hence, a non_rcu
> > > > > > flag was introduced, which determined if the clean-up should wait for
> > > > > > RCU grace-periods or not. And since, the changes were 'thread local'
> > > > > > there was no need to wait for an entire RCU GP to elapse.
> > > > >
> > > > > Yeah.
> > > > >
> > > > > > The commit too, as you said, mentions the removal of __rcu annotation.
> > > > > > However, simply removing the annotation won't work, as there are quite a
> > > > > > few instances where RCU primitives are used. Even get_current_cred()
> > > > > > uses RCU APIs to get a reference to ->cred.
> > > > >
> > > > > Luckily, there aren't too many places that directly access ->cred,
> > > > > since luckily there are helper functions like get_current_cred() that
> > > > > will do it for you. Grepping through the kernel, I see:
> > > [...]
> > > > > So actually, the number of places that already don't use RCU accessors
> > > > > is much higher than the number of places that use them.
> > > > >
> > > > > > So, currently, maybe we
> > > > > > should continue to use RCU APIs and leave the __rcu annotation in?
> > > > > > (Until someone who takes it on himself to remove __rcu annotation and
> > > > > > fix all the instances). Does that sound good? Or do you want me to
> > > > > > remove __rcu annotation and get the process started?
> > > > >
> > > > > I don't think it's a good idea to add more uses of RCU APIs for
> > > > > ->cred; you shouldn't "fix" warnings by making the code more wrong.
> > > > >
> > > > > If you want to fix this, I think it would be relatively easy to fix
> > > > > this properly - as far as I can tell, there are only seven places that
> > > > > you'll have to change, although you may have to split it up into three
> > > > > patches.
> > > >
> > > > Thank you for the detailed analysis. I'll try my best and send you a
> > > > patch.
> >
> > Amol, Jann, if I understand the discussion correctly, objects ->cred
> > point (the subjective creds) are never (or never need to be) RCU-managed.
> > This makes sense in light of the commit Jann pointed out
> > (d7852fbd0f0423937fa287a598bfde188bb68c22).
> >
> > How about the following diff as a starting point?
> >
> > 1. Remove all ->cred accessing happening through RCU primitive.
>
> Sounds good.
>
> > 2. Remove __rcu from task_struct ->cred
>
> Sounds good.
>
> > 3. Also I removed the whole non_rcu flag, and introduced a new put_cred_non_rcu() API
> > which places that task-synchronously use ->cred can overwrite. Callers
> > doing such accesses like access() can use this API instead.
>
> That's wrong, don't do that.
>
> ->cred is a reference without RCU semantics, ->real_cred is a
> reference with RCU semantics. If there have never been any references
> with RCU semantics to a specific instance of struct cred, then that
> instance can indeed be freed without an RCU grace period. But it would
> be possible for some filesystem code to take a reference to
> current->cred, and assign it to some pointer with RCU semantics
> somewhere, then drop that reference with put_cred() immediately before
> you reach put_cred_non_rcu(); with the result that despite using
> put_cred(), the other side doesn't get RCU semantics.
>
> Just leave the whole ->non_rcu thing exactly as it was.
Can you point to an example in the kernel that actually uses ->cred this way?
I'm just curious. That is, reads task's ->cred pointer, and assigns it to an
RCU managed pointer?
I think such an example would be the point that the commit you mentioned
addresses. The commit basically says "as long as nobody does get_cred() on
the task_struct ->cred, we are good, but if somebody does do it, then we have
to deferred-free it". But I could not find such an example.
That said, I agree the removal of non_rcu can be considered out of scope for
this patch.
thanks,
- Joel
next prev parent reply other threads:[~2020-02-06 16:49 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-28 7:27 [Linux-kernel-mentees] [PATCH] cred: Use RCU primitives to access RCU pointers Amol Grover
2020-01-28 7:27 ` Amol Grover
2020-01-28 9:30 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-01-28 9:30 ` Jann Horn
2020-01-28 11:48 ` [Linux-kernel-mentees] " Oleg Nesterov
2020-01-28 11:48 ` Oleg Nesterov
2020-01-28 12:19 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-01-28 12:19 ` Jann Horn
2020-01-28 12:38 ` [Linux-kernel-mentees] " Oleg Nesterov
2020-01-28 12:38 ` Oleg Nesterov
2020-01-28 17:04 ` [Linux-kernel-mentees] " Amol Grover
2020-01-28 17:04 ` Amol Grover
2020-01-28 19:09 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-01-28 19:09 ` Jann Horn
2020-01-29 6:57 ` [Linux-kernel-mentees] " Amol Grover
2020-01-29 6:57 ` Amol Grover
2020-01-29 14:14 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-01-29 14:14 ` Jann Horn
2020-02-06 1:32 ` [Linux-kernel-mentees] " Joel Fernandes
2020-02-06 1:32 ` Joel Fernandes
2020-02-06 11:28 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-02-06 11:28 ` Jann Horn
2020-02-06 16:49 ` Joel Fernandes [this message]
2020-02-06 16:49 ` Joel Fernandes
2020-02-06 17:15 ` [Linux-kernel-mentees] " Jann Horn via Linux-kernel-mentees
2020-02-06 17:15 ` Jann Horn
2020-02-06 18:08 ` [Linux-kernel-mentees] " Joel Fernandes
2020-02-06 18:08 ` Joel Fernandes
2020-02-06 13:09 ` [Linux-kernel-mentees] " Amol Grover
2020-02-06 13:09 ` Amol Grover
2020-01-31 17:49 ` [Linux-kernel-mentees] " David Howells
2020-01-31 17:49 ` David Howells
2020-01-28 15:00 ` [Linux-kernel-mentees] " David Howells
2020-01-28 15:00 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200206164938.GD55522@google.com \
--to=joel@joelfernandes.org \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=paulmck@kernel.org \
--cc=shakeelb@google.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.