From: Greg KH <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: devel@driverdev.osuosl.org, tkjos@android.com, surenb@google.com,
	linux-kernel@vger.kernel.org, hridya@google.com,
	arve@android.com, Shuah Khan <skhan@linuxfoundation.org>,
	joel@joelfernandes.org, maco@android.com, christian@brauner.io
Subject: Re: [RFC PATCH 07/11] drivers/android/binder: convert stats, transaction_log to counter_atomic
Date: Wed, 23 Sep 2020 21:31:34 +0200
Message-ID: <20200923193134.GD199068@kroah.com>
In-Reply-To: <202009231204.5531FBA23F@keescook>

On Wed, Sep 23, 2020 at 12:04:58PM -0700, Kees Cook wrote:
> On Wed, Sep 23, 2020 at 07:10:27AM +0200, Greg KH wrote:
> > On Tue, Sep 22, 2020 at 07:43:36PM -0600, Shuah Khan wrote:
> > > counter_atomic is introduced to be used when a variable is used as
> > > a simple counter and doesn't guard object lifetimes. This clearly
> > > differentiates atomic_t usages that guard object lifetimes.
> > > 
> > > counter_atomic variables will wrap around to 0 when they overflow and
> > > should not be used to guard resource lifetimes, device usage and
> > > open counts that control state changes, and pm states.
> > > 
> > > stats tracks per-process binder statistics. Unsure if there is a chance
> > > of this overflowing, other than stats getting reset to 0. Convert it to
> > > use counter_atomic.
> > > 
> > > binder_transaction_log:cur is used to keep track of the current log entry
> > > location. Overflow is handled in the code. Since it is used as a
> > > counter, convert it to use counter_atomic.
> > > 
> > > This conversion doesn't change the overflow wrap around behavior.
> > > 
> > > Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
> > > ---
> > >  drivers/android/binder.c          | 41 ++++++++++++++++---------------
> > >  drivers/android/binder_internal.h |  3 ++-
> > >  2 files changed, 23 insertions(+), 21 deletions(-)
> > > 
> > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> > > index f936530a19b0..11a0407c46df 100644
> > > --- a/drivers/android/binder.c
> > > +++ b/drivers/android/binder.c
> > > @@ -66,6 +66,7 @@
> > >  #include <linux/syscalls.h>
> > >  #include <linux/task_work.h>
> > >  #include <linux/sizes.h>
> > > +#include <linux/counters.h>
> > >  
> > >  #include <uapi/linux/android/binder.h>
> > >  #include <uapi/linux/android/binderfs.h>
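Review bot: the new #include <linux/counters.h> sits only in binder.c, while the diffstat above shows binder_internal.h changing too. If that header declares a struct counter_atomic member, it should include <linux/counters.h> itself rather than rely on binder.c's include order, so that any other user of the header keeps building.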
> > > @@ -172,22 +173,22 @@ enum binder_stat_types {
> > >  };
> > >  
> > >  struct binder_stats {
> > > -	atomic_t br[_IOC_NR(BR_FAILED_REPLY) + 1];
> > > -	atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1];
> > > -	atomic_t obj_created[BINDER_STAT_COUNT];
> > > -	atomic_t obj_deleted[BINDER_STAT_COUNT];
> > > +	struct counter_atomic br[_IOC_NR(BR_FAILED_REPLY) + 1];
> > > +	struct counter_atomic bc[_IOC_NR(BC_REPLY_SG) + 1];
> > > +	struct counter_atomic obj_created[BINDER_STAT_COUNT];
> > > +	struct counter_atomic obj_deleted[BINDER_STAT_COUNT];
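Review bot: struct binder_stats gets the new type on br, bc, obj_created and obj_deleted but no comment saying these are statistics that nothing may base a lifetime or state decision on. The commit message gives that as the condition for using counter_atomic and also says "Unsure if there is a chance of this overflowing"; a one-line comment above the struct, plus a definite statement in the changelog of what a wrapped value affects, would record why the conversion is safe.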
> > 
> > These are just debugging statistics, no reason they have to be atomic
> > variables at all and they should be able to just be "struct counter"
> > variables instead.
> 
> But there's no reason for them _not_ to be atomic. Please let's keep
> this API as always safe. Why even provide a new foot-gun here?

These are debugging things, how can you shoot yourself in the foot with
that???

thanks,

greg k-h
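
The distinction the quoted commit message draws, between a counter that may wrap and one that guards an object lifetime, as an added userspace C example (not code from the patch or the kernel). The type and function names are hypothetical, and unsigned 32-bit storage is assumed so that the wrap lands on 0.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace models; names are illustrative, not kernel API. */
struct stat_counter { _Atomic uint32_t v; };	/* wraps: statistics only */
struct life_counter { _Atomic uint32_t v; };	/* saturates: guards a lifetime */

static uint32_t stat_inc(struct stat_counter *c)
{	/* modular arithmetic: UINT32_MAX + 1 == 0, no error is raised */
	return atomic_fetch_add_explicit(&c->v, 1, memory_order_relaxed) + 1;
}

static bool life_get(struct life_counter *c)
{
	uint32_t old = atomic_load(&c->v);
	do {
		if (old == 0 || old == UINT32_MAX)
			return false;	/* already released, or saturated */
	} while (!atomic_compare_exchange_weak(&c->v, &old, old + 1));
	return true;
}

static bool life_put(struct life_counter *c)	/* true: last reference dropped */
{
	uint32_t old = atomic_load(&c->v);
	do {
		if (old == 0 || old == UINT32_MAX)
			return false;	/* underflow or saturated: never free */
	} while (!atomic_compare_exchange_weak(&c->v, &old, old - 1));
	return old == 1;
}

/* Misuse: a wrapping counter used as a reference count. */
static bool wrapping_refcount_frees_early(void)
{
	struct stat_counter c = { UINT32_MAX };	/* constructed: at the limit */
	stat_inc(&c);	/* wraps to 0 */
	stat_inc(&c);	/* 1, although far more holders exist */
	return atomic_fetch_sub(&c.v, 1) == 1;	/* a single put looks like the last */
}
int main(void)
{
	struct stat_counter s = { UINT32_MAX };
	struct life_counter l = { UINT32_MAX };
	printf("stat after wrap: %u\n", (unsigned)stat_inc(&s));
	printf("early free with wrapping refcount: %d\n", wrapping_refcount_frees_early());
	printf("saturated get/put: %d/%d\n", life_get(&l), life_put(&l));
}
```

For a statistic the wrap only produces a wrong number in a debug dump; for a lifetime counter it produces a release while holders remain, which is why the saturating variant refuses to move once it reaches the limit.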
