From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: [kernel-hardening] Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 06:39:44 -0500 [thread overview]
Message-ID: <8760gjvqm7.fsf@xmission.com> (raw)
In-Reply-To: <87o9ubvr0t.fsf@xmission.com> (Eric W. Biederman's message of "Mon, 29 May 2017 06:30:58 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Peter Zijlstra <peterz@infradead.org> writes:
>>
>>> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>>>
>>>> Kees I I have a concern:
>>>>
>>>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>>>> {
>>>> unsigned int new, val = atomic_read(&r->refs);
>>>>
>>>> do {
>>>> if (!val)
>>>> return false;
>>>>
>>>> if (unlikely(val == UINT_MAX))
>>>> return true;
>>>>
>>>> new = val + i;
>>>> if (new < val)
>>>> new = UINT_MAX;
>>>>
>>>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>>>
>>>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>>>
>>>> return true;
>>>> }
>>>>
>>>> Why in the world do you succeed when you the value saturates????
>>>
>>> Why not? On saturation the object will leak and returning a reference to
>>> it is always good.
>>>
>>>> From a code perspective that is bizarre. The code already has to handle
>>>> the case when the counter does not increment.
>>>
>>> I don't see it as bizarre, we turned an overflow/use-after-free into a
>>> leak. That's the primary mechanism here.
>>>
>>> As long as we have a reference to a leaked object, we might as well use
>>> it, its not going anywhere.
>>>
>>>> Fixing the return value would move refcount_t into the realm of
>>>> something that is desirable because it has bettern semantics and
>>>> is more useful just on a day to day correctness point of view. Even
>>>> ignoring the security implications.
>>>
>>> It changes the semantics between inc_not_zero() and inc(). It also
>>> complicates the semantics of inc_not_zero(), where currently the failure
>>> implies the count is 0 and means no-such-object, you complicate matters
>>> by basically returning 'busy'.
>>
>> Busy is not a state of a reference count.
>>
>> It is true I am suggesting treating something with a saturated reference
>> as not available. If that is what you mean by busy. But if it's
>> reference is zero it is also not available. So there is no practical
>> difference.
>>
>>> That is a completely new class of failure that is actually hard to deal
>>> with, not to mention that it completely destroys refcount_inc_not_zero()
>>> being a 'simple' replacement for atomic_inc_not_zero().
>>>
>>> In case of the current failure, the no-such-object, we can fix that by
>>> creating said object. But what to do on 'busy' ? Surely you don't want
>>> to create another. You'd have to somehow retrofit something to wait on
>>> in every user.
>>
>> Using little words.
>>
>> A return of true from inc_not_zero means we took a reference.
>> A return of false means we did not take a reference.
>>
>> The code already handles I took a reference or I did not take a
>> reference.
>>
>> Therefore lying with refcount_t is not helpful. It takes failures
>> the code could easily handle and turns them into leaks.
>>
>> At least that is how I have seen reference counts used. And those
>> are definitely the plane obivous semantics.
>>
>> Your changes are definitely not drop in replacements for atomic_t in my
>> code.
>
> To clarify.
>
> If my code uses atomic_inc it does not expect a failure of any sort
> and saturate semantics are a fine replacement.
>
> If my code uses atomic_inc_not_zero it knows how to handle a failure
> to take a reference count. Making hiding the failure really bizarre.
>
> A must check function that hides a case I can handle and requires
> checking in a case where my code is built not to check is a drop in
> replacement for neither.
>
> So anyone who is proposing a refcount_t change as a drop in replacement
> for any code I maintain I will nack on sight because refcount_t is not
> currently a no-brain drop in replacement.
*Blink*
I failed to see that there is a refcount_inc. Too much noise in
the header file I suppose.
But implementing refcount_inc in terms of refcount_inc_not_zero is
totally broken. The two operations are not the same and the go to
different assumptions the code is making.
That explains why you think refcount_inc_not_zero should lie because
you are implementing refcount_inc with it. They are semantically very
different operations. Please separate them.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 06:39:44 -0500 [thread overview]
Message-ID: <8760gjvqm7.fsf@xmission.com> (raw)
In-Reply-To: <87o9ubvr0t.fsf@xmission.com> (Eric W. Biederman's message of "Mon, 29 May 2017 06:30:58 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Peter Zijlstra <peterz@infradead.org> writes:
>>
>>> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>>>
>>>> Kees I I have a concern:
>>>>
>>>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>>>> {
>>>> unsigned int new, val = atomic_read(&r->refs);
>>>>
>>>> do {
>>>> if (!val)
>>>> return false;
>>>>
>>>> if (unlikely(val == UINT_MAX))
>>>> return true;
>>>>
>>>> new = val + i;
>>>> if (new < val)
>>>> new = UINT_MAX;
>>>>
>>>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>>>
>>>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>>>
>>>> return true;
>>>> }
>>>>
>>>> Why in the world do you succeed when you the value saturates????
>>>
>>> Why not? On saturation the object will leak and returning a reference to
>>> it is always good.
>>>
>>>> From a code perspective that is bizarre. The code already has to handle
>>>> the case when the counter does not increment.
>>>
>>> I don't see it as bizarre, we turned an overflow/use-after-free into a
>>> leak. That's the primary mechanism here.
>>>
>>> As long as we have a reference to a leaked object, we might as well use
>>> it, its not going anywhere.
>>>
>>>> Fixing the return value would move refcount_t into the realm of
>>>> something that is desirable because it has bettern semantics and
>>>> is more useful just on a day to day correctness point of view. Even
>>>> ignoring the security implications.
>>>
>>> It changes the semantics between inc_not_zero() and inc(). It also
>>> complicates the semantics of inc_not_zero(), where currently the failure
>>> implies the count is 0 and means no-such-object, you complicate matters
>>> by basically returning 'busy'.
>>
>> Busy is not a state of a reference count.
>>
>> It is true I am suggesting treating something with a saturated reference
>> as not available. If that is what you mean by busy. But if it's
>> reference is zero it is also not available. So there is no practical
>> difference.
>>
>>> That is a completely new class of failure that is actually hard to deal
>>> with, not to mention that it completely destroys refcount_inc_not_zero()
>>> being a 'simple' replacement for atomic_inc_not_zero().
>>>
>>> In case of the current failure, the no-such-object, we can fix that by
>>> creating said object. But what to do on 'busy' ? Surely you don't want
>>> to create another. You'd have to somehow retrofit something to wait on
>>> in every user.
>>
>> Using little words.
>>
>> A return of true from inc_not_zero means we took a reference.
>> A return of false means we did not take a reference.
>>
>> The code already handles I took a reference or I did not take a
>> reference.
>>
>> Therefore lying with refcount_t is not helpful. It takes failures
>> the code could easily handle and turns them into leaks.
>>
>> At least that is how I have seen reference counts used. And those
>> are definitely the plane obivous semantics.
>>
>> Your changes are definitely not drop in replacements for atomic_t in my
>> code.
>
> To clarify.
>
> If my code uses atomic_inc it does not expect a failure of any sort
> and saturate semantics are a fine replacement.
>
> If my code uses atomic_inc_not_zero it knows how to handle a failure
> to take a reference count. Making hiding the failure really bizarre.
>
> A must check function that hides a case I can handle and requires
> checking in a case where my code is built not to check is a drop in
> replacement for neither.
>
> So anyone who is proposing a refcount_t change as a drop in replacement
> for any code I maintain I will nack on sight because refcount_t is not
> currently a no-brain drop in replacement.
*Blink*
I failed to see that there is a refcount_inc. Too much noise in
the header file I suppose.
But implementing refcount_inc in terms of refcount_inc_not_zero is
totally broken. The two operations are not the same and the go to
different assumptions the code is making.
That explains why you think refcount_inc_not_zero should lie because
you are implementing refcount_inc with it. They are semantically very
different operations. Please separate them.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 06:39:44 -0500 [thread overview]
Message-ID: <8760gjvqm7.fsf@xmission.com> (raw)
Message-ID: <20170529113944.-D1xuz6-VjhkcmQbM8uQtskWDnx-qOdRZhljbUbkEbs@z> (raw)
In-Reply-To: <87o9ubvr0t.fsf@xmission.com> (Eric W. Biederman's message of "Mon, 29 May 2017 06:30:58 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Peter Zijlstra <peterz@infradead.org> writes:
>>
>>> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>>>
>>>> Kees I I have a concern:
>>>>
>>>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>>>> {
>>>> unsigned int new, val = atomic_read(&r->refs);
>>>>
>>>> do {
>>>> if (!val)
>>>> return false;
>>>>
>>>> if (unlikely(val == UINT_MAX))
>>>> return true;
>>>>
>>>> new = val + i;
>>>> if (new < val)
>>>> new = UINT_MAX;
>>>>
>>>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>>>
>>>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>>>
>>>> return true;
>>>> }
>>>>
>>>> Why in the world do you succeed when you the value saturates????
>>>
>>> Why not? On saturation the object will leak and returning a reference to
>>> it is always good.
>>>
>>>> From a code perspective that is bizarre. The code already has to handle
>>>> the case when the counter does not increment.
>>>
>>> I don't see it as bizarre, we turned an overflow/use-after-free into a
>>> leak. That's the primary mechanism here.
>>>
>>> As long as we have a reference to a leaked object, we might as well use
>>> it, its not going anywhere.
>>>
>>>> Fixing the return value would move refcount_t into the realm of
>>>> something that is desirable because it has bettern semantics and
>>>> is more useful just on a day to day correctness point of view. Even
>>>> ignoring the security implications.
>>>
>>> It changes the semantics between inc_not_zero() and inc(). It also
>>> complicates the semantics of inc_not_zero(), where currently the failure
>>> implies the count is 0 and means no-such-object, you complicate matters
>>> by basically returning 'busy'.
>>
>> Busy is not a state of a reference count.
>>
>> It is true I am suggesting treating something with a saturated reference
>> as not available. If that is what you mean by busy. But if it's
>> reference is zero it is also not available. So there is no practical
>> difference.
>>
>>> That is a completely new class of failure that is actually hard to deal
>>> with, not to mention that it completely destroys refcount_inc_not_zero()
>>> being a 'simple' replacement for atomic_inc_not_zero().
>>>
>>> In case of the current failure, the no-such-object, we can fix that by
>>> creating said object. But what to do on 'busy' ? Surely you don't want
>>> to create another. You'd have to somehow retrofit something to wait on
>>> in every user.
>>
>> Using little words.
>>
>> A return of true from inc_not_zero means we took a reference.
>> A return of false means we did not take a reference.
>>
>> The code already handles I took a reference or I did not take a
>> reference.
>>
>> Therefore lying with refcount_t is not helpful. It takes failures
>> the code could easily handle and turns them into leaks.
>>
>> At least that is how I have seen reference counts used. And those
>> are definitely the plane obivous semantics.
>>
>> Your changes are definitely not drop in replacements for atomic_t in my
>> code.
>
> To clarify.
>
> If my code uses atomic_inc it does not expect a failure of any sort
> and saturate semantics are a fine replacement.
>
> If my code uses atomic_inc_not_zero it knows how to handle a failure
> to take a reference count. Making hiding the failure really bizarre.
>
> A must check function that hides a case I can handle and requires
> checking in a case where my code is built not to check is a drop in
> replacement for neither.
>
> So anyone who is proposing a refcount_t change as a drop in replacement
> for any code I maintain I will nack on sight because refcount_t is not
> currently a no-brain drop in replacement.
*Blink*
I failed to see that there is a refcount_inc. Too much noise in
the header file I suppose.
But implementing refcount_inc in terms of refcount_inc_not_zero is
totally broken. The two operations are not the same and the go to
different assumptions the code is making.
That explains why you think refcount_inc_not_zero should lie because
you are implementing refcount_inc with it. They are semantically very
different operations. Please separate them.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe\@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86\@kernel.org" <x86@kernel.org>,
Ingo Molnar <mingo@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening\@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 06:39:44 -0500 [thread overview]
Message-ID: <8760gjvqm7.fsf@xmission.com> (raw)
In-Reply-To: <87o9ubvr0t.fsf@xmission.com> (Eric W. Biederman's message of "Mon, 29 May 2017 06:30:58 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Peter Zijlstra <peterz@infradead.org> writes:
>>
>>> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>>>
>>>> Kees I I have a concern:
>>>>
>>>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>>>> {
>>>> unsigned int new, val = atomic_read(&r->refs);
>>>>
>>>> do {
>>>> if (!val)
>>>> return false;
>>>>
>>>> if (unlikely(val == UINT_MAX))
>>>> return true;
>>>>
>>>> new = val + i;
>>>> if (new < val)
>>>> new = UINT_MAX;
>>>>
>>>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>>>
>>>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>>>
>>>> return true;
>>>> }
>>>>
>>>> Why in the world do you succeed when you the value saturates????
>>>
>>> Why not? On saturation the object will leak and returning a reference to
>>> it is always good.
>>>
>>>> From a code perspective that is bizarre. The code already has to handle
>>>> the case when the counter does not increment.
>>>
>>> I don't see it as bizarre, we turned an overflow/use-after-free into a
>>> leak. That's the primary mechanism here.
>>>
>>> As long as we have a reference to a leaked object, we might as well use
>>> it, its not going anywhere.
>>>
>>>> Fixing the return value would move refcount_t into the realm of
>>>> something that is desirable because it has bettern semantics and
>>>> is more useful just on a day to day correctness point of view. Even
>>>> ignoring the security implications.
>>>
>>> It changes the semantics between inc_not_zero() and inc(). It also
>>> complicates the semantics of inc_not_zero(), where currently the failure
>>> implies the count is 0 and means no-such-object, you complicate matters
>>> by basically returning 'busy'.
>>
>> Busy is not a state of a reference count.
>>
>> It is true I am suggesting treating something with a saturated reference
>> as not available. If that is what you mean by busy. But if it's
>> reference is zero it is also not available. So there is no practical
>> difference.
>>
>>> That is a completely new class of failure that is actually hard to deal
>>> with, not to mention that it completely destroys refcount_inc_not_zero()
>>> being a 'simple' replacement for atomic_inc_not_zero().
>>>
>>> In case of the current failure, the no-such-object, we can fix that by
>>> creating said object. But what to do on 'busy' ? Surely you don't want
>>> to create another. You'd have to somehow retrofit something to wait on
>>> in every user.
>>
>> Using little words.
>>
>> A return of true from inc_not_zero means we took a reference.
>> A return of false means we did not take a reference.
>>
>> The code already handles I took a reference or I did not take a
>> reference.
>>
>> Therefore lying with refcount_t is not helpful. It takes failures
>> the code could easily handle and turns them into leaks.
>>
>> At least that is how I have seen reference counts used. And those
>> are definitely the plane obivous semantics.
>>
>> Your changes are definitely not drop in replacements for atomic_t in my
>> code.
>
> To clarify.
>
> If my code uses atomic_inc it does not expect a failure of any sort
> and saturate semantics are a fine replacement.
>
> If my code uses atomic_inc_not_zero it knows how to handle a failure
> to take a reference count. Making hiding the failure really bizarre.
>
> A must check function that hides a case I can handle and requires
> checking in a case where my code is built not to check is a drop in
> replacement for neither.
>
> So anyone who is proposing a refcount_t change as a drop in replacement
> for any code I maintain I will nack on sight because refcount_t is not
> currently a no-brain drop in replacement.
*Blink*
I failed to see that there is a refcount_inc. Too much noise in
the header file I suppose.
But implementing refcount_inc in terms of refcount_inc_not_zero is
totally broken. The two operations are not the same and the go to
different assumptions the code is making.
That explains why you think refcount_inc_not_zero should lie because
you are implementing refcount_inc with it. They are semantically very
different operations. Please separate them.
Eric
next prev parent reply other threads:[~2017-05-29 11:39 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-20 11:29 [PATCH 0/3] ipc subsystem refcounter conversions Elena Reshetova
2017-02-20 11:29 ` [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t Elena Reshetova
2017-05-27 19:41 ` Kees Cook
2017-05-28 12:10 ` Manfred Spraul
2017-02-20 11:29 ` [PATCH 2/3] ipc: convert sem_undo_list.refcnt " Elena Reshetova
2017-05-27 19:44 ` Kees Cook
2017-02-20 11:29 ` [PATCH 3/3] ipc: convert ipc_rcu.refcount " Elena Reshetova
2017-05-27 19:47 ` Kees Cook
2017-02-20 11:42 ` [PATCH 0/3] ipc subsystem refcounter conversions Andy Shevchenko
2017-02-20 12:30 ` Reshetova, Elena
2017-02-22 15:41 ` Davidlohr Bueso
2017-03-04 0:23 ` Andrew Morton
2017-03-06 9:51 ` Reshetova, Elena
2017-05-27 19:58 ` [kernel-hardening] " Kees Cook
2017-05-27 19:58 ` Kees Cook
2017-05-27 19:58 ` Kees Cook
2017-05-29 8:39 ` [kernel-hardening] " Christoph Hellwig
2017-05-29 8:39 ` Christoph Hellwig
2017-05-29 8:39 ` Christoph Hellwig
2017-05-29 9:11 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 10:24 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 10:24 ` Peter Zijlstra
2017-05-29 10:49 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 11:30 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman [this message]
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 12:23 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 12:23 ` Peter Zijlstra
2017-05-29 12:23 ` Peter Zijlstra
2017-05-29 15:43 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 15:43 ` Peter Zijlstra
2017-05-29 15:43 ` Peter Zijlstra
2017-05-29 12:13 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 12:13 ` Peter Zijlstra
2017-05-29 12:13 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760gjvqm7.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=arozansk@redhat.com \
--cc=axboe@kernel.dk \
--cc=dave@stgolabs.net \
--cc=davem@davemloft.net \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=serge@hallyn.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.