From: ebiederm@xmission.com (Eric W. Biederman)
To: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Davidlohr Bueso <dave@stgolabs.net>,
Elena Reshetova <elena.reshetova@intel.com>,
linux-kernel@vger.kernel.org, peterz@infradead.org,
gregkh@linuxfoundation.org, mingo@redhat.com,
adobriyan@gmail.com, serge@hallyn.com, arozansk@redhat.com,
keescook@chromium.org, Hans Liljestrand <ishkamiel@gmail.com>,
David Windsor <dwindsor@gmail.com>
Subject: Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Date: Thu, 20 Jul 2017 07:34:55 -0500 [thread overview]
Message-ID: <878tjj8exc.fsf@xmission.com> (raw)
In-Reply-To: <20170720093402.55alnsgsodgs4mfk@gmail.com> (Ingo Molnar's message of "Thu, 20 Jul 2017 11:34:02 +0200")
Ingo Molnar <mingo@kernel.org> writes:
> * Andrew Morton <akpm@linux-foundation.org> wrote:
>
>> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso <dave@stgolabs.net> wrote:
>>
>> > On Wed, 19 Jul 2017, Andrew Morton wrote:
>> >
>> > >I do rather dislike these conversions from the point of view of
>> > >performance overhead and general code bloat. But I seem to have lost
>> > >that struggle and I don't think any of these are fastpath(?).
>> >
>> > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t
>> > implementation), performance is supposed to be ok.
>>
>> Sure, things are OK for people who disable the feature.
>
> So with the WIP fast-refcount series from Kees:
>
> [PATCH v6 0/2] x86: Implement fast refcount overflow protection
>
> I believe the robustness difference between optimized-refcount_t and
> full-refcount_t will be marginal.
>
> I.e. we'll be able to have both higher API safety _and_ performance.
>
>> But for people who want to enable the feature we really should minimize the cost
>> by avoiding blindly converting sites which simply don't need it: simple, safe,
>> old, well-tested code. Why go and slow down such code? Need to apply some
>> common sense here...
>
> It's old, well-tested code _for existing, sane parameters_, until someone finds a
> decade old bug in one of these with an insane parameters no-one stumbled upon so
> far, and builds an exploit on top of it.
>
> Only by touching all these places do we have a chance to improve things measurably
> in terms of reducing the probability of bugs.
The more I hear people pushing the upsides of refcount_t without
considering the downsides the more I dislike it.
- refcount_t is really the wrong thing because it uses saturation
semantics. So by definition it includes a bug.
- refcount_t will only really prevent something if there is an extra
increment. That is not the kind of bug people are likely to make.
- refcount_t won't help if you have an extra decrement. The bad
use-after-free will still happen.
- refcount_t won't help if there is a memory stomp. As with an extra
decrement the bad use-after-free will still happen.
So all I see is a huge amount of code churn to implement a buggy (by
definition) refcounting API, that risks adding new bugs and only truly
helps with bugs that are unlikely in the first place.
I really don't think this is an obvious slam dunk.
Eric
next prev parent reply other threads:[~2017-07-20 12:43 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-07 8:59 [PATCH 0/3] v2 ipc subsystem refcount coversions Elena Reshetova
2017-07-07 8:59 ` [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t Elena Reshetova
2017-07-09 21:59 ` Eric W. Biederman
2017-07-10 6:48 ` Reshetova, Elena
2017-07-10 8:37 ` Eric W. Biederman
2017-07-10 9:34 ` Alexey Dobriyan
2017-07-10 11:19 ` Eric W. Biederman
2017-07-10 9:56 ` Reshetova, Elena
2017-07-10 11:26 ` Eric W. Biederman
2017-07-10 12:11 ` Reshetova, Elena
2017-07-10 20:32 ` Eric W. Biederman
2017-07-12 9:21 ` Reshetova, Elena
2017-07-19 22:35 ` Andrew Morton
2017-07-19 22:54 ` Davidlohr Bueso
2017-07-19 22:58 ` Andrew Morton
2017-07-19 23:11 ` Davidlohr Bueso
2017-07-19 23:20 ` Kees Cook
2017-07-20 0:32 ` Kees Cook
2017-07-20 9:34 ` Ingo Molnar
2017-07-20 12:34 ` Eric W. Biederman [this message]
2017-07-20 15:12 ` Kees Cook
2017-07-07 8:59 ` [PATCH 2/3] ipc: convert sem_undo_list.refcnt " Elena Reshetova
2017-07-07 8:59 ` [PATCH 3/3] ipc: convert kern_ipc_perm.refcount " Elena Reshetova
-- strict thread matches above, loose matches on Subject: below --
2017-02-20 11:29 [PATCH 0/3] ipc subsystem refcounter conversions Elena Reshetova
2017-02-20 11:29 ` [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t Elena Reshetova
2017-05-27 19:41 ` Kees Cook
2017-05-28 12:10 ` Manfred Spraul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878tjj8exc.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arozansk@redhat.com \
--cc=dave@stgolabs.net \
--cc=dwindsor@gmail.com \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=ishkamiel@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.