From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: [kernel-hardening] Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 05:49:53 -0500 [thread overview]
Message-ID: <87a85wvsxa.fsf@xmission.com> (raw)
In-Reply-To: <20170529102442.gerbzxzixllen46q@hirez.programming.kicks-ass.net> (Peter Zijlstra's message of "Mon, 29 May 2017 12:24:42 +0200")
Peter Zijlstra <peterz@infradead.org> writes:
> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>
>> Kees I I have a concern:
>>
>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>> {
>> unsigned int new, val = atomic_read(&r->refs);
>>
>> do {
>> if (!val)
>> return false;
>>
>> if (unlikely(val == UINT_MAX))
>> return true;
>>
>> new = val + i;
>> if (new < val)
>> new = UINT_MAX;
>>
>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>
>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>
>> return true;
>> }
>>
>> Why in the world do you succeed when you the value saturates????
>
> Why not? On saturation the object will leak and returning a reference to
> it is always good.
>
>> From a code perspective that is bizarre. The code already has to handle
>> the case when the counter does not increment.
>
> I don't see it as bizarre, we turned an overflow/use-after-free into a
> leak. That's the primary mechanism here.
>
> As long as we have a reference to a leaked object, we might as well use
> it, its not going anywhere.
>
>> Fixing the return value would move refcount_t into the realm of
>> something that is desirable because it has bettern semantics and
>> is more useful just on a day to day correctness point of view. Even
>> ignoring the security implications.
>
> It changes the semantics between inc_not_zero() and inc(). It also
> complicates the semantics of inc_not_zero(), where currently the failure
> implies the count is 0 and means no-such-object, you complicate matters
> by basically returning 'busy'.
Busy is not a state of a reference count.
It is true I am suggesting treating something with a saturated reference
as not available. If that is what you mean by busy. But if it's
reference is zero it is also not available. So there is no practical
difference.
> That is a completely new class of failure that is actually hard to deal
> with, not to mention that it completely destroys refcount_inc_not_zero()
> being a 'simple' replacement for atomic_inc_not_zero().
>
> In case of the current failure, the no-such-object, we can fix that by
> creating said object. But what to do on 'busy' ? Surely you don't want
> to create another. You'd have to somehow retrofit something to wait on
> in every user.
Using little words.
A return of true from inc_not_zero means we took a reference.
A return of false means we did not take a reference.
The code already handles I took a reference or I did not take a
reference.
Therefore lying with refcount_t is not helpful. It takes failures
the code could easily handle and turns them into leaks.
At least that is how I have seen reference counts used. And those
are definitely the plane obivous semantics.
Your changes are definitely not drop in replacements for atomic_t in my
code.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@li>sts.openwall.com,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 05:49:53 -0500 [thread overview]
Message-ID: <87a85wvsxa.fsf@xmission.com> (raw)
In-Reply-To: <20170529102442.gerbzxzixllen46q@hirez.programming.kicks-ass.net> (Peter Zijlstra's message of "Mon, 29 May 2017 12:24:42 +0200")
Peter Zijlstra <peterz@infradead.org> writes:
> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>
>> Kees I I have a concern:
>>
>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>> {
>> unsigned int new, val = atomic_read(&r->refs);
>>
>> do {
>> if (!val)
>> return false;
>>
>> if (unlikely(val == UINT_MAX))
>> return true;
>>
>> new = val + i;
>> if (new < val)
>> new = UINT_MAX;
>>
>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>
>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>
>> return true;
>> }
>>
>> Why in the world do you succeed when you the value saturates????
>
> Why not? On saturation the object will leak and returning a reference to
> it is always good.
>
>> From a code perspective that is bizarre. The code already has to handle
>> the case when the counter does not increment.
>
> I don't see it as bizarre, we turned an overflow/use-after-free into a
> leak. That's the primary mechanism here.
>
> As long as we have a reference to a leaked object, we might as well use
> it, its not going anywhere.
>
>> Fixing the return value would move refcount_t into the realm of
>> something that is desirable because it has bettern semantics and
>> is more useful just on a day to day correctness point of view. Even
>> ignoring the security implications.
>
> It changes the semantics between inc_not_zero() and inc(). It also
> complicates the semantics of inc_not_zero(), where currently the failure
> implies the count is 0 and means no-such-object, you complicate matters
> by basically returning 'busy'.
Busy is not a state of a reference count.
It is true I am suggesting treating something with a saturated reference
as not available. If that is what you mean by busy. But if it's
reference is zero it is also not available. So there is no practical
difference.
> That is a completely new class of failure that is actually hard to deal
> with, not to mention that it completely destroys refcount_inc_not_zero()
> being a 'simple' replacement for atomic_inc_not_zero().
>
> In case of the current failure, the no-such-object, we can fix that by
> creating said object. But what to do on 'busy' ? Surely you don't want
> to create another. You'd have to somehow retrofit something to wait on
> in every user.
Using little words.
A return of true from inc_not_zero means we took a reference.
A return of false means we did not take a reference.
The code already handles I took a reference or I did not take a
reference.
Therefore lying with refcount_t is not helpful. It takes failures
the code could easily handle and turns them into leaks.
At least that is how I have seen reference counts used. And those
are definitely the plane obivous semantics.
Your changes are definitely not drop in replacements for atomic_t in my
code.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86@kernel.org" <x86@kernel.org>, Ingo Molnar <mingo@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 05:49:53 -0500 [thread overview]
Message-ID: <87a85wvsxa.fsf@xmission.com> (raw)
Message-ID: <20170529104953.iwfUTAlDBAuyo6zSDwm7_-FT7sU2WyzAwxmcMVPvHIo@z> (raw)
In-Reply-To: <20170529102442.gerbzxzixllen46q@hirez.programming.kicks-ass.net> (Peter Zijlstra's message of "Mon, 29 May 2017 12:24:42 +0200")
Peter Zijlstra <peterz@infradead.org> writes:
> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>
>> Kees I I have a concern:
>>
>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>> {
>> unsigned int new, val = atomic_read(&r->refs);
>>
>> do {
>> if (!val)
>> return false;
>>
>> if (unlikely(val == UINT_MAX))
>> return true;
>>
>> new = val + i;
>> if (new < val)
>> new = UINT_MAX;
>>
>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>
>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>
>> return true;
>> }
>>
>> Why in the world do you succeed when you the value saturates????
>
> Why not? On saturation the object will leak and returning a reference to
> it is always good.
>
>> From a code perspective that is bizarre. The code already has to handle
>> the case when the counter does not increment.
>
> I don't see it as bizarre, we turned an overflow/use-after-free into a
> leak. That's the primary mechanism here.
>
> As long as we have a reference to a leaked object, we might as well use
> it, its not going anywhere.
>
>> Fixing the return value would move refcount_t into the realm of
>> something that is desirable because it has bettern semantics and
>> is more useful just on a day to day correctness point of view. Even
>> ignoring the security implications.
>
> It changes the semantics between inc_not_zero() and inc(). It also
> complicates the semantics of inc_not_zero(), where currently the failure
> implies the count is 0 and means no-such-object, you complicate matters
> by basically returning 'busy'.
Busy is not a state of a reference count.
It is true I am suggesting treating something with a saturated reference
as not available. If that is what you mean by busy. But if it's
reference is zero it is also not available. So there is no practical
difference.
> That is a completely new class of failure that is actually hard to deal
> with, not to mention that it completely destroys refcount_inc_not_zero()
> being a 'simple' replacement for atomic_inc_not_zero().
>
> In case of the current failure, the no-such-object, we can fix that by
> creating said object. But what to do on 'busy' ? Surely you don't want
> to create another. You'd have to somehow retrofit something to wait on
> in every user.
Using little words.
A return of true from inc_not_zero means we took a reference.
A return of false means we did not take a reference.
The code already handles I took a reference or I did not take a
reference.
Therefore lying with refcount_t is not helpful. It takes failures
the code could easily handle and turns them into leaks.
At least that is how I have seen reference counts used. And those
are definitely the plane obivous semantics.
Your changes are definitely not drop in replacements for atomic_t in my
code.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@infradead.org>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Greg KH <gregkh@linuxfoundation.org>,
Ingo Molnar <mingo@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
Manfred Spraul <manfred@colorfullife.com>,
"axboe\@kernel.dk" <axboe@kernel.dk>,
James Bottomley <James.Bottomley@hansenpartnership.com>,
"x86\@kernel.org" <x86@kernel.org>,
Ingo Molnar <mingo@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
"David S. Miller" <davem@davemloft.net>,
Rik van Riel <riel@redhat.com>,
linux-arch <linux-arch@vger.kernel.org>,
"kernel-hardening\@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/3] ipc subsystem refcounter conversions
Date: Mon, 29 May 2017 05:49:53 -0500 [thread overview]
Message-ID: <87a85wvsxa.fsf@xmission.com> (raw)
In-Reply-To: <20170529102442.gerbzxzixllen46q@hirez.programming.kicks-ass.net> (Peter Zijlstra's message of "Mon, 29 May 2017 12:24:42 +0200")
Peter Zijlstra <peterz@infradead.org> writes:
> On Mon, May 29, 2017 at 04:11:13AM -0500, Eric W. Biederman wrote:
>
>> Kees I I have a concern:
>>
>> __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
>> {
>> unsigned int new, val = atomic_read(&r->refs);
>>
>> do {
>> if (!val)
>> return false;
>>
>> if (unlikely(val == UINT_MAX))
>> return true;
>>
>> new = val + i;
>> if (new < val)
>> new = UINT_MAX;
>>
>> } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
>>
>> WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
>>
>> return true;
>> }
>>
>> Why in the world do you succeed when you the value saturates????
>
> Why not? On saturation the object will leak and returning a reference to
> it is always good.
>
>> From a code perspective that is bizarre. The code already has to handle
>> the case when the counter does not increment.
>
> I don't see it as bizarre, we turned an overflow/use-after-free into a
> leak. That's the primary mechanism here.
>
> As long as we have a reference to a leaked object, we might as well use
> it, its not going anywhere.
>
>> Fixing the return value would move refcount_t into the realm of
>> something that is desirable because it has bettern semantics and
>> is more useful just on a day to day correctness point of view. Even
>> ignoring the security implications.
>
> It changes the semantics between inc_not_zero() and inc(). It also
> complicates the semantics of inc_not_zero(), where currently the failure
> implies the count is 0 and means no-such-object, you complicate matters
> by basically returning 'busy'.
Busy is not a state of a reference count.
It is true I am suggesting treating something with a saturated reference
as not available. If that is what you mean by busy. But if it's
reference is zero it is also not available. So there is no practical
difference.
> That is a completely new class of failure that is actually hard to deal
> with, not to mention that it completely destroys refcount_inc_not_zero()
> being a 'simple' replacement for atomic_inc_not_zero().
>
> In case of the current failure, the no-such-object, we can fix that by
> creating said object. But what to do on 'busy' ? Surely you don't want
> to create another. You'd have to somehow retrofit something to wait on
> in every user.
Using little words.
A return of true from inc_not_zero means we took a reference.
A return of false means we did not take a reference.
The code already handles I took a reference or I did not take a
reference.
Therefore lying with refcount_t is not helpful. It takes failures
the code could easily handle and turns them into leaks.
At least that is how I have seen reference counts used. And those
are definitely the plane obivous semantics.
Your changes are definitely not drop in replacements for atomic_t in my
code.
Eric
next prev parent reply other threads:[~2017-05-29 10:49 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-20 11:29 [PATCH 0/3] ipc subsystem refcounter conversions Elena Reshetova
2017-02-20 11:29 ` [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t Elena Reshetova
2017-05-27 19:41 ` Kees Cook
2017-05-28 12:10 ` Manfred Spraul
2017-02-20 11:29 ` [PATCH 2/3] ipc: convert sem_undo_list.refcnt " Elena Reshetova
2017-05-27 19:44 ` Kees Cook
2017-02-20 11:29 ` [PATCH 3/3] ipc: convert ipc_rcu.refcount " Elena Reshetova
2017-05-27 19:47 ` Kees Cook
2017-02-20 11:42 ` [PATCH 0/3] ipc subsystem refcounter conversions Andy Shevchenko
2017-02-20 12:30 ` Reshetova, Elena
2017-02-22 15:41 ` Davidlohr Bueso
2017-03-04 0:23 ` Andrew Morton
2017-03-06 9:51 ` Reshetova, Elena
2017-05-27 19:58 ` [kernel-hardening] " Kees Cook
2017-05-27 19:58 ` Kees Cook
2017-05-27 19:58 ` Kees Cook
2017-05-29 8:39 ` [kernel-hardening] " Christoph Hellwig
2017-05-29 8:39 ` Christoph Hellwig
2017-05-29 8:39 ` Christoph Hellwig
2017-05-29 9:11 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 9:11 ` Eric W. Biederman
2017-05-29 10:24 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 10:24 ` Peter Zijlstra
2017-05-29 10:49 ` Eric W. Biederman [this message]
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 10:49 ` Eric W. Biederman
2017-05-29 11:30 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:30 ` Eric W. Biederman
2017-05-29 11:39 ` [kernel-hardening] " Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 11:39 ` Eric W. Biederman
2017-05-29 12:23 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 12:23 ` Peter Zijlstra
2017-05-29 12:23 ` Peter Zijlstra
2017-05-29 15:43 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 15:43 ` Peter Zijlstra
2017-05-29 15:43 ` Peter Zijlstra
2017-05-29 12:13 ` [kernel-hardening] " Peter Zijlstra
2017-05-29 12:13 ` Peter Zijlstra
2017-05-29 12:13 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a85wvsxa.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=arozansk@redhat.com \
--cc=axboe@kernel.dk \
--cc=dave@stgolabs.net \
--cc=davem@davemloft.net \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=serge@hallyn.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.