From: Florian Weimer <fweimer@redhat.com>
To: Theodore Ts'o <tytso@mit.edu>, Ingo Molnar <mingo@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Tejun Heo <tj@kernel.org>,
Mike Galbraith <umgwanakikbuti@gmail.com>,
Paul Turner <pjt@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Li Zefan <lizefan@huawei.com>, cgroups <cgroups@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-team <kernel-team@fb.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: Getrandom wrapper
Date: Mon, 26 Oct 2015 14:32:56 +0100 [thread overview]
Message-ID: <562E2B88.60909@redhat.com> (raw)
In-Reply-To: <20151025134000.GB13940@thunk.org>
On 10/25/2015 02:40 PM, Theodore Ts'o wrote:
> On Sun, Oct 25, 2015 at 02:17:23PM +0100, Florian Weimer wrote:
>>
>> I think we can reach consensus for an implementation which makes this code
>>
>> unsigned char session_key[32];
>> getrandom (session_key, sizeof (session_key), 0);
>> install_session_key (session_key);
>>
>> correct. That is, no error handling code for ENOMEM, ENOSYS, EINTR,
>> ENOMEM or short reads is necessary. It seems that several getrandom
>> wrappers currently built into applications do not get this completely right.
>
> The only error handling code that is necessary is a fallback for
> ENOSYS. getrandom(2) won't return ENOMEM, and if the number of bytes
> requested is less than or equal to 256 bytes, it won't return EINTR
> either.
Not even during early boot? The code suggests that you can get EINTR if
the non-blocking pool isn't initialized yet. With VMs, that
initialization can happen quite some time after boot, when the userland
is well under way.
> As far as ENOSYS is concerned, a fallback gets tricky; you could try
> to open /dev/urandom, and read from it, but that can fail due to
> EMFILE, ENFILE, ENOENT (if they are chrooted and /dev wasn't properly
> populated). So attempting a fallback for ENOSYS can actually expand
> the number of potential error conditions for the userspace application
> to (fail to) handle. I suppose you could attempt the fallback and
> call abort(2) if the fallback fails, which is probably the safe and
> secure thing to do, but applications might not appreciate getting
> terminated without getting a chance to do something (but if the
> something is just calling random(3), maybe not giving them a chance to
> do something insane is the appropriate thing to do....)
I'm more worried that the fallback code could be triggered
unexpectedly on some obscure code path that is not tested regularly, and
runs into a failure. I suspect a high-quality implementation of
getrandom would have to open /dev/random and /devurandom when the
getrandom symbol is resolved, and report failure at that point, to avoid
late surprises.
Florian
next prev parent reply other threads:[~2015-10-26 13:32 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-03 22:41 [PATCHSET sched,cgroup] sched: Implement interface for cgroup unified hierarchy Tejun Heo
2015-08-03 22:41 ` [PATCH 1/3] cgroup: define controller file conventions Tejun Heo
2015-08-04 8:48 ` Peter Zijlstra
2015-08-04 14:53 ` Tejun Heo
[not found] ` <1438641689-14655-2-git-send-email-tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2015-08-04 8:42 ` Peter Zijlstra
[not found] ` <20150804084257.GJ25159-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-08-04 14:51 ` Tejun Heo
2015-08-04 19:31 ` [PATCH v2 " Tejun Heo
[not found] ` <20150804193101.GI17598-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-05 0:39 ` Kamezawa Hiroyuki
2015-08-05 7:47 ` Michal Hocko
2015-08-06 2:30 ` Kamezawa Hiroyuki
[not found] ` <55C2C6B0.3080203-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2015-08-07 18:17 ` Michal Hocko
2015-08-17 22:04 ` Johannes Weiner
2015-08-17 21:34 ` Johannes Weiner
2015-08-03 22:41 ` [PATCH 2/3] sched: Misc preps for cgroup unified hierarchy interface Tejun Heo
2015-08-03 22:41 ` [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy Tejun Heo
2015-08-04 9:07 ` Peter Zijlstra
2015-08-04 15:10 ` Tejun Heo
[not found] ` <20150804151017.GD17598-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-05 9:10 ` Peter Zijlstra
[not found] ` <20150805091036.GT25159-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-08-05 14:31 ` Tejun Heo
[not found] ` <20150805143132.GK17598-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-17 20:35 ` Tejun Heo
[not found] ` <CAPM31RJTf0v=2v90kN6-HM9xUGab_k++upO0Ym=irmfO9+BbFw@mail.gmail.com>
2015-08-18 4:03 ` Paul Turner
2015-08-18 20:31 ` Tejun Heo
2015-08-18 23:39 ` Kamezawa Hiroyuki
2015-08-19 16:23 ` Tejun Heo
[not found] ` <20150818203117.GC15739-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-19 3:23 ` Mike Galbraith
[not found] ` <1439954620.3479.30.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-08-19 16:41 ` Tejun Heo
2015-08-20 4:00 ` Mike Galbraith
[not found] ` <1440043259.3515.84.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-08-20 7:52 ` Tejun Heo
[not found] ` <20150820075232.GA27917-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-20 8:47 ` Mike Galbraith
2015-08-21 19:26 ` Paul Turner
2015-08-22 18:29 ` Tejun Heo
[not found] ` <20150822182916.GE20768-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 15:47 ` Austin S Hemmelgarn
2015-08-24 17:04 ` Tejun Heo
[not found] ` <20150824170427.GA27262-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 19:18 ` Mike Galbraith
2015-08-24 20:00 ` Austin S Hemmelgarn
[not found] ` <55DB77F1.5080802-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-08-24 20:25 ` Tejun Heo
2015-08-24 21:00 ` Paul Turner
[not found] ` <CAPM31R+ckFO5vNG4L5+h-yokFaZQz6kHe5a+pkRCfbL0H+NjXg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 21:12 ` Tejun Heo
[not found] ` <20150824211238.GI28944-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 21:15 ` Paul Turner
2015-08-24 20:54 ` Paul Turner
[not found] ` <CAPM31RJi07qs42YsH=4JQSbZ+J-zCLv8e7yELb3tF_qAZmLqRA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 21:02 ` Tejun Heo
2015-08-24 21:10 ` Paul Turner
[not found] ` <CAPM31R+i7BD8x9h_6wZVTa0zCB7XP0SGL5dSA-n6h9PTeAEhug-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 21:17 ` Tejun Heo
[not found] ` <20150824211707.GJ28944-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 21:19 ` Paul Turner
[not found] ` <CAPM31R+vt1oAPCB-q6570RqZtJVBu5MH=gcQD2m9mjauStV7MA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 21:40 ` Tejun Heo
2015-08-24 22:03 ` Paul Turner
[not found] ` <CAPM31R+Mnk=AL6h05eMMQvPEEfnjkB3iGb+oZj28jAQ9-ajOxA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 22:49 ` Tejun Heo
[not found] ` <20150824224936.GO28944-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 23:15 ` Paul Turner
2015-08-25 2:36 ` Kamezawa Hiroyuki
[not found] ` <55DBD4A9.7080603-+CUm20s59erQFUHtdCDX3A@public.gmane.org>
2015-08-25 21:13 ` Tejun Heo
2015-08-25 9:24 ` Ingo Molnar
[not found] ` <20150825092441.GA24131-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-08-25 10:00 ` Peter Zijlstra
2015-08-25 19:18 ` Tejun Heo
2015-08-24 20:52 ` Paul Turner
2015-08-24 21:36 ` Tejun Heo
2015-08-24 21:58 ` Paul Turner
[not found] ` <CAPM31RKCO-yxtVf+iUs8FOqk6uGSyixEXtx9zSzxQ1uOGtkDqQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-24 22:19 ` Tejun Heo
[not found] ` <20150824221935.GN28944-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-08-24 23:06 ` Paul Turner
[not found] ` <CAPM31RK08pC3g9qx+TEw6PQvtHk8idKE3OALQN8cFr_QOuT3FA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-08-25 21:02 ` Tejun Heo
[not found] ` <20150825210234.GE26785-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-09-02 17:03 ` Tejun Heo
2015-09-09 12:49 ` Paul Turner
[not found] ` <CAPM31RJvrPL7S37=yhxMA5OGUFNUfPurTZ21nfH6eFRb15ZGtw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-09-12 14:40 ` Tejun Heo
[not found] ` <20150912144007.GA8942-piEFEHQLUPpN0TnZuCh8vA@public.gmane.org>
2015-09-17 14:35 ` Peter Zijlstra
[not found] ` <20150917143527.GJ3604-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-09-17 14:53 ` Tejun Heo
2015-09-17 15:42 ` Peter Zijlstra
2015-09-17 15:10 ` Peter Zijlstra
[not found] ` <20150917151049.GB11639-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2015-09-17 15:52 ` Tejun Heo
[not found] ` <20150917155245.GF7205-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-09-17 15:53 ` Peter Zijlstra
2015-09-17 23:29 ` Tejun Heo
2015-09-18 11:27 ` Paul Turner
[not found] ` <CAPM31RLAtuaDbE9+nvMvgMB8zaOpxVcriCyE9qqszNM3XXTo5Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-10-01 18:46 ` Tejun Heo
2015-10-15 11:42 ` Paul Turner
[not found] ` <CAPM31RKx0vT-9VFN=XASYM4iv4U5ZGZW93XRtJd_7mOHwu76NA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-10-23 22:21 ` Tejun Heo
2015-10-24 4:36 ` Mike Galbraith
2015-10-25 2:18 ` Tejun Heo
[not found] ` <20151025021829.GA15471-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-10-25 3:43 ` Mike Galbraith
[not found] ` <1445744613.3180.60.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-27 3:16 ` Tejun Heo
[not found] ` <20151027031656.GA11962-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-10-27 5:42 ` Mike Galbraith
[not found] ` <1445924531.2909.79.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-27 5:46 ` Tejun Heo
2015-10-27 5:56 ` Mike Galbraith
[not found] ` <1445925402.2909.86.camel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-27 6:00 ` Tejun Heo
[not found] ` <20151027060027.GA2888-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2015-10-27 6:08 ` Mike Galbraith
2015-10-25 3:54 ` Linus Torvalds
[not found] ` <CA+55aFzMdG5VPA0ZvoFANj-H-7LHeu=JUvvqPykF_w5Nd0pnSA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-10-25 9:33 ` Ingo Molnar
[not found] ` <20151025093331.GA4834-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-25 10:41 ` Theodore Ts'o
2015-10-25 10:47 ` Florian Weimer
[not found] ` <562CB328.3090906-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2015-10-25 11:58 ` Theodore Ts'o
2015-10-25 13:17 ` Florian Weimer
2015-10-25 13:40 ` Getrandom wrapper Theodore Ts'o
2015-10-26 13:32 ` Florian Weimer [this message]
2015-10-26 14:10 ` [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy Peter Zijlstra
[not found] ` <1438641689-14655-4-git-send-email-tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2015-08-04 19:32 ` [PATCH v2 " Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=562E2B88.60909@redhat.com \
--to=fweimer@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=kernel-team@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=umgwanakikbuti@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).