public inbox for linux-arch@vger.kernel.org
From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
	Christoph Hellwig <hch@infradead.org>,
	Peter Zijlstra <peterz@infradead.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Jann Horn <jannh@google.com>, Eric Biggers <ebiggers3@gmail.com>,
	Elena Reshetova <elena.reshetova@intel.com>,
	Hans Liljestrand <ishkamiel@gmail.com>,
	David Windsor <dwindsor@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Ingo Molnar <mingo@redhat.com>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	arozansk@redhat.com, Davidlohr Bueso <dave@stgolabs.net>,
	Manfred Spraul <manfred@colorfullife.com>,
	"axboe@kernel.dk" <axboe@kernel.dk>,
	James Bottomley <James.Bottomley@hansenpartner>
Subject: Re: [PATCH v2] refcount: Create unchecked atomic_t implementation
Date: Wed, 21 Jun 2017 11:57:15 +0200	[thread overview]
Message-ID: <20170621095715.zf57frodvjmhdttg@gmail.com> (raw)
In-Reply-To: <20170608025831.GA43608@beast>


* Kees Cook <keescook@chromium.org> wrote:

> Many subsystems will not use refcount_t unless there is a way to build the
> kernel so that there is no regression in speed compared to atomic_t. This
> adds CONFIG_REFCOUNT_FULL to enable the full refcount_t implementation
> which has the validation but is slightly slower. When not enabled,
> refcount_t uses the basic unchecked atomic_t routines, which results in
> no code changes compared to just using atomic_t directly.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> This is v2 of this patch, which I've split from the arch-specific
> alternative implementation for x86. Getting this patch in will unblock
> atomic_t -> refcount_t conversion, and the x86 alternative implementation
> can be developed in parallel. Changes from v1: use better atomic ops,
> thanks to Elena and Peter.
> ---
>  arch/Kconfig             |  9 +++++++++
>  include/linux/refcount.h | 44 ++++++++++++++++++++++++++++++++++++++++++++
>  lib/refcount.c           |  3 +++
>  3 files changed, 56 insertions(+)

Looks almost good - sans a few stylistic nits:

> 
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 6c00e5b00f8b..fba3bf186728 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -867,4 +867,13 @@ config STRICT_MODULE_RWX
>  config ARCH_WANT_RELAX_ORDER
>  	bool
>  
> +config REFCOUNT_FULL
> +	bool "Perform full reference count validation at the expense of speed"
> +	help
> +	  Enabling this switches the refcounting infrastructure from a fast
> +	  unchecked atomic_t implementation to a fully state checked
> +	  implementation, which can be slower but provides protections
> +	  against various use-after-free conditions that can be used in
> +	  security flaw exploits.
> +
>  source "kernel/gcov/Kconfig"
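
Review bot: the new `config REFCOUNT_FULL` has no `default` line, so every configuration that does not explicitly select it gets the unchecked variant, and the help text never says so. Since the commit message describes that variant as "no code changes compared to just using atomic_t", the help text should state plainly that with the option disabled refcount_t performs no overflow or zero-count checking, so that people reviewing distribution configs make a deliberate choice rather than silently inheriting the fast path.
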
> diff --git a/include/linux/refcount.h b/include/linux/refcount.h
> index b34aa649d204..099c32bd07b2 100644
> --- a/include/linux/refcount.h
> +++ b/include/linux/refcount.h
> @@ -41,6 +41,7 @@ static inline unsigned int refcount_read(const refcount_t *r)
>  	return atomic_read(&r->refs);
>  }
>  
> +#ifdef CONFIG_REFCOUNT_FULL
>  extern __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r);
>  extern void refcount_add(unsigned int i, refcount_t *r);
>  
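
Review bot: the `#ifdef CONFIG_REFCOUNT_FULL` opened here guards only the `extern` prototypes in `refcount.h`; the definitions live in `lib/refcount.c`, which the diffstat shows growing by three lines, so please confirm that the same symbol wraps the whole of that file. Otherwise the checked implementation is still compiled and linked into a kernel whose callers can never reach it, and a mismatch between the two guards would leave the prototypes and the definitions disagreeing on which functions exist.
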
> @@ -52,6 +53,49 @@ extern void refcount_sub(unsigned int i, refcount_t *r);
>  
>  extern __must_check bool refcount_dec_and_test(refcount_t *r);
>  extern void refcount_dec(refcount_t *r);
> +#else
> +static inline __must_check bool refcount_add_not_zero(unsigned int i,
> +						      refcount_t *r)
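
Review bot: the inline `refcount_add_not_zero` in the `#else` branch replaces a `__must_check bool` prototype, so callers built against either configuration depend on one contract: return `false` only when the count is already zero and leave it untouched in that case, `true` otherwise. The body is not quoted here, so that cannot be checked from this hunk; a short comment above the `#else` block stating that the unchecked variants keep the full variants' return semantics (minus the saturation and warnings) would help, since this is the branch most kernels will build.
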

Please keep it on a single, slightly over-long line instead of the ugly line break
in the middle of the list of parameters ...

There's other such uglies in the patch as well.

Thanks,

	Ingo
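
The checked versus unchecked behaviour the commit message describes, as an added userspace model in C that is not the patch's code or the kernel's: `full_add_not_zero` saturates and pins the count on overflow, while `fast_add_not_zero` behaves like plain atomic_t and wraps. The type name `model_refcount_t`, the function names and the scenario values are assumptions of this example.

```c
/* Added example, not from the patch or the kernel: a userspace model of the two
 * refcount_t flavours CONFIG_REFCOUNT_FULL selects between, built on C11
 * <stdatomic.h>; every name and value below is an assumption of this example. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>

typedef struct { atomic_uint refs; } model_refcount_t;

/* Unchecked flavour (!CONFIG_REFCOUNT_FULL): plain atomic_t arithmetic, so an
 * increment past UINT_MAX silently wraps the count back towards zero. */
static bool fast_add_not_zero(unsigned int i, model_refcount_t *r)
{
	unsigned int old = atomic_load(&r->refs);
	do {
		if (old == 0)
			return false;	/* never resurrect an object already at zero */
	} while (!atomic_compare_exchange_weak(&r->refs, &old, old + i));
	return true;
}

/* Checked flavour (CONFIG_REFCOUNT_FULL): an overflow saturates at UINT_MAX and
 * stays pinned there, so the object leaks instead of becoming freeable in use. */
static bool full_add_not_zero(unsigned int i, model_refcount_t *r)
{
	unsigned int new, old = atomic_load(&r->refs);
	do {
		if (old == 0)
			return false;
		if (old == UINT_MAX)
			return true;	/* already saturated, leave it pinned */
		new = old + i;
		if (new < old)
			new = UINT_MAX;	/* wrapped: saturate instead of going to zero */
	} while (!atomic_compare_exchange_weak(&r->refs, &old, new));
	return true;
}

/* Constructed scenario: start a count at `start`, bump it by `i` with the chosen
 * flavour and return where it lands; from UINT_MAX - 1 plus 2 the unchecked
 * flavour yields 0, the checked one UINT_MAX. */
static unsigned int add_demo(bool full, unsigned int start, unsigned int i)
{
	model_refcount_t r;
	atomic_store(&r.refs, start);
	(full ? full_add_not_zero : fast_add_not_zero)(i, &r);
	return atomic_load(&r.refs);
}
```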

