From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 312C4C433F5 for ; Mon, 25 Oct 2021 21:04:52 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A9E9661076 for ; Mon, 25 Oct 2021 21:04:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A9E9661076 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id CD07B940008; Mon, 25 Oct 2021 17:04:50 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id C59A6940007; Mon, 25 Oct 2021 17:04:50 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id AFA77940008; Mon, 25 Oct 2021 17:04:50 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0194.hostedemail.com [216.40.44.194]) by kanga.kvack.org (Postfix) with ESMTP id 9D1F0940007 for ; Mon, 25 Oct 2021 17:04:50 -0400 (EDT) Received: from smtpin34.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 3FE0982499A8 for ; Mon, 25 Oct 2021 21:04:50 +0000 (UTC) X-FDA: 78736189140.34.7E1A287 Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by imf10.hostedemail.com (Postfix) with ESMTP id 56BD76001987 for ; Mon, 25 Oct 2021 21:04:43 +0000 (UTC) Received: by mail-pj1-f41.google.com with SMTP id t5-20020a17090a4e4500b001a0a284fcc2so422492pjl.2 for ; Mon, 25 Oct 2021 14:04:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=HDl+0lXfWPTqvJCtIEex4xl+4pLrnoKB7rFaWtkUugI=; b=IBm87Inmj1ppZK8MoWS3WHbM3mnFj6HnfzmU9Jz3Q0nBXLysCvRjnllsGt5YL89GH1 XSIUdYHMnVUCQU2aLRKOXKJyOglyg7OslW4fYfKHRGO5PZAElCHLknLXKyP8L2Q6ombV 8aL+OnBwOe+elYKUKx2bwBtLyvJOOl5cG+45U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=HDl+0lXfWPTqvJCtIEex4xl+4pLrnoKB7rFaWtkUugI=; b=mA3beJ3u0Aco8h6xhvkFiCvs+dR+NN3w1Mf1ffW4OrpA3QV3aa30YiRyXwM0bYZH8p unV3jZcxnBFXx/huz3655TweutHpv+ostYWEBkime9Wgh0EJnBjNQHLVcK5XZ/b5+SJw ro9v3AhOZYMNOi2AENldy7Fg1HH7hQbovz/ft77+lCp/JHY2SgAF/tZGNc1gBWdy0HPb 6KiX9SQJU5WT9eRG6RLX5oh/UwybHJwblabpXZorcCLfeE/jxEm8visLjpwdeeQfnqGk A5ech2caQU2Fxzx7cGyFx/a3Qz+tz9cKrLo7jJJNkKipWxicHJW5wuOgOyx+15PmkXqM rVNg== X-Gm-Message-State: AOAM533g1dI4Et/c6xgBoOgm+yL8ycjXROKxabCJACrq6GHmCl06EMm5 xj7stVGMFfKodj1gNfykMA+suA== X-Google-Smtp-Source: ABdhPJwBtqoDP78rvQu08GbpajM4wjQnhb/rT2OKnoJlMUJYv9SxNpicod/64UHypFDiBP7VcAFYdQ== X-Received: by 2002:a17:90b:1a85:: with SMTP id ng5mr34461566pjb.43.1635195888757; Mon, 25 Oct 2021 14:04:48 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id d21sm21496409pfl.135.2021.10.25.14.04.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Oct 2021 14:04:48 -0700 (PDT) Date: Mon, 25 Oct 2021 14:04:47 -0700 From: Kees Cook To: Matthew Wilcox Cc: Linus Torvalds , linux-kernel@vger.kernel.org, linux-mm@kvack.org, Jordy Zomer , James Bottomley , Mike Rapoport , Andrew Morton Subject: Re: [PATCH] secretmem: Prevent secretmem_users from wrapping to zero Message-ID: <202110251402.ADFA4D41BF@keescook> References: <20211025181634.3889666-1-willy@infradead.org> <202110251225.D01841AE67@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 56BD76001987 Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=IBm87Inm; spf=pass (imf10.hostedemail.com: domain of keescook@chromium.org designates 209.85.216.41 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Stat-Signature: pzd85seairoort6erprcd335quhsqjc5 X-Rspamd-Server: rspam06 X-HE-Tag: 1635195883-394184 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Oct 25, 2021 at 08:51:40PM +0100, Matthew Wilcox wrote: > On Mon, Oct 25, 2021 at 12:29:46PM -0700, Kees Cook wrote: > > On Mon, Oct 25, 2021 at 07:16:34PM +0100, Matthew Wilcox (Oracle) wrote: > > > Commit 110860541f44 ("mm/secretmem: use refcount_t instead of atomic_t") > > > attempted to fix the problem of secretmem_users wrapping to zero and > > > allowing suspend once again. Prevent secretmem_users from wrapping to > > > zero by forbidding new users if the number of users has wrapped from > > > positive to negative. This stops a long way short of reaching the > > > necessary 4 billion users, so there's no need to be clever with special > > > anti-wrap types or checking the return value from atomic_inc(). > > > > I still prefer refcount_t here because it provides deterministic > > saturation, but the risk right now is so narrow ("don't hibernate"), > > I'm not going to fight for it. I think it'd be fine to use it initialized > > to 1, and have the removal check for == 0 as a failure state, which would > > deterministically cover the underflow case too. > > I still think that's abusing the refcount_t pattern. refcount_t should > be for ... reference counts. Not these other things. Is secretmem different? We're trying to count how many of these we have, this is a common pattern in, for example, the network code which does this kind of thing a lot. It's just that for a "global" counter like here, we're not tied to a specific object's lifetime, but usually some global state that depends on having _any_ of the objects alive. -- Kees Cook