From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=AeVH=PN=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id F10C2C433FE
	for <linux-mm@archiver.kernel.org>; Mon, 25 Oct 2021 19:54:04 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 0B9B760D43
	for <linux-mm@archiver.kernel.org>; Mon, 25 Oct 2021 19:54:03 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0B9B760D43
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 381B980007; Mon, 25 Oct 2021 15:54:03 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 33007940007; Mon, 25 Oct 2021 15:54:03 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 1F84980007; Mon, 25 Oct 2021 15:54:03 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0201.hostedemail.com [216.40.44.201])
	by kanga.kvack.org (Postfix) with ESMTP id 0E4A6940007
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 15:54:03 -0400 (EDT)
Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay02.hostedemail.com (Postfix) with ESMTP id 9C6D131EA8
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 19:54:02 +0000 (UTC)
X-FDA: 78736010724.03.1C7F624
Received: from casper.infradead.org (casper.infradead.org [90.155.50.34])
	by imf16.hostedemail.com (Postfix) with ESMTP id 3EA90F00008C
	for <linux-mm@kvack.org>; Mon, 25 Oct 2021 19:53:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version:
	References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
	Content-Transfer-Encoding:Content-ID:Content-Description;
	bh=feiSu/V4M75PxXGyqNekfyG7331jHFrJV+X5N9qJi2U=; b=mfrmWqFYEO5Cc53hQGj5nf66Rf
	AiFAUaen0MEfEl37lAgmXxxLUYlc+Ux5/M814DgzzpY3XklmDgkQBR42DBT3Y+cDQ0X92QJzyyequ
	eRrce/W/2YkdQaAVQ827+O7s1ORPHiq10AoMtHkFkpvGWgorXxz2YUB1pA48jSPKOifGnFzLeVbv3
	43QMPCy9Cjoz7MtWqEyHUp07nIhMGn3P4GqJdgavdCue3f8RFTFTJuJPtKrkwxyY+/MunZVZt4rWn
	UXRXTenV4MzqCsxZmECbzHDhpjMEibVgmU80cjPmz+BWBG2EagBCL2TOFeN+hG1lmNotGXwgWjVc+
	qWI8u+Hw==;
Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux))
	id 1mf60S-00GO49-1g; Mon, 25 Oct 2021 19:52:32 +0000
Date: Mon, 25 Oct 2021 20:51:40 +0100
From: Matthew Wilcox <willy@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	Jordy Zomer <jordy@pwning.systems>,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	Mike Rapoport <rppt@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] secretmem: Prevent secretmem_users from wrapping to zero
Message-ID: <YXcKzKVX7NTAtvPh@casper.infradead.org>
References: <20211025181634.3889666-1-willy@infradead.org>
 <202110251225.D01841AE67@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202110251225.D01841AE67@keescook>
X-Rspamd-Queue-Id: 3EA90F00008C
Authentication-Results: imf16.hostedemail.com;
	dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=mfrmWqFY;
	spf=none (imf16.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org;
	dmarc=none
X-Stat-Signature: xfm3g7ioyb1q7qtjd5iac3xcskjgoa47
X-Rspamd-Server: rspam06
X-HE-Tag: 1635191637-708819
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Oct 25, 2021 at 12:29:46PM -0700, Kees Cook wrote:
> On Mon, Oct 25, 2021 at 07:16:34PM +0100, Matthew Wilcox (Oracle) wrote:
> > Commit 110860541f44 ("mm/secretmem: use refcount_t instead of atomic_t")
> > attempted to fix the problem of secretmem_users wrapping to zero and
> > allowing suspend once again.  Prevent secretmem_users from wrapping to
> > zero by forbidding new users if the number of users has wrapped from
> > positive to negative.  This stops a long way short of reaching the
> > necessary 4 billion users, so there's no need to be clever with special
> > anti-wrap types or checking the return value from atomic_inc().
> 
> I still prefer refcount_t here because it provides deterministic
> saturation, but the risk right now is so narrow ("don't hibernate"),
> I'm not going to fight for it. I think it'd be fine to use it initialized
> to 1, and have the removal check for == 0 as a failure state, which would
> deterministically cover the underflow case too.

I still think that's abusing the refcount_t pattern.  refcount_t should
be for ... reference counts.  Not these other things.