linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: kernel-hardening@lists.openwall.com
Cc: Will Deacon <will.deacon@arm.com>,
	Elena Reshetova <elena.reshetova@intel.com>,
	keescook@chromium.org, arnd@arndb.de, tglx@linutronix.de,
	mingo@redhat.com, h.peter.anvin@intel.com,
	linux-kernel@vger.kernel.org
Subject: Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC
Date: Thu, 10 Nov 2016 23:27:44 +0100	[thread overview]
Message-ID: <20161110222744.GD8086@kroah.com> (raw)
In-Reply-To: <20161110211310.GX3117@twins.programming.kicks-ass.net>

On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote:
> On Thu, Nov 10, 2016 at 08:48:38PM +0000, Will Deacon wrote:
> > > That said, I still don't much like this.
> > > 
> > > I would much rather you make kref useful and use that. It still means
> > > you get to audit all refcounts in the kernel, but hey, you had to do
> > > that anyway.
> > 
> > What needs to happen to kref to make it useful? Like many others, I've
> > been guilty of using atomic_t for refcounts in the past.
> 
> As it stands kref is a pointless wrapper. If it were to provide
> something actually useful, like wrap protection, then it might actually
> make sense to use it.

It provides the correct cleanup ability for a reference count and the
object it is in, so it's not all that pointless :)

But I'm always willing to change it to make it work better for people,
if kref did the wrapping protection (i.e. used a non-wrapping atomic
type), then you would have that.  I thought that was what this patchset
provided...

And yes, this is a horridly large patchset.  I've looked at these
changes, and in almost all of them, people are using atomic_t as merely
a "counter" for something (sequences, rx/tx stats, etc), to get away
without having to lock it with an external lock.

So, does it make more sense to just provide a "pointless" api for this
type of "counter" pattern:
	counter_inc()
	counter_dec()
	counter_read()
	counter_set()
	counter_add()
	counter_subtract()
Those would use the wrapping atomic type, as they can wrap all they want
and no one really is in trouble.  Once those changes are done, just make
atomic_t not wrap and all should be fine, no other code should need to
be changed.

We can bikeshed on the function names for a while, to let everyone feel
they contributed (counter, kcount, ksequence, sequence_t, cnt_t, etc.)...

And yes, out-of-tree code will work differently, but really, the worse
that could happen is their "sequence number" stops wrapping :)

Would that be a better way to implement this?

thanks,

greg k-h

  parent reply	other threads:[~2016-11-10 22:27 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1478809488-18303-1-git-send-email-elena.reshetova@intel.com>
2016-11-10 20:37 ` [RFC v4 PATCH 00/13] HARDENED_ATOMIC Peter Zijlstra
2016-11-10 20:48   ` Will Deacon
2016-11-10 21:01     ` Kees Cook
2016-11-10 21:23       ` [kernel-hardening] " David Windsor
2016-11-10 21:27         ` Kees Cook
2016-11-10 21:39           ` David Windsor
2016-11-10 21:39         ` Peter Zijlstra
2016-11-10 21:13     ` Peter Zijlstra
2016-11-10 21:23       ` Kees Cook
2016-11-11  4:25         ` [kernel-hardening] " Rik van Riel
2016-11-10 22:27       ` Greg KH [this message]
2016-11-10 23:15         ` Kees Cook
2016-11-10 23:38           ` Greg KH
2016-11-10 23:57           ` Peter Zijlstra
2016-11-11  0:29             ` Colin Vidal
2016-11-11 12:41               ` Mark Rutland
2016-11-11 12:47                 ` Peter Zijlstra
2016-11-11 13:00                   ` Peter Zijlstra
2016-11-11 14:39                     ` Thomas Gleixner
2016-11-11 14:48                       ` Peter Zijlstra
2016-11-11 23:07                     ` Peter Zijlstra
2016-11-13 11:03             ` Greg KH
2016-11-10 20:56   ` Kees Cook
2016-11-11  3:20     ` [kernel-hardening] " David Windsor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161110222744.GD8086@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=arnd@arndb.de \
    --cc=elena.reshetova@intel.com \
    --cc=h.peter.anvin@intel.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=tglx@linutronix.de \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).