From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C15BFC2D0A8 for ; Wed, 23 Sep 2020 19:31:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 56699221EF for ; Wed, 23 Sep 2020 19:31:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600889479; bh=HofJQBUkXGFQOYGL4lr+EYwXyw/QmcufSV5KnSHysj8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=t4MOlsJ/r38aXHFsAFC1IQq75A7BSfI+UBkNYwPgdqCEMjrWUjQPZh1HTRu0w/6xo 9aQc6aRT2v6k9Sx8wziTVD7W6mYdNyo/7+pqRV6LnPtOsaRR4W16CygDvTP7Clp0Hn Cyy3r9t+wWDkqlW0TwnxQodDoOM7sG9mEY5p4oNQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726621AbgIWTbS (ORCPT ); Wed, 23 Sep 2020 15:31:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:53602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726156AbgIWTbR (ORCPT ); Wed, 23 Sep 2020 15:31:17 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8DE1F21D92; Wed, 23 Sep 2020 19:31:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600889477; bh=HofJQBUkXGFQOYGL4lr+EYwXyw/QmcufSV5KnSHysj8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=we/4z+2+4D7WJJ5vgWaOXyOo3grlqL8EUDVNwV9feDwpMAF6WPssdE72scvWNi9Tv u3+DY4/hqATDmcOaw9ULuNmKLkBNVyd0rGeJNIi0j+TG0ga+pED6RmXVPwuaJaLssC rlQRy2ruZ7D3xO3mHb78XTCqPxPaLBzBuV9/oT3Y= Date: Wed, 23 Sep 2020 21:31:34 +0200 From: Greg KH To: Kees Cook Cc: devel@driverdev.osuosl.org, tkjos@android.com, surenb@google.com, linux-kernel@vger.kernel.org, hridya@google.com, arve@android.com, Shuah Khan , joel@joelfernandes.org, maco@android.com, christian@brauner.io Subject: Re: [RFC PATCH 07/11] drivers/android/binder: convert stats, transaction_log to counter_atomic Message-ID: <20200923193134.GD199068@kroah.com> References: <4fe28fc5f315657e4af276b8a3c71d80a5eaa379.1600816121.git.skhan@linuxfoundation.org> <20200923051027.GA2578443@kroah.com> <202009231204.5531FBA23F@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202009231204.5531FBA23F@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 23, 2020 at 12:04:58PM -0700, Kees Cook wrote: > On Wed, Sep 23, 2020 at 07:10:27AM +0200, Greg KH wrote: > > On Tue, Sep 22, 2020 at 07:43:36PM -0600, Shuah Khan wrote: > > > counter_atomic is introduced to be used when a variable is used as > > > a simple counter and doesn't guard object lifetimes. This clearly > > > differentiates atomic_t usages that guard object lifetimes. > > > > > > counter_atomic variables will wrap around to 0 when it overflows and > > > should not be used to guard resource lifetimes, device usage and > > > open counts that control state changes, and pm states. > > > > > > stats tracks per-process binder statistics. Unsure if there is a chance > > > of this overflowing, other than stats getting reset to 0. Convert it to > > > use counter_atomic. > > > > > > binder_transaction_log:cur is used to keep track of the current log entry > > > location. Overflow is handled in the code. Since it is used as a > > > counter, convert it to use counter_atomic. > > > > > > This conversion doesn't change the oveflow wrap around behavior. > > > > > > Signed-off-by: Shuah Khan > > > --- > > > drivers/android/binder.c | 41 ++++++++++++++++--------------- > > > drivers/android/binder_internal.h | 3 ++- > > > 2 files changed, 23 insertions(+), 21 deletions(-) > > > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > > index f936530a19b0..11a0407c46df 100644 > > > --- a/drivers/android/binder.c > > > +++ b/drivers/android/binder.c > > > @@ -66,6 +66,7 @@ > > > #include > > > #include > > > #include > > > +#include > > > > > > #include > > > #include > > > @@ -172,22 +173,22 @@ enum binder_stat_types { > > > }; > > > > > > struct binder_stats { > > > - atomic_t br[_IOC_NR(BR_FAILED_REPLY) + 1]; > > > - atomic_t bc[_IOC_NR(BC_REPLY_SG) + 1]; > > > - atomic_t obj_created[BINDER_STAT_COUNT]; > > > - atomic_t obj_deleted[BINDER_STAT_COUNT]; > > > + struct counter_atomic br[_IOC_NR(BR_FAILED_REPLY) + 1]; > > > + struct counter_atomic bc[_IOC_NR(BC_REPLY_SG) + 1]; > > > + struct counter_atomic obj_created[BINDER_STAT_COUNT]; > > > + struct counter_atomic obj_deleted[BINDER_STAT_COUNT]; > > > > These are just debugging statistics, no reason they have to be atomic > > variables at all and they should be able to just be "struct counter" > > variables instead. > > But there's no reason for them _not_ to be atomic. Please let's keep > this API as always safe. Why even provide a new foot-gun here? These are debugging things, how can you shoot yourself in the foot with that??? thanks, greg k-h