From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 736D4C433F5 for ; Tue, 26 Oct 2021 00:18:01 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 0C81760F92 for ; Tue, 26 Oct 2021 00:18:00 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0C81760F92 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 519A18000A; Mon, 25 Oct 2021 20:18:00 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4C932940007; Mon, 25 Oct 2021 20:18:00 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 38FED8000A; Mon, 25 Oct 2021 20:18:00 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0022.hostedemail.com [216.40.44.22]) by kanga.kvack.org (Postfix) with ESMTP id 2631A940007 for ; Mon, 25 Oct 2021 20:18:00 -0400 (EDT) Received: from smtpin40.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id DA6B132608 for ; Tue, 26 Oct 2021 00:17:59 +0000 (UTC) X-FDA: 78736675878.40.83C832A Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by imf10.hostedemail.com (Postfix) with ESMTP id EB7386001981 for ; Tue, 26 Oct 2021 00:17:52 +0000 (UTC) Received: by mail-pg1-f172.google.com with SMTP id m21so12303986pgu.13 for ; Mon, 25 Oct 2021 17:17:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=8SzW5TJvKJhLV5Zb7k2R+KxmVSWy5yO4Y3SYbKAXh8Y=; b=jUSJH9FB1tQe74x33ZsBbEMJRUwlkMpP2TT6GO7KJQf1dWq9E8iu/VGwfwSTCqfPZ4 An3XWfhGyxe5rotkQV0Lev2wj7RbjRdVvxLMq0NjH6jJarolN1T0mcxM5/KMUVMw88ie 1rh+0GNZH8lBRHYRp4TICNUoXnUdvNTd6DdpY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=8SzW5TJvKJhLV5Zb7k2R+KxmVSWy5yO4Y3SYbKAXh8Y=; b=G0HdOLhP2t80kOZElWpE3QgR1IyzuDAn/oQVyCB2ovarsMexyfXV6oNL3s07x/q6Xv 78/smHAgFV2+AFnb5G2lmZ4X6qVRiEytGaBFRbsd2T7Pcx0VngfDVwDOdPZGARVm89Yk DfxAmKLjFOhqOTgNOJ+Q4LkM0/Ys4sbClN3kULpcj+CBXWSftwg+0Ya+kFfDeSImZLH4 jhErkO6784zN+hyGgU+9vKTvM48YaBLvMcD+bx0PYd3bTXV4QMVC8EK3yqCIkuJ3Oo5g dM1LaRg/oa1Vwlm1DH+tHvtuqiUq2bW2GieQc5LwYEsX0GwE1jgVEP8d7Q2fZkUdOT7v rLVw== X-Gm-Message-State: AOAM531SMz2ITMaFs/prfRgM6Y5F7FWyD+b/jf+arcdTVr2MNNOqVcy/ fbG3LG1ERlbgkHiqNPZquTuxqg== X-Google-Smtp-Source: ABdhPJyEdi3xPL0NDkl6Hyn+8btHTGELKeAAX9vWElqHXOKofWKODgkdIRn1+plw8MBs2/Pc+oylqw== X-Received: by 2002:a63:1406:: with SMTP id u6mr16303404pgl.106.1635207478435; Mon, 25 Oct 2021 17:17:58 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id d17sm7971251pfj.98.2021.10.25.17.17.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Oct 2021 17:17:57 -0700 (PDT) Date: Mon, 25 Oct 2021 17:17:57 -0700 From: Kees Cook To: Linus Torvalds Cc: Matthew Wilcox , Linux Kernel Mailing List , Linux-MM , Jordy Zomer , James Bottomley , Mike Rapoport , Andrew Morton Subject: Re: [PATCH] secretmem: Prevent secretmem_users from wrapping to zero Message-ID: <202110251706.BBEE1428@keescook> References: <20211025181634.3889666-1-willy@infradead.org> <202110251225.D01841AE67@keescook> <202110251402.ADFA4D41BF@keescook> <202110251438.1762406A5@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Stat-Signature: 5qapcygepxk88trjf4egfjyj9hckpasw Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=jUSJH9FB; spf=pass (imf10.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.172 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: EB7386001981 X-HE-Tag: 1635207472-769175 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Oct 25, 2021 at 04:37:01PM -0700, Linus Torvalds wrote: > If we want other semantics, it should be a new type. Okay, that's reasonable. > > I see that is more like a "shared resource usage count" where the shared > > resource doesn't necessarily disappear when we reach "no users"? > > So I think that's really "atomic_t". > > And instead of saturating, people should always check such shared > resources for limits. Right, but people make mistakes, etc. I agree about the limit being much more sane than saturating (though in the cases of "missed decrement"), we get to the same place: an open-coded check for the limit that never goes down doesn't matter if it's refcount_t nor atomic_t. :) > > i.e. there is some resource, and it starts its life with no one using it > > (count = 1). > > You are already going off into the weeds. > > That's not a natural thing to do. It's already confusing. Really. Read > that sentence yourself, and read it like an outsider. > > "No one is using it, so count == 1" is a nonsensican statement on the > face of it. > > You are thinking of a refcount_t trick, not some sane semantics. > > Yes, we have played off-by-one games in the kernel before. We've done > it for various subtle reasons. Right, sure, but it's not a rare pattern. Given that it exists, and that it _does_ get used for allocation management (e.g. module loader), it seems worth constructing a proper type for it so that all the open coded stuff around these instances can be consolidated, and the API can be defined in a way that will behave sanely. > I really don't see what's wrong with 'atomic_t', and just checking for limits. It's that last part. :) If we go through atomic_dec() see a zero and do something, okay, fine. But these places need to check for insane conditions too ("we got a -1 back -- this means there's a bug but what do we do?"). Same for atomic_inc(): "oh, we're at our limit, do something", but what above discovering ourselves above the limit? There's nothing about using the atomic_t primitives that enforces these kinds of checks. (And there likely shouldn't be for atomic_t -- it's a plain type.) But we likely need something that fills in this API gap between atomic_t and refcount_t. > So if a user can ever trigger a saturating counter, that's a big big > problem in itself. Yes! It is. :) But they don't get to gain control over a Use-after-Free. The risk to the system is DoS instead of loss of execution control. That's a meaningful risk downgrade. So, what's the right semantics for an atomic type that could be used in the module loader, that would catch kernel counting bugs in a safe manner? The "refcount_t but 1-based" is close, but clearly not the right name. :) -- Kees Cook