Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752364AbdHGOT2 (ORCPT <rfc822;w@1wt.eu>);
        Mon, 7 Aug 2017 10:19:28 -0400
Received: from mx1.redhat.com ([209.132.183.28]:53050 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752350AbdHGOTZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 Aug 2017 10:19:25 -0400
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 838A1C047B71
Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=fweimer@redhat.com
Subject: Re: [PATCH v2 0/2] mm,fork,security: introduce MADV_WIPEONFORK
To: Michal Hocko <mhocko@kernel.org>, riel@redhat.com
Cc: linux-kernel@vger.kernel.org, mike.kravetz@oracle.com,
        linux-mm@kvack.org, colm@allcosts.net, akpm@linux-foundation.org,
        keescook@chromium.org, luto@amacapital.net, wad@chromium.org,
        mingo@kernel.org, kirill@shutemov.name, dave.hansen@intel.com,
        linux-api@vger.kernel.org
References: <20170806140425.20937-1-riel@redhat.com>
 <20170807132257.GH32434@dhcp22.suse.cz>
 <20170807134648.GI32434@dhcp22.suse.cz>
From: Florian Weimer <fweimer@redhat.com>
Message-ID: <134bbcf4-5717-7f53-0bf1-57158e948bbe@redhat.com>
Date: Mon, 7 Aug 2017 16:19:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170807134648.GI32434@dhcp22.suse.cz>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Mon, 07 Aug 2017 14:19:25 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 838
Lines: 20

On 08/07/2017 03:46 PM, Michal Hocko wrote:
> How do they know that they need to regenerate if they do not get SEGV?
> Are they going to assume that a read of zeros is a "must init again"? Isn't
> that too fragile?

Why would it be fragile?  Some level of synchronization is needed to set
things up, of course, but I think it's possible to write a lock-free
algorithm to maintain the state even without strong guarantees of memory
ordering from fork.

In the DRBG uniqueness case, you don't care if you reinitialize because
it's the first use, or because a fork just happened.

In the API-mandated fork check, a detection false positive before a fork
is not acceptable (because it would prevent legitimate API use), but I
think you can deal with this case if you publish a pointer to a
pre-initialized, non-zero mapping.

Thanks,
Florian