Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1328259ybt; Sun, 14 Jun 2020 19:07:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwI2ssPGTqtLBAEm1fofM1FZPFL9d0+OV3holOcqEAhO5sOda6GyzfydvwnW2vv8u229QXx X-Received: by 2002:a17:906:81cc:: with SMTP id e12mr24541961ejx.67.1592186841525; Sun, 14 Jun 2020 19:07:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592186841; cv=none; d=google.com; s=arc-20160816; b=hN42YDhD05jNS8dHviLSKj2b2klz0ng06DkyIow5b6zb+AsknQDuc6WvMdBqx6jHQN BqEUQYJBJFSgwatGlv6usZpwXALAEP+oqgK2iFZB4+txTJq8FMherjDWvgaqnMk9Y9nT AlvWdTjtAH7oM2C3H+0QiPt0g8VWWvO01mRITM7JeAhEpU69hrvBbEYsxIIct7+BXEcD 0YW+/D8qSSEJM5X5GWJs6IJhOVGWB08um7R784sJplAqpfx0kyjAfzup7nnI8FJLf90l 6LRLbupxZ5GHikPvNZoqJJ2WyOtnxB0d87RtNDAazA50+Rb7qf4F3QJoisAAJbyFS1Wv 7vtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=jU/hKeZZ5xSQa/GV9IcSpmxcaO1za243+IuD2KkwD3k=; b=FqPkLqkFolW6PoL0zUjXslwMwHS7A8RfKtvUMHgb5fLRVlEXWr6GRb2ywzE6i9ZKDx CdoVPM9xiZxwUX1fLwgE9m/YDvToBM/l7aaVRc/I2jkY0lgrg6dE4SlibSbGF3VFmQCT 7iAtqHm1u+lKu8Sjn0rbT0hTuOVEQ/dyXafJ6katSWpzG6z9M/ynAuN944GJO0LKg9bv XAChx0iBfwENusJNpGClfrkmYwuBh7KDZGiu2NM4kzousveiaaJkQ1qiy6B+a/Cr7Ach MsrJHF0O8yYmoNPsZBc3PSueSg4Ij6nDT00J/zPD5+3zNiQ9BONNmgWGGzThAqxTZh9C M8Yg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dn1si7930360edb.500.2020.06.14.19.06.58; Sun, 14 Jun 2020 19:07:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728048AbgFOCDI (ORCPT + 99 others); Sun, 14 Jun 2020 22:03:08 -0400 Received: from szxga04-in.huawei.com ([45.249.212.190]:5886 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728031AbgFOCDI (ORCPT ); Sun, 14 Jun 2020 22:03:08 -0400 Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 2B3A86328DFCA906ECDE; Mon, 15 Jun 2020 10:03:06 +0800 (CST) Received: from [127.0.0.1] (10.67.102.197) by DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id 14.3.487.0; Mon, 15 Jun 2020 10:02:56 +0800 Subject: Re: [PATCH 3/3] creds: convert cred.usage to refcount_t To: Kees Cook , Peter Zijlstra CC: Elena Reshetova , David Windsor , Hans Liljestrand , Paul Moore , , , "David Howells" , , James Morris , , , , References: <20200612183450.4189588-1-keescook@chromium.org> <20200612183450.4189588-4-keescook@chromium.org> From: Xiaoming Ni Message-ID: Date: Mon, 15 Jun 2020 10:02:55 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2 MIME-Version: 1.0 In-Reply-To: <20200612183450.4189588-4-keescook@chromium.org> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.67.102.197] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020/6/13 2:34, Kees Cook wrote: > From: Elena Reshetova > > atomic_t variables are currently used to implement reference > counters with the following properties: > - counter is initialized to 1 using atomic_set() > - a resource is freed upon counter reaching zero > - once counter reaches zero, its further > increments aren't allowed > - counter schema uses basic atomic operations > (set, inc, inc_not_zero, dec_and_test, etc.) > > Such atomic variables should be converted to a newly provided > refcount_t type and API that prevents accidental counter overflows > and underflows. This is important since overflows and underflows > can lead to use-after-free situation and be exploitable. > > The variable cred.usage is used as pure reference counter. > Convert it to refcount_t and fix up the operations. > > **Important note for maintainers: > > Some functions from refcount_t API defined in lib/refcount.c > have different memory ordering guarantees than their atomic > counterparts.Please check Documentation/core-api/refcount-vs-atomic.rst > for more information. > > Normally the differences should not matter since refcount_t provides > enough guarantees to satisfy the refcounting use cases, but in > some rare cases it might matter. > Please double check that you don't have some undocumented > memory guarantees for this variable usage. > > For the cred.usage it might make a difference > in following places: > - get_task_cred(): increment in refcount_inc_not_zero() only > guarantees control dependency on success vs. fully ordered > atomic counterpart > - put_cred(): decrement in refcount_dec_and_test() only > provides RELEASE ordering and ACQUIRE ordering on success > vs. fully ordered atomic counterpart > > Suggested-by: Kees Cook > Signed-off-by: Elena Reshetova > Reviewed-by: David Windsor > Reviewed-by: Hans Liljestrand > Link: https://lore.kernel.org/r/20190306110549.7628-4-elena.reshetova@intel.com > Signed-off-by: Kees Cook Currently this patch is better than my RFC patch Looks good to me. Thanks Xiaoming Ni