Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp42430pxb;
        Mon, 2 Nov 2020 13:27:38 -0800 (PST)
X-Google-Smtp-Source: ABdhPJx3C/HUrMIyTSCnCYk3dQ+dgOCYfLdItD/VK60bZHDVDvfe0xB4WPr3IRG/F0W91OaSM/9r
X-Received: by 2002:a50:c40c:: with SMTP id v12mr18602975edf.233.1604352458128;
        Mon, 02 Nov 2020 13:27:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604352458; cv=none;
        d=google.com; s=arc-20160816;
        b=vvvSqTyIpqDw5Mm+3awxAwuS+KFEe7r9Ph46k0mM1YKdweEIMrKNN6mSxBd4pOtSVa
         jdbXkkgjx2vhNKz+grWgsXwmTB1WXv2mBr7IJpamNWfbdk0wwnfXNysQlM0hIcbwQv/o
         MGcN3fxjoINs0nYugyCEJYYoGdpmGr6pV0J22FMFBjri0hOJYI4TD3G47FcSmxzjw0jX
         2SJKVv7P/lWN5uupdB6+Ug1tSnMa9hUAaRrNNDWrBJmMteHRGMeggtAaoHNC/Jud7Bx1
         kgXrDc6MDb49HPE/PS/e53YQLRMH9sxIo03A7OQvRC/oGWEaiwxXFiplZBgX0Z1SUIKb
         ulHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=Ivkoi8yVc65qQ28XQiSgVz9bf/+CPrc7tnAXrZK2AlE=;
        b=u1WDUS6QWiSs0Vkue0pcwUROvJQtXw6xXT+GtWBuXULElFtU2ZegKUK2ddFnUgDF+f
         AK68B9jz1mNG/qeZbyJd/cFkCDTKRSiIwZfHomfikJT4exUkRpWRFyOnrIvC27JQ0tIf
         95qCnLaHDSjqvc4tqjAg7UFXyzDz6fdscUmoS1it+UMpJwf09uyWQvXHI+tpeEPt1YWN
         h0NGvSNtgVfZkfUiEan6uJ06S58uI2YFnU0wDzCtr9pJh8UqaMkhE6whityIp+dB0B5U
         mUOmVe3bP/tkvD/zxEiJIKxHDg+uynbflD51L73Bpcx9e2MYfDJQ6YdsnkabmbUSmde3
         Ys6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c93si11776174edf.452.2020.11.02.13.27.15;
        Mon, 02 Nov 2020 13:27:38 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725956AbgKBVXj (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Mon, 2 Nov 2020 16:23:39 -0500
Received: from raptor.unsafe.ru ([5.9.43.93]:39096 "EHLO raptor.unsafe.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725833AbgKBVXj (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 2 Nov 2020 16:23:39 -0500
Received: from comp-core-i7-2640m-0182e6 (ip-89-103-122-167.net.upcbroadband.cz [89.103.122.167])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
        (No client certificate requested)
        by raptor.unsafe.ru (Postfix) with ESMTPSA id B766F209AF;
        Mon,  2 Nov 2020 21:23:36 +0000 (UTC)
Date:   Mon, 2 Nov 2020 22:23:32 +0100
From:   Alexey Gladkov <gladkov.alexey@gmail.com>
To:     Christian Brauner <christian.brauner@ubuntu.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        Kees Cook <keescook@chromium.org>,
        Christian Brauner <christian@brauner.io>
Subject: Re: [RFC PATCH v1 1/4] Increase size of ucounts to atomic_long_t
Message-ID: <20201102212332.zsdi2xcx6vxdh5ui@comp-core-i7-2640m-0182e6>
References: <cover.1604335819.git.gladkov.alexey@gmail.com>
 <f3c95ffedbab07f05e0e6e4e5a8bdd6c358194e7.1604335819.git.gladkov.alexey@gmail.com>
 <20201102180301.dup2cmbqdyrexp22@wittgenstein>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201102180301.dup2cmbqdyrexp22@wittgenstein>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.1 (raptor.unsafe.ru [5.9.43.93]); Mon, 02 Nov 2020 21:23:37 +0000 (UTC)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 02, 2020 at 07:03:01PM +0100, Christian Brauner wrote:
> On Mon, Nov 02, 2020 at 05:50:30PM +0100, Alexey Gladkov wrote:
> > In order to be able to use ucounts for rlimits, the size must be increased.
> > For example user_struct.mq_bytes (RLIMIT_MSGQUEUE) is unsigned long.
> 
> I don't have any issues with this change I just wonder what the exact
> reason is. It's not immediately obvious to me.

Right now user_struct.mq_bytes that is currently used for checking
RLIMIT_MSGQUEUE is unsigned log, but ucounts is signed int. The rlimit is
also unsigned long. If I migrate RLIMIT_MSGQUEUE to ucounts I will
decrease counter and possibly break backward compatibility. Technically,
it can be violated anyway.

linux/ipc/mqueue.c:376:

	mq_bytes += mq_treesize;
	spin_lock(&mq_lock);
	if (u->mq_bytes + mq_bytes < u->mq_bytes ||
	    u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
		spin_unlock(&mq_lock);
		/* mqueue_evict_inode() releases info->messages */
		ret = -EMFILE;
		goto out_inode;
	}
	u->mq_bytes += mq_bytes;
	spin_unlock(&mq_lock);

> > 
> > Signed-off-by: Alexey Gladkov <gladkov.alexey@gmail.com>
> > ---
> >  include/linux/user_namespace.h |  4 ++--
> >  kernel/ucount.c                | 14 +++++++-------
> >  2 files changed, 9 insertions(+), 9 deletions(-)
> > 
> > diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> > index 6ef1c7109fc4..fc75af812d73 100644
> > --- a/include/linux/user_namespace.h
> > +++ b/include/linux/user_namespace.h
> > @@ -86,7 +86,7 @@ struct user_namespace {
> >  	struct ctl_table_header *sysctls;
> >  #endif
> >  	struct ucounts		*ucounts;
> > -	int ucount_max[UCOUNT_COUNTS];
> > +	long ucount_max[UCOUNT_COUNTS];
> >  } __randomize_layout;
> >  
> >  struct ucounts {
> > @@ -94,7 +94,7 @@ struct ucounts {
> >  	struct user_namespace *ns;
> >  	kuid_t uid;
> >  	int count;
> > -	atomic_t ucount[UCOUNT_COUNTS];
> > +	atomic_long_t ucount[UCOUNT_COUNTS];
> >  };
> >  
> >  extern struct user_namespace init_user_ns;
> > diff --git a/kernel/ucount.c b/kernel/ucount.c
> > index 11b1596e2542..7b2bca8582ef 100644
> > --- a/kernel/ucount.c
> > +++ b/kernel/ucount.c
> > @@ -175,14 +175,14 @@ static void put_ucounts(struct ucounts *ucounts)
> >  	kfree(ucounts);
> >  }
> >  
> > -static inline bool atomic_inc_below(atomic_t *v, int u)
> > +static inline bool atomic_long_inc_below(atomic_long_t *v, int u)
> >  {
> > -	int c, old;
> > -	c = atomic_read(v);
> > +	long c, old;
> > +	c = atomic_long_read(v);
> >  	for (;;) {
> >  		if (unlikely(c >= u))
> >  			return false;
> > -		old = atomic_cmpxchg(v, c, c+1);
> > +		old = atomic_long_cmpxchg(v, c, c+1);
> >  		if (likely(old == c))
> >  			return true;
> >  		c = old;
> > @@ -199,14 +199,14 @@ struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid,
> >  		int max;
> >  		tns = iter->ns;
> >  		max = READ_ONCE(tns->ucount_max[type]);
> > -		if (!atomic_inc_below(&iter->ucount[type], max))
> > +		if (!atomic_long_inc_below(&iter->ucount[type], max))
> >  			goto fail;
> >  	}
> >  	return ucounts;
> >  fail:
> >  	bad = iter;
> >  	for (iter = ucounts; iter != bad; iter = iter->ns->ucounts)
> > -		atomic_dec(&iter->ucount[type]);
> > +		atomic_long_dec(&iter->ucount[type]);
> >  
> >  	put_ucounts(ucounts);
> >  	return NULL;
> > @@ -216,7 +216,7 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type)
> >  {
> >  	struct ucounts *iter;
> >  	for (iter = ucounts; iter; iter = iter->ns->ucounts) {
> > -		int dec = atomic_dec_if_positive(&iter->ucount[type]);
> > +		int dec = atomic_long_dec_if_positive(&iter->ucount[type]);
> >  		WARN_ON_ONCE(dec < 0);
> >  	}
> >  	put_ucounts(ucounts);
> > -- 
> > 2.25.4
> > 
> 

-- 
Rgrds, legion