Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1266264pxb; Thu, 21 Oct 2021 19:55:23 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzqTnvdGTCvRlxPDCEqrgt73Esks6OlW3o6zDLcXBCrAfMcZv96baVJrJ8Izr+E5kWRsR3A X-Received: by 2002:a17:907:e94:: with SMTP id ho20mr12152816ejc.243.1634871322891; Thu, 21 Oct 2021 19:55:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634871322; cv=none; d=google.com; s=arc-20160816; b=D3aRyKRJ2C0rb9bwkaBTL73OnINRxF/l6mQMxoQ20VHDy37+MqghIodFUXMRw/9u5q q+ESgqOXwdQECbdyn3y7+ZGT8l3QWIT9MHru4Q8kDm8Y4LzbjY5cca6KJuDIQOH0rq5D Kqgdz+HqAbMtw/CcvK4HCdXMnIPNOIQUXQS0Eb1fdu/NB+0yEwWTZi8H6vO6MRMH2b/T 3EPaHcDrzTtXc2RrzlkRmh2xUwsWHgoH0cGA1iZn3Tp0IcUsGo3C0PBlzj8yUgoSMhnw 6/9Eh9eXwhRt/U/YCbhSwB9LytsPDaSgWL6rkXTkymUaOdIsl7uLGjStveDbMcoRwS1E Bw6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=/RK/wdF1GRTSU2I1E2l6/JpXVG/VOyOcXLh+7Ph1Lgk=; b=RGkpYQi0gGlbMSDLLTydUdpVd0CfdCHRDbr5SJlmeXZChQbMDsOFLj5wju7xFNXgee DudWODYej5C68ifRGLZTnk/72MgfoJ9xhiIcYilvN/Sh1l/OQwdI+KEUvEwrRjKFTVX3 czS3yO7MW/oXNz8CGMh/q5WfqW3nefNuMECKG14YzwxJAJBBsUQvzWUOeoU9Dg3L7HD/ WeEGBXvrKufnAq6UsO7m4jeedDRiQ27rnmF7Lhmsa/wdOpfHt0ccHGsXTTl+w7vrJ+6D 8IHt7W3qLpURYYAyaSfvFV1jaaKUEJWzAnXPkp5u0e5qEa850PsoHT5dcCcFLKik+24b 2zKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=MYl6fk54; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ho40si11920511ejc.137.2021.10.21.19.54.59; Thu, 21 Oct 2021 19:55:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=MYl6fk54; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232586AbhJVCza (ORCPT + 99 others); Thu, 21 Oct 2021 22:55:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:33312 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232556AbhJVCz3 (ORCPT ); Thu, 21 Oct 2021 22:55:29 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B5D266135E; Fri, 22 Oct 2021 02:53:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1634871193; bh=ZOyHbxAA1KVGEYcWxP49OLWHjX0kWfehynxD5OBUUVw=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=MYl6fk548La85NrwC/69S4sKIJvdsbVdNXs9wgOfrX7zVeEh/JVjMuVJBaPLdbpOv yHO9iNYMoEIeXZ4Knv8ctrzbhv+1IHA7gfgUii2lsO4Z1rDVMBq+9Vt7vQ5kaYqlcd ZuG4B+l/nqSUKKafT4TqvA0ZbCZUdliClZeG8epA= Date: Thu, 21 Oct 2021 19:53:11 -0700 From: Andrew Morton To: Kees Cook Cc: Mike Rapoport , Jordy Zomer , linux-mm@kvack.org, Dmitry Vyukov , James Bottomley , David Hildenbrand , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] mm/secretmem: Avoid letting secretmem_users drop to zero Message-Id: <20211021195311.6058b90f573641542605dae4@linux-foundation.org> In-Reply-To: <20211021154046.880251-1-keescook@chromium.org> References: <20211021154046.880251-1-keescook@chromium.org> X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.31; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 21 Oct 2021 08:40:46 -0700 Kees Cook wrote: > Quoting Dmitry: "refcount_inc() needs to be done before fd_install(). > After fd_install() finishes, the fd can be used by userspace and we can > have secret data in memory before the refcount_inc(). > > A straightforward mis-use where a user will predict the returned fd > in another thread before the syscall returns and will use it to store > secret data is somewhat dubious because such a user just shoots themself > in the foot. > > But a more interesting mis-use would be to close the predicted fd and > decrement the refcount before the corresponding refcount_inc, this way > one can briefly drop the refcount to zero while there are other users > of secretmem." > > Move fd_install() after refcount_inc(). I added cc:stable. Or doesn't the benefit/risk ratio justify that?