From: ebiederm@xmission.com (Eric W. Biederman)
To: Alexey Gladkov <gladkov.alexey@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>, Kees Cook <keescook@chromium.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Jann Horn <jannh@google.com>, LKML <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>, Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
io-uring <io-uring@vger.kernel.org>
Subject: Re: [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting
Date: Tue, 19 Jan 2021 19:57:36 -0600 [thread overview]
Message-ID: <87eeig74kv.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20210118205629.zro2qkd3ut42bpyq@example.org> (Alexey Gladkov's message of "Mon, 18 Jan 2021 21:56:29 +0100")
Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> On Mon, Jan 18, 2021 at 12:34:29PM -0800, Linus Torvalds wrote:
>> On Mon, Jan 18, 2021 at 11:46 AM Alexey Gladkov
>> <gladkov.alexey@gmail.com> wrote:
>> >
>> > Sorry about that. I thought that this code is not needed when switching
>> > from int to refcount_t. I was wrong.
>>
>> Well, you _may_ be right. I personally didn't check how the return
>> value is used.
>>
>> I only reacted to "it certainly _may_ be used, and there is absolutely
>> no comment anywhere about why it wouldn't matter".
>
> I have not found examples where checked the overflow after calling
> refcount_inc/refcount_add.
>
> For example in kernel/fork.c:2298 :
>
> current->signal->nr_threads++;
> atomic_inc(¤t->signal->live);
> refcount_inc(¤t->signal->sigcnt);
>
> $ semind search signal_struct.sigcnt
> def include/linux/sched/signal.h:83 refcount_t sigcnt;
> m-- kernel/fork.c:723 put_signal_struct if (refcount_dec_and_test(&sig->sigcnt))
> m-- kernel/fork.c:1571 copy_signal refcount_set(&sig->sigcnt, 1);
> m-- kernel/fork.c:2298 copy_process refcount_inc(¤t->signal->sigcnt);
>
> It seems to me that the only way is to use __refcount_inc and then compare
> the old value with REFCOUNT_MAX
>
> Since I have not seen examples of such checks, I thought that this is
> acceptable. Sorry once again. I have not tried to hide these changes.
The current ucount code does check for overflow and fails the increment
in every case.
So arguably it will be a regression and inferior error handling behavior
if the code switches to the ``better'' refcount_t data structure.
I originally didn't use refcount_t because silently saturating and not
bothering to handle the error makes me uncomfortable.
Not having to acquire the ucounts_lock every time seems nice. Perhaps
the path forward would be to start with stupid/correct code that always
takes the ucounts_lock for every increment of ucounts->count, that is
later replaced with something more optimal.
Not impacting performance in the non-namespace cases and having good
performance in the other cases is a fundamental requirement of merging
code like this.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Alexey Gladkov <gladkov.alexey@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
io-uring <io-uring@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Jann Horn <jannh@google.com>, Jens Axboe <axboe@kernel.dk>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting
Date: Tue, 19 Jan 2021 19:57:36 -0600 [thread overview]
Message-ID: <87eeig74kv.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20210118205629.zro2qkd3ut42bpyq@example.org> (Alexey Gladkov's message of "Mon, 18 Jan 2021 21:56:29 +0100")
Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> On Mon, Jan 18, 2021 at 12:34:29PM -0800, Linus Torvalds wrote:
>> On Mon, Jan 18, 2021 at 11:46 AM Alexey Gladkov
>> <gladkov.alexey@gmail.com> wrote:
>> >
>> > Sorry about that. I thought that this code is not needed when switching
>> > from int to refcount_t. I was wrong.
>>
>> Well, you _may_ be right. I personally didn't check how the return
>> value is used.
>>
>> I only reacted to "it certainly _may_ be used, and there is absolutely
>> no comment anywhere about why it wouldn't matter".
>
> I have not found examples where checked the overflow after calling
> refcount_inc/refcount_add.
>
> For example in kernel/fork.c:2298 :
>
> current->signal->nr_threads++;
> atomic_inc(¤t->signal->live);
> refcount_inc(¤t->signal->sigcnt);
>
> $ semind search signal_struct.sigcnt
> def include/linux/sched/signal.h:83 refcount_t sigcnt;
> m-- kernel/fork.c:723 put_signal_struct if (refcount_dec_and_test(&sig->sigcnt))
> m-- kernel/fork.c:1571 copy_signal refcount_set(&sig->sigcnt, 1);
> m-- kernel/fork.c:2298 copy_process refcount_inc(¤t->signal->sigcnt);
>
> It seems to me that the only way is to use __refcount_inc and then compare
> the old value with REFCOUNT_MAX
>
> Since I have not seen examples of such checks, I thought that this is
> acceptable. Sorry once again. I have not tried to hide these changes.
The current ucount code does check for overflow and fails the increment
in every case.
So arguably it will be a regression and inferior error handling behavior
if the code switches to the ``better'' refcount_t data structure.
I originally didn't use refcount_t because silently saturating and not
bothering to handle the error makes me uncomfortable.
Not having to acquire the ucounts_lock every time seems nice. Perhaps
the path forward would be to start with stupid/correct code that always
takes the ucounts_lock for every increment of ucounts->count, that is
later replaced with something more optimal.
Not impacting performance in the non-namespace cases and having good
performance in the other cases is a fundamental requirement of merging
code like this.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Alexey Gladkov <gladkov.alexey@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
io-uring <io-uring@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux Containers <containers@lists.linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
Andrew Morton <akpm@linux-foundation.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Jann Horn <jannh@google.com>, Jens Axboe <axboe@kernel.dk>,
Kees Cook <keescook@chromium.org>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting
Date: Tue, 19 Jan 2021 19:57:36 -0600 [thread overview]
Message-ID: <87eeig74kv.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20210118205629.zro2qkd3ut42bpyq@example.org> (Alexey Gladkov's message of "Mon, 18 Jan 2021 21:56:29 +0100")
Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> On Mon, Jan 18, 2021 at 12:34:29PM -0800, Linus Torvalds wrote:
>> On Mon, Jan 18, 2021 at 11:46 AM Alexey Gladkov
>> <gladkov.alexey@gmail.com> wrote:
>> >
>> > Sorry about that. I thought that this code is not needed when switching
>> > from int to refcount_t. I was wrong.
>>
>> Well, you _may_ be right. I personally didn't check how the return
>> value is used.
>>
>> I only reacted to "it certainly _may_ be used, and there is absolutely
>> no comment anywhere about why it wouldn't matter".
>
> I have not found examples where checked the overflow after calling
> refcount_inc/refcount_add.
>
> For example in kernel/fork.c:2298 :
>
> current->signal->nr_threads++;
> atomic_inc(¤t->signal->live);
> refcount_inc(¤t->signal->sigcnt);
>
> $ semind search signal_struct.sigcnt
> def include/linux/sched/signal.h:83 refcount_t sigcnt;
> m-- kernel/fork.c:723 put_signal_struct if (refcount_dec_and_test(&sig->sigcnt))
> m-- kernel/fork.c:1571 copy_signal refcount_set(&sig->sigcnt, 1);
> m-- kernel/fork.c:2298 copy_process refcount_inc(¤t->signal->sigcnt);
>
> It seems to me that the only way is to use __refcount_inc and then compare
> the old value with REFCOUNT_MAX
>
> Since I have not seen examples of such checks, I thought that this is
> acceptable. Sorry once again. I have not tried to hide these changes.
The current ucount code does check for overflow and fails the increment
in every case.
So arguably it will be a regression and inferior error handling behavior
if the code switches to the ``better'' refcount_t data structure.
I originally didn't use refcount_t because silently saturating and not
bothering to handle the error makes me uncomfortable.
Not having to acquire the ucounts_lock every time seems nice. Perhaps
the path forward would be to start with stupid/correct code that always
takes the ucounts_lock for every increment of ucounts->count, that is
later replaced with something more optimal.
Not impacting performance in the non-namespace cases and having good
performance in the other cases is a fundamental requirement of merging
code like this.
Eric
next prev parent reply other threads:[~2021-01-20 1:58 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-15 14:57 [RFC PATCH v3 0/8] Count rlimits in each user namespace Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-18 6:06 ` c25050162e: WARNING:at_lib/refcount.c:#refcount_warn_saturate kernel test robot
2021-01-18 6:06 ` kernel test robot
2021-01-18 6:06 ` kernel test robot
2021-01-18 19:14 ` [RFC PATCH v3 1/8] Use refcount_t for ucounts reference counting Linus Torvalds
2021-01-18 19:14 ` Linus Torvalds
2021-01-18 19:14 ` Linus Torvalds
2021-01-18 19:45 ` Alexey Gladkov
2021-01-18 19:45 ` Alexey Gladkov
2021-01-18 20:34 ` Linus Torvalds
2021-01-18 20:34 ` Linus Torvalds
2021-01-18 20:34 ` Linus Torvalds
2021-01-18 20:56 ` Alexey Gladkov
2021-01-18 20:56 ` Alexey Gladkov
2021-01-19 4:35 ` Kaiwan N Billimoria
2021-01-19 4:35 ` Kaiwan N Billimoria
2021-01-19 4:35 ` Kaiwan N Billimoria
2021-01-20 1:57 ` Eric W. Biederman [this message]
2021-01-20 1:57 ` Eric W. Biederman
2021-01-20 1:57 ` Eric W. Biederman
2021-01-20 1:58 ` Eric W. Biederman
2021-01-20 1:58 ` Eric W. Biederman
2021-01-20 1:58 ` Eric W. Biederman
2021-01-21 12:04 ` Alexey Gladkov
2021-01-21 12:04 ` Alexey Gladkov
2021-01-21 15:50 ` Eric W. Biederman
2021-01-21 15:50 ` Eric W. Biederman
2021-01-21 15:50 ` Eric W. Biederman
2021-01-21 16:07 ` Alexey Gladkov
2021-01-21 16:07 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 2/8] Add a reference to ucounts for each cred Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 22:15 ` kernel test robot
2021-01-16 2:29 ` kernel test robot
2021-01-18 6:47 ` 14c3c8a27f: kernel_BUG_at_kernel/cred.c kernel test robot
2021-01-18 6:47 ` kernel test robot
2021-01-18 6:47 ` kernel test robot
2021-01-18 8:31 ` [PATCH v4 2/8] Add a reference to ucounts for each cred Alexey Gladkov
2021-01-18 8:31 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 3/8] Move RLIMIT_NPROC counter to ucounts Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 4/8] Move RLIMIT_MSGQUEUE " Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 5/8] Move RLIMIT_SIGPENDING " Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 6/8] Move RLIMIT_MEMLOCK " Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 7/8] Move RLIMIT_NPROC check to the place where we increment the counter Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
2021-01-15 14:57 ` [RFC PATCH v3 8/8] kselftests: Add test to check for rlimit changes in different user namespaces Alexey Gladkov
2021-01-15 14:57 ` Alexey Gladkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eeig74kv.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=containers@lists.linux-foundation.org \
--cc=gladkov.alexey@gmail.com \
--cc=io-uring@vger.kernel.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.