From: David Windsor <dwindsor@gmail.com> To: Bruce Fields <bfields@fieldses.org> Cc: Jeff Layton <jlayton@poochiereds.net>, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook <keescook@chromium.org>, "Reshetova, Elena" <elena.reshetova@intel.com> Subject: Re: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session Date: Sat, 11 Feb 2017 20:42:04 -0500 [thread overview] Message-ID: <CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com> (raw) In-Reply-To: <20170212011521.GD2768@fieldses.org> On Sat, Feb 11, 2017 at 8:15 PM, Bruce Fields <bfields@fieldses.org> wrote: > On Sat, Feb 11, 2017 at 07:31:42AM -0500, Jeff Layton wrote: >> The basic idea here is that nfsv4 sessions have a "resting state" of 0. >> We want to keep them around, but if they go "dead" then we we'll tear >> them down if they aren't actively in use at the time. So, we still free >> the thing when the refcount goes to zero, but we have an extra condition >> before we free it on the put -- that the session is also "dead" (meaning >> that the client asked us to destroy it). >> >> Your patch doesn't look like it'll break anything, but I personally find >> it harder to follow that way. The freeable reference state will be 1 >> instead of the normal 0. > > Alas, I don't have any examples in mind, but doesn't this pattern happen > all over? > The majority of refcounted objects are allocated with refcount=1: the very fact that they're being allocated means that they already have a user. The issue with struct nfsd4_session is that, like struct nfs4_client, references to it are only taken when the server is actively working on it. Its default "resting state" is with refcount=0. I would like to make its default resting state with refcount=1. In other cases similar to this, we've gotten around it by doing a semantic +1 to the object's overall refcounting scheme. Jeff suggested taking an additional reference in init_session(), and dropping it in is_session_dead(), after determining, in fact, that the object is DEAD. > You have objects that live in some data structure. They're freed only > when they're removed from the data structure. You want removal to fail > whenever they're in use. > When they're in use, these objects' refcount should be > 0. > So it's natural to use an atomic counter to track the number of external > users and some other lock to serialize lookup and destruction. > When considering refcounted objects, the most "natural" interpretation of refcount=0 means that the object no longer has any users and can be freed. Increments on objects with refcount=0 shouldn't be allowed, as this may indicate a use-after-free condition. This discussion is difficult because the refcount_t API hasn't yet been introduced. The purpose of that API is to eliminate use-after-free bugs. > --b.
WARNING: multiple messages have this Message-ID (diff)
From: David Windsor <dwindsor@gmail.com> To: Bruce Fields <bfields@fieldses.org> Cc: Jeff Layton <jlayton@poochiereds.net>, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook <keescook@chromium.org>, "Reshetova, Elena" <elena.reshetova@intel.com> Subject: [kernel-hardening] Re: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session Date: Sat, 11 Feb 2017 20:42:04 -0500 [thread overview] Message-ID: <CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com> (raw) In-Reply-To: <20170212011521.GD2768@fieldses.org> On Sat, Feb 11, 2017 at 8:15 PM, Bruce Fields <bfields@fieldses.org> wrote: > On Sat, Feb 11, 2017 at 07:31:42AM -0500, Jeff Layton wrote: >> The basic idea here is that nfsv4 sessions have a "resting state" of 0. >> We want to keep them around, but if they go "dead" then we we'll tear >> them down if they aren't actively in use at the time. So, we still free >> the thing when the refcount goes to zero, but we have an extra condition >> before we free it on the put -- that the session is also "dead" (meaning >> that the client asked us to destroy it). >> >> Your patch doesn't look like it'll break anything, but I personally find >> it harder to follow that way. The freeable reference state will be 1 >> instead of the normal 0. > > Alas, I don't have any examples in mind, but doesn't this pattern happen > all over? > The majority of refcounted objects are allocated with refcount=1: the very fact that they're being allocated means that they already have a user. The issue with struct nfsd4_session is that, like struct nfs4_client, references to it are only taken when the server is actively working on it. Its default "resting state" is with refcount=0. I would like to make its default resting state with refcount=1. In other cases similar to this, we've gotten around it by doing a semantic +1 to the object's overall refcounting scheme. Jeff suggested taking an additional reference in init_session(), and dropping it in is_session_dead(), after determining, in fact, that the object is DEAD. > You have objects that live in some data structure. They're freed only > when they're removed from the data structure. You want removal to fail > whenever they're in use. > When they're in use, these objects' refcount should be > 0. > So it's natural to use an atomic counter to track the number of external > users and some other lock to serialize lookup and destruction. > When considering refcounted objects, the most "natural" interpretation of refcount=0 means that the object no longer has any users and can be freed. Increments on objects with refcount=0 shouldn't be allowed, as this may indicate a use-after-free condition. This discussion is difficult because the refcount_t API hasn't yet been introduced. The purpose of that API is to eliminate use-after-free bugs. > --b.
next prev parent reply other threads:[~2017-02-12 1:42 UTC|newest] Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-02-09 7:38 [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session David Windsor 2017-02-09 7:38 ` [kernel-hardening] " David Windsor 2017-02-09 7:38 ` David Windsor 2017-02-11 6:42 ` David Windsor 2017-02-11 6:42 ` [kernel-hardening] " David Windsor [not found] ` <CAEXv5_jUa8Av4JABoKSAueiLHSLzibMvaE-8DrVcxZHFceckMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2017-02-11 12:31 ` Jeff Layton 2017-02-11 12:31 ` [kernel-hardening] " Jeff Layton 2017-02-11 12:31 ` Jeff Layton [not found] ` <1486816302.4233.29.camel-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org> 2017-02-11 14:01 ` David Windsor 2017-02-11 14:01 ` [kernel-hardening] " David Windsor 2017-02-11 14:01 ` David Windsor 2017-02-11 14:09 ` Jeff Layton 2017-02-11 14:09 ` [kernel-hardening] " Jeff Layton [not found] ` <CAEXv5_gd7F-eaazzU1BWPzH4huhEcO1Y-FWov5UP9T+6R+fv-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2017-02-13 10:38 ` Christoph Hellwig 2017-02-13 10:38 ` [kernel-hardening] " Christoph Hellwig 2017-02-13 10:38 ` Christoph Hellwig [not found] ` <20170213103815.GA5131-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> 2017-02-13 11:42 ` David Windsor 2017-02-13 11:42 ` [kernel-hardening] " David Windsor 2017-02-13 11:42 ` David Windsor [not found] ` <CAEXv5_g=DS4wk0mgZuw-doVCqountb-CxZki1LOoQH-P7W1U4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2017-02-13 12:12 ` Christoph Hellwig 2017-02-13 12:12 ` [kernel-hardening] " Christoph Hellwig 2017-02-13 12:12 ` Christoph Hellwig 2017-02-14 13:48 ` David Windsor 2017-02-14 13:48 ` [kernel-hardening] " David Windsor 2017-02-12 1:15 ` Bruce Fields 2017-02-12 1:15 ` [kernel-hardening] " Bruce Fields 2017-02-12 1:15 ` Bruce Fields 2017-02-12 1:42 ` David Windsor [this message] 2017-02-12 1:42 ` [kernel-hardening] " David Windsor 2017-02-13 10:54 ` Hans Liljestrand 2017-02-13 10:54 ` Hans Liljestrand 2017-02-13 11:46 ` David Windsor [not found] ` <CAEXv5_hP39k7HSLP-G_khx7MMQHnk=8Z5caa+U5n3bYvUTE1gQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2017-02-15 16:45 ` Bruce Fields 2017-02-15 16:45 ` Bruce Fields
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com \ --to=dwindsor@gmail.com \ --cc=bfields@fieldses.org \ --cc=elena.reshetova@intel.com \ --cc=jlayton@poochiereds.net \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-nfs@vger.kernel.org \ --cc=netdev@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.