From: David Windsor <dwindsor@gmail.com>
To: Bruce Fields <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@poochiereds.net>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
"Reshetova, Elena" <elena.reshetova@intel.com>
Subject: Re: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session
Date: Sat, 11 Feb 2017 20:42:04 -0500 [thread overview]
Message-ID: <CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com> (raw)
In-Reply-To: <20170212011521.GD2768@fieldses.org>
On Sat, Feb 11, 2017 at 8:15 PM, Bruce Fields <bfields@fieldses.org> wrote:
> On Sat, Feb 11, 2017 at 07:31:42AM -0500, Jeff Layton wrote:
>> The basic idea here is that nfsv4 sessions have a "resting state" of 0.
>> We want to keep them around, but if they go "dead" then we we'll tear
>> them down if they aren't actively in use at the time. So, we still free
>> the thing when the refcount goes to zero, but we have an extra condition
>> before we free it on the put -- that the session is also "dead" (meaning
>> that the client asked us to destroy it).
>>
>> Your patch doesn't look like it'll break anything, but I personally find
>> it harder to follow that way. The freeable reference state will be 1
>> instead of the normal 0.
>
> Alas, I don't have any examples in mind, but doesn't this pattern happen
> all over?
>
The majority of refcounted objects are allocated with refcount=1: the
very fact that they're being allocated means that they already have a
user.
The issue with struct nfsd4_session is that, like struct nfs4_client,
references to it are only taken when the server is actively working on
it. Its default "resting state" is with refcount=0.
I would like to make its default resting state with refcount=1. In
other cases similar to this, we've gotten around it by doing a
semantic +1 to the object's overall refcounting scheme.
Jeff suggested taking an additional reference in init_session(), and
dropping it in is_session_dead(), after determining, in fact, that the
object is DEAD.
> You have objects that live in some data structure. They're freed only
> when they're removed from the data structure. You want removal to fail
> whenever they're in use.
>
When they're in use, these objects' refcount should be > 0.
> So it's natural to use an atomic counter to track the number of external
> users and some other lock to serialize lookup and destruction.
>
When considering refcounted objects, the most "natural" interpretation
of refcount=0 means that the object no longer has any users and can be
freed. Increments on objects with refcount=0 shouldn't be allowed, as
this may indicate a use-after-free condition.
This discussion is difficult because the refcount_t API hasn't yet
been introduced. The purpose of that API is to eliminate
use-after-free bugs.
> --b.
WARNING: multiple messages have this Message-ID (diff)
From: David Windsor <dwindsor@gmail.com>
To: Bruce Fields <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@poochiereds.net>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
"Reshetova, Elena" <elena.reshetova@intel.com>
Subject: [kernel-hardening] Re: [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session
Date: Sat, 11 Feb 2017 20:42:04 -0500 [thread overview]
Message-ID: <CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com> (raw)
In-Reply-To: <20170212011521.GD2768@fieldses.org>
On Sat, Feb 11, 2017 at 8:15 PM, Bruce Fields <bfields@fieldses.org> wrote:
> On Sat, Feb 11, 2017 at 07:31:42AM -0500, Jeff Layton wrote:
>> The basic idea here is that nfsv4 sessions have a "resting state" of 0.
>> We want to keep them around, but if they go "dead" then we we'll tear
>> them down if they aren't actively in use at the time. So, we still free
>> the thing when the refcount goes to zero, but we have an extra condition
>> before we free it on the put -- that the session is also "dead" (meaning
>> that the client asked us to destroy it).
>>
>> Your patch doesn't look like it'll break anything, but I personally find
>> it harder to follow that way. The freeable reference state will be 1
>> instead of the normal 0.
>
> Alas, I don't have any examples in mind, but doesn't this pattern happen
> all over?
>
The majority of refcounted objects are allocated with refcount=1: the
very fact that they're being allocated means that they already have a
user.
The issue with struct nfsd4_session is that, like struct nfs4_client,
references to it are only taken when the server is actively working on
it. Its default "resting state" is with refcount=0.
I would like to make its default resting state with refcount=1. In
other cases similar to this, we've gotten around it by doing a
semantic +1 to the object's overall refcounting scheme.
Jeff suggested taking an additional reference in init_session(), and
dropping it in is_session_dead(), after determining, in fact, that the
object is DEAD.
> You have objects that live in some data structure. They're freed only
> when they're removed from the data structure. You want removal to fail
> whenever they're in use.
>
When they're in use, these objects' refcount should be > 0.
> So it's natural to use an atomic counter to track the number of external
> users and some other lock to serialize lookup and destruction.
>
When considering refcounted objects, the most "natural" interpretation
of refcount=0 means that the object no longer has any users and can be
freed. Increments on objects with refcount=0 shouldn't be allowed, as
this may indicate a use-after-free condition.
This discussion is difficult because the refcount_t API hasn't yet
been introduced. The purpose of that API is to eliminate
use-after-free bugs.
> --b.
next prev parent reply other threads:[~2017-02-12 1:42 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-09 7:38 [RFC][PATCH] nfsd: add +1 to reference counting scheme for struct nfsd4_session David Windsor
2017-02-09 7:38 ` [kernel-hardening] " David Windsor
2017-02-09 7:38 ` David Windsor
2017-02-11 6:42 ` David Windsor
2017-02-11 6:42 ` [kernel-hardening] " David Windsor
[not found] ` <CAEXv5_jUa8Av4JABoKSAueiLHSLzibMvaE-8DrVcxZHFceckMg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-11 12:31 ` Jeff Layton
2017-02-11 12:31 ` [kernel-hardening] " Jeff Layton
2017-02-11 12:31 ` Jeff Layton
[not found] ` <1486816302.4233.29.camel-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>
2017-02-11 14:01 ` David Windsor
2017-02-11 14:01 ` [kernel-hardening] " David Windsor
2017-02-11 14:01 ` David Windsor
2017-02-11 14:09 ` Jeff Layton
2017-02-11 14:09 ` [kernel-hardening] " Jeff Layton
[not found] ` <CAEXv5_gd7F-eaazzU1BWPzH4huhEcO1Y-FWov5UP9T+6R+fv-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-13 10:38 ` Christoph Hellwig
2017-02-13 10:38 ` [kernel-hardening] " Christoph Hellwig
2017-02-13 10:38 ` Christoph Hellwig
[not found] ` <20170213103815.GA5131-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2017-02-13 11:42 ` David Windsor
2017-02-13 11:42 ` [kernel-hardening] " David Windsor
2017-02-13 11:42 ` David Windsor
[not found] ` <CAEXv5_g=DS4wk0mgZuw-doVCqountb-CxZki1LOoQH-P7W1U4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-13 12:12 ` Christoph Hellwig
2017-02-13 12:12 ` [kernel-hardening] " Christoph Hellwig
2017-02-13 12:12 ` Christoph Hellwig
2017-02-14 13:48 ` David Windsor
2017-02-14 13:48 ` [kernel-hardening] " David Windsor
2017-02-12 1:15 ` Bruce Fields
2017-02-12 1:15 ` [kernel-hardening] " Bruce Fields
2017-02-12 1:15 ` Bruce Fields
2017-02-12 1:42 ` David Windsor [this message]
2017-02-12 1:42 ` [kernel-hardening] " David Windsor
2017-02-13 10:54 ` Hans Liljestrand
2017-02-13 10:54 ` Hans Liljestrand
2017-02-13 11:46 ` David Windsor
[not found] ` <CAEXv5_hP39k7HSLP-G_khx7MMQHnk=8Z5caa+U5n3bYvUTE1gQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-02-15 16:45 ` Bruce Fields
2017-02-15 16:45 ` Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEXv5_ggWO39MBZu_y5z4hKuN9xRUrxM4xh30MaapR6smus3_g@mail.gmail.com \
--to=dwindsor@gmail.com \
--cc=bfields@fieldses.org \
--cc=elena.reshetova@intel.com \
--cc=jlayton@poochiereds.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-nfs@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.