From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jens Axboe <axboe@kernel.dk>,
Peter Zijlstra <peterz@infradead.org>,
Christoph Hellwig <hch@infradead.org>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] block: switch to atomic_t for request references
Date: Mon, 6 Dec 2021 20:56:12 -0800
Message-ID: <202112062004.EFB6BFE1@keescook>
In-Reply-To: <CAHk-=whLU+dk7EmPu5UC6DDSd76_dO4bVd4BkvxmR4W5-mmAgg@mail.gmail.com>

On Mon, Dec 06, 2021 at 04:13:00PM -0800, Linus Torvalds wrote:
> On Mon, Dec 6, 2021 at 3:28 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > I'm not arguing for refcount_t -- I'm arguing for an API that isn't a
> > regression of features that have been protecting the kernel from bugs.
>
> Maybe somebody could actually just fix refcount_t instead. Somebody
> who cares about that currently horrendously bad interface.
>
> Fix it to not do the fundamentally broken saturation that actively
> destroys state: fix it to have a safe "try to increment", instead of
> an unsafe "increment and do bad things".

There would need to be a pretty hefty transition -- there are a lot of
refcount_inc() uses that would need checking and error handling (which
might not be sane to add to ancient drivers):

      2 block
      2 crypto
      2 ipc
      2 virt
      3 mm
      4 sound
      5 rust
     10 arch
     13 security
     31 kernel
     88 include
    192 fs
    192 net
    358 drivers

refcount_inc_not_zero() already uses __must_check, etc.

I'm not afraid of giant transitions, but this could be pretty tricky.
I'm open to ideas. Maybe a treewide change of refcount_inc() ->
refcount_inc_saturating() and then start fixing all the _unsafe() cases
where a sensible error path could be created and tested?

--
Kees Cook
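
Added example, not part of the message above and not kernel code: a userspace C11 model of the two increment styles the thread contrasts, showing why a "try" interface forces an error path on every caller while a saturating one does not. All model_* names, the sentinel value and the INT_MAX starting count are assumptions made for illustration.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every model_* name is hypothetical, not a kernel API. */
#define MODEL_SATURATED (INT_MIN / 2)

typedef struct { atomic_int refs; } model_ref;

/* Saturating style: returns nothing, so callers need no error path. On a
 * bad transition the counter is pinned to a sentinel: the object is leaked
 * rather than freed early, and the real count is no longer recoverable. */
static void model_inc_saturating(model_ref *r)
{
    int old = atomic_fetch_add_explicit(&r->refs, 1, memory_order_relaxed);
    if (old <= 0 || old == INT_MAX)
        atomic_store_explicit(&r->refs, MODEL_SATURATED, memory_order_relaxed);
}

/* Try style: refuses the bad transition and leaves the counter untouched,
 * but every caller must now check the result and unwind on failure. */
static bool model_try_inc(model_ref *r)
{
    int old = atomic_load_explicit(&r->refs, memory_order_relaxed);
    do {
        if (old <= 0 || old == INT_MAX)
            return false;
    } while (!atomic_compare_exchange_weak_explicit(&r->refs, &old, old + 1,
                                                    memory_order_relaxed,
                                                    memory_order_relaxed));
    return true;
}

static int model_read(model_ref *r) { return atomic_load(&r->refs); }

int main(void)
{
    model_ref a = { INT_MAX }, b = { INT_MAX };  /* constructed worst case */
    bool ok;

    model_inc_saturating(&a);
    ok = model_try_inc(&b);
    printf("saturating: refs=%d\n", model_read(&a));
    printf("try:        ok=%d refs=%d\n", ok, model_read(&b));
    return 0;
}
```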