From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.6 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6230C43387 for ; Wed, 16 Jan 2019 11:49:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 836CB20657 for ; Wed, 16 Jan 2019 11:49:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="XBDV5mv8" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732657AbfAPLth (ORCPT ); Wed, 16 Jan 2019 06:49:37 -0500 Received: from mail-io1-f65.google.com ([209.85.166.65]:37338 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392564AbfAPLsy (ORCPT ); Wed, 16 Jan 2019 06:48:54 -0500 Received: by mail-io1-f65.google.com with SMTP id g8so4657473iok.4 for ; Wed, 16 Jan 2019 03:48:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7ACHI8wbIcFEZRLHjFXJSjay7XbVtHTV0YO3anElFaM=; b=XBDV5mv8iLCpbhQSInzaR/tvm1Iw64m3JMzAjIsML0vay2k9Cadlz4xZ0AXPr5UfX8 Y72pfgj4+/b/eMTeWYGYqEjMkGShxcovke/wQJPE8d0eVs9u26jMVpVmm0a41/zM2WkU HQlqTKhi9gfG8/Rech6/olJH6JuafdlltZqccO9DVPFiLk+Al+3Y6mZySS9m/HKpvins +WZEygTijDc99sDZbq3vooDxgmz7zbOyXPZbGWvKsNMVX7P2LPfNmgZ9k8gkJMuCUe0j xzAiHETf18XLZbZ/RbwKKkBuzvetliXyi/WPYYKRdwJaQXHVE/yf8a3HUs2ciUv8jrZQ vJcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7ACHI8wbIcFEZRLHjFXJSjay7XbVtHTV0YO3anElFaM=; b=FuhNVAKO+j22zX8zoOM4BEdQU2gojngULFnFsZny2pQA4H9hhGzWUqCziJEU3cf5ba ewSxddCZWDYeWn6MByarpeYhGjPR14wbXECGGf/S3bKrVRBBfKBMZIiXL/v2WPsnORes Wfjub0Fi857SA8cfx18T2kTngRUUx983/Lf7pJErvLsjf8t6m6oJcFeL4+sZw3b5led3 6Jety17iQ3AigTadIYSt6nJhRuCu6BnEqoD5LKgsGuICd/nTxAk8lLsrESVpjcDW6ua7 WoJ5fIA3e9+GlQefffA5g8qFpU+LseOko+ltkb/oTgT0dARpQut/6Jy49UtO27J3kqWr OmfA== X-Gm-Message-State: AJcUukc3Exe/Mpt3QuNY7qjnywzg/NlUDus1QdE3dWXencPA01Aw+sGQ jIBOXU9fYoyu7dL9mFwanPmOn/u087ZA0f3+WRFPsQ== X-Google-Smtp-Source: ALg8bN6hr23tXMVGliPEbxl1uivI9/bX2kIS66/8pzVJ2tZua+gYyublDHme9/j/C9hqkrj8VB1VTOpbNoasOu3pufM= X-Received: by 2002:a5d:8491:: with SMTP id t17mr4595820iom.11.1547639333196; Wed, 16 Jan 2019 03:48:53 -0800 (PST) MIME-Version: 1.0 References: <1547201433-10231-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> <04c6d87c-fc26-b994-3b34-947414984abe@i-love.sakura.ne.jp> <54b68f21-c8b5-7074-74e0-06e3d7ee4003@i-love.sakura.ne.jp> <20190116104308.GC26069@quack2.suse.cz> In-Reply-To: From: Dmitry Vyukov Date: Wed, 16 Jan 2019 12:48:41 +0100 Message-ID: Subject: Re: [PATCH] fs: ratelimit __find_get_block_slow() failure message. To: Jan Kara , Linus Torvalds , Greg Kroah-Hartman , Kees Cook Cc: Tetsuo Handa , Al Viro , linux-fsdevel , Kostya Serebryany Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Wed, Jan 16, 2019 at 12:03 PM Dmitry Vyukov wrote: > > On Wed, Jan 16, 2019 at 11:43 AM Jan Kara wrote: > > > > On Wed 16-01-19 10:47:56, Dmitry Vyukov wrote: > > > On Fri, Jan 11, 2019 at 1:46 PM Tetsuo Handa > > > wrote: > > > > > > > > On 2019/01/11 19:48, Dmitry Vyukov wrote: > > > > >> How did you arrive to the conclusion that it is harmless? > > > > >> There is only one relevant standard covering this, which is the C > > > > >> language standard, and it is very clear on this -- this has Undefined > > > > >> Behavior, that is the same as, for example, reading/writing random > > > > >> pointers. > > > > >> > > > > >> Check out this on how any race that you might think is benign can be > > > > >> badly miscompiled and lead to arbitrary program behavior: > > > > >> https://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong > > > > > > > > > > Also there is no other practical definition of data race for automatic > > > > > data race detectors than: two conflicting non-atomic concurrent > > > > > accesses. Which this code is. Which means that if we continue writing > > > > > such code we are not getting data race detection and don't detect > > > > > thousands of races in kernel code that one may consider more harmful > > > > > than this one the easy way. And instead will spent large amounts of > > > > > time to fix some of then the hard way, and leave the rest as just too > > > > > hard to debug so let the kernel continue crashing from time to time (I > > > > > believe a portion of currently open syzbot bugs that developers just > > > > > left as "I don't see how this can happen" are due to such races). > > > > > > > > > > > > > I still cannot catch. Read/write of sizeof(long) bytes at naturally > > > > aligned address is atomic, isn't it? > > > > > > Nobody guarantees this. According to C non-atomic conflicting > > > reads/writes of sizeof(long) cause undefined behavior of the whole > > > program. > > > > Yes, but to be fair the kernel has always relied on long accesses to be > > atomic pretty heavily so that it is now de-facto standard for the kernel > > AFAICT. I understand this makes life for static checkers hard but such is > > reality. > > Yes, but nobody never defined what "a long access" means. And if you > see a function that accepts a long argument and stores it into a long > field, no, it does not qualify. I bet this will come at surprise to > lots of developers. > Check out this fix and try to extrapolate how this "function stores > long into a long leads to a serious security bug" can actually be > applied to whole lot of places after inlining (or when somebody just > slightly shuffles code in a way that looks totally safe) that also > kinda look safe and atomic: > https://lore.kernel.org/patchwork/patch/599779/ > So where is the boundary between "a long access" that is atomic and > the one that is not necessary atomic? +Linus, Greg, Kees I wanted to provide a hash/link to this commit but, wait, you want to say that this patch for a security bugs was mailed, recorded by patchwork, acked by subsystem developer and then dropped on the floor for 3+ years? Doh! https://lore.kernel.org/patchwork/patch/599779/ There are known ways how to make this not a thing at all. Like open pull requests on github: https://github.com/google/syzkaller/pulls or, some projects even do own dashboard for this: https://dev.golang.org/reviews because this is important. Especially for new contributors, drive-by improvements, good samaritan fixes, etc. Another example: a bug-fixing patch was lost for 2 years: "Two years ago ;) I don't understand why there were ignored" https://www.spinics.net/lists/linux-mm/msg161351.html Another example: a patch is applied to a subsystem tree and then lost for 6 months: https://patchwork.kernel.org/patch/10339089/