From: Peter Zijlstra <peterz@infradead.org>
To: Dmitry Safonov <dima@arista.com>
Cc: linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
"David S. Miller" <davem@davemloft.net>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>, Jason Baron <jbaron@akamai.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Salam Noureddine <noureddine@arista.com>,
Steven Rostedt <rostedt@goodmis.org>,
netdev@vger.kernel.org
Subject: Re: [PATCH v6 1/5] jump_label: Prevent key->enabled int overflow
Date: Fri, 25 Nov 2022 08:59:42 +0100 [thread overview]
Message-ID: <Y4B17nBArWS1Iywo@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20221123173859.473629-2-dima@arista.com>
On Wed, Nov 23, 2022 at 05:38:55PM +0000, Dmitry Safonov wrote:
> 1. With CONFIG_JUMP_LABEL=n static_key_slow_inc() doesn't have any
> protection against key->enabled refcounter overflow.
> 2. With CONFIG_JUMP_LABEL=y static_key_slow_inc_cpuslocked()
> still may turn the refcounter negative as (v + 1) may overflow.
>
> key->enabled is indeed a ref-counter as it's documented in multiple
> places: top comment in jump_label.h, Documentation/staging/static-keys.rst,
> etc.
>
> As -1 is reserved for static key that's in process of being enabled,
> functions would break with negative key->enabled refcount:
> - for CONFIG_JUMP_LABEL=n negative return of static_key_count()
> breaks static_key_false(), static_key_true()
> - the ref counter may become 0 from negative side by too many
> static_key_slow_inc() calls and lead to use-after-free issues.
>
> These flaws result in that some users have to introduce an additional
> mutex and prevent the reference counter from overflowing themselves,
> see bpf_enable_runtime_stats() checking the counter against INT_MAX / 2.
>
> Prevent the reference counter overflow by checking if (v + 1) > 0.
> Change functions API to return whether the increment was successful.
>
> Signed-off-by: Dmitry Safonov <dima@arista.com>
> Acked-by: Jakub Kicinski <kuba@kernel.org>
This looks good to me:
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
What is the plan for merging this? I'm assuming it would want to go
through the network tree, but as already noted earlier it depends on a
patch I have in tip/locking/core.
Now I checked, tip/locking/core is *just* that one patch, so it might be
possible to merge that branch and this series into the network tree and
note that during the pull request to Linus.
next prev parent reply other threads:[~2022-11-25 8:00 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-23 17:38 [PATCH v6 0/5] net/tcp: Dynamically disable TCP-MD5 static key Dmitry Safonov
2022-11-23 17:38 ` [PATCH v6 1/5] jump_label: Prevent key->enabled int overflow Dmitry Safonov
2022-11-25 7:59 ` Peter Zijlstra [this message]
2022-11-25 14:28 ` Dmitry Safonov
2022-12-01 22:31 ` Jakub Kicinski
2022-12-01 23:17 ` Dmitry Safonov
2022-12-01 23:36 ` Jakub Kicinski
2022-12-02 0:37 ` Dmitry Safonov
2022-11-23 17:38 ` [PATCH v6 2/5] net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add() Dmitry Safonov
2022-11-23 17:38 ` [PATCH v6 3/5] net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction Dmitry Safonov
2022-12-01 19:38 ` Eric Dumazet
2022-12-02 5:05 ` Eric Dumazet
2022-12-02 5:34 ` Eric Dumazet
2022-11-23 17:38 ` [PATCH v6 4/5] net/tcp: Do cleanup on tcp_md5_key_copy() failure Dmitry Safonov
2022-12-01 19:42 ` Eric Dumazet
2022-11-23 17:38 ` [PATCH v6 5/5] net/tcp: Separate initialization of twsk Dmitry Safonov
2022-12-01 19:44 ` Eric Dumazet
2022-12-02 4:10 ` [PATCH v6 0/5] net/tcp: Dynamically disable TCP-MD5 static key patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y4B17nBArWS1Iywo@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=0x7f454c46@gmail.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dima@arista.com \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=gilligan@arista.com \
--cc=jbaron@akamai.com \
--cc=jpoimboe@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=rostedt@goodmis.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.