* [PATCH v2 00/11] Introduce Simple atomic counters
From: Shuah Khan @ 2020-10-06 20:44 UTC
To: corbet, keescook, gregkh, shuah, rafael, johannes, lenb, james.morse, tony.luck, bp, arve, tkjos, maco, joel, christian, hridya, surenb, minyard, arnd, mchehab, rric
Cc: Shuah Khan, linux-doc, linux-kernel, linux-kselftest, linux-acpi, devel, openipmi-developer, linux-edac

This patch series is a result of discussion at the refcount_t BOF
at the Linux Plumbers Conference. In this discussion, we identified
a need for looking closely and investigating atomic_t usages in
the kernel when it is used strictly as a counter without it
controlling object lifetimes and state changes.

There are a number of atomic_t usages in the kernel where atomic_t api
is used strictly for counting and not for managing object lifetime. In
some cases, atomic_t might not even be needed.

The purpose of these counters is to clearly differentiate atomic_t
counters from atomic_t usages that guard object lifetimes, hence prone
to overflow and underflow errors. It allows tools that scan for underflow
and overflow on atomic_t usages to detect overflow and underflows to scan
just the cases that are prone to errors.

Simple atomic counters api provides interfaces for simple atomic counters
that just count, and don't guard resource lifetimes. Counter will wrap
around to 0 when it overflows and should not be used to guard resource
lifetimes, device usage and open counts that control state changes, and
pm states.

Using counter_atomic* to guard lifetimes could lead to use-after free
when it overflows and undefined behavior when used to manage state
changes and device usage/open states.

This patch series introduces Simple atomic counters. Counter atomic ops
leverage atomic_t and provide a sub-set of atomic_t ops.

In addition this patch series converts a few drivers to use the new api.
The following criteria is used for select variables for conversion:

1. Variable doesn't guard object lifetimes, manage state changes e.g:
   device usage counts, device open counts, and pm states.
2. Variable is used for stats and counters.
3. The conversion doesn't change the overflow behavior.

Changes since Patch v1
-- Thanks for reviews and reviewed-by, and Acked-by tags. Updated
   the patches with the tags.
-- Addressed Kees's and Joel's comments:
   1. Removed dec_return interfaces (Patch 1/11)
   2. Removed counter_simple interfaces to be added later with changes
      to drivers that use them (if any) (Patch 1/11)
   3. Comment and Changelogs updates to Patch 2/11

Kees, if this series is good, would you like to take this through your
tree or would you like to take this through mine?

Changes since RFC:
-- Thanks for reviews and reviewed-by, and Acked-by tags. Updated
   the patches with the tags.
-- Addressed Kees's comments:
   1. Non-atomic counters renamed to counter_simple32 and counter_simple64
      to clearly indicate size.
   2. Added warning for counter_simple* usage and it should be used only
      when there is no need for atomicity.
   3. Renamed counter_atomic to counter_atomic32 to clearly indicate size.
   4. Renamed counter_atomic_long to counter_atomic64 and it now uses
      atomic64_t ops and indicates size.
   5. Test updated for the API renames.
   6. Added helper functions for test results printing
   7. Verified that the test module compiles in kunit env. and test
      module can be loaded to run the test.
   8. Updated Documentation to reflect the intent to make the API
      restricted so it can never be used to guard object lifetimes
      and state management. I left _return ops for now, inc_return
      is necessary for now as per the discussion we had on this topic.
-- Updated driver patches with API name changes.
-- We discussed if binder counters can be non-atomic. For now I left
   them the same as the RFC patch - using counter_atomic32
-- Unrelated to this patch series:
   The patch series review uncovered improvements could be made to
   test_async_driver_probe and vmw_vmci/vmci_guest. I will track
   these for fixing later.

Shuah Khan (11):
  counters: Introduce counter_atomic* counters
  selftests:lib:test_counters: add new test for counters
  drivers/base: convert deferred_trigger_count and probe_count to
    counter_atomic32
  drivers/base/devcoredump: convert devcd_count to counter_atomic32
  drivers/acpi: convert seqno counter_atomic32
  drivers/acpi/apei: convert seqno counter_atomic32
  drivers/android/binder: convert stats, transaction_log to
    counter_atomic32
  drivers/base/test/test_async_driver_probe: convert to use
    counter_atomic32
  drivers/char/ipmi: convert stats to use counter_atomic32
  drivers/misc/vmw_vmci: convert num guest devices counter to
    counter_atomic32
  drivers/edac: convert pci counters to counter_atomic32

 Documentation/core-api/counters.rst          | 103 +++++++++++
 MAINTAINERS                                  |   8 +
 drivers/acpi/acpi_extlog.c                   |   5 +-
 drivers/acpi/apei/ghes.c                     |   5 +-
 drivers/android/binder.c                     |  41 ++---
 drivers/android/binder_internal.h            |   3 +-
 drivers/base/dd.c                            |  19 +-
 drivers/base/devcoredump.c                   |   5 +-
 drivers/base/test/test_async_driver_probe.c  |  23 +--
 drivers/char/ipmi/ipmi_msghandler.c          |   9 +-
 drivers/char/ipmi/ipmi_si_intf.c             |   9 +-
 drivers/edac/edac_pci.h                      |   5 +-
 drivers/edac/edac_pci_sysfs.c                |  28 +--
 drivers/misc/vmw_vmci/vmci_guest.c           |   9 +-
 include/linux/counters.h                     | 173 +++++++++++++++++++
 lib/Kconfig                                  |  10 ++
 lib/Makefile                                 |   1 +
 lib/test_counters.c                          | 157 +++++++++++++++++
 tools/testing/selftests/lib/Makefile         |   1 +
 tools/testing/selftests/lib/config           |   1 +
 tools/testing/selftests/lib/test_counters.sh |   5 +
 21 files changed, 546 insertions(+), 74 deletions(-)
 create mode 100644 Documentation/core-api/counters.rst
 create mode 100644 include/linux/counters.h
 create mode 100644 lib/test_counters.c
 create mode 100755 tools/testing/selftests/lib/test_counters.sh

-- 
2.25.1
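The distinction the cover letter draws between a counter that may wrap and one that guards a lifetime, as an added example that is not part of this thread or the patch series. It is a userspace C11 model, not the kernel's counter_atomic32 or refcount_t; `cnt32`, the helper names and the choice to saturate at UINT_MAX are assumptions made for illustration.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical userspace model; not the kernel's counter_atomic32 or refcount_t. */
typedef struct { atomic_uint v; } cnt32;

/* Wrapping ops: fine for statistics. wrap_put() models misuse as a refcount. */
static void wrap_inc(cnt32 *c) { atomic_fetch_add(&c->v, 1u); }
static bool wrap_put(cnt32 *c) { return atomic_fetch_sub(&c->v, 1u) == 1u; }

/* Saturating get: once UINT_MAX is reached the value stays pinned there. */
static void sat_get(cnt32 *c)
{
    unsigned old = atomic_load(&c->v);
    while (old != UINT_MAX && !atomic_compare_exchange_weak(&c->v, &old, old + 1u))
        ;
}

/* Saturating put: true means the caller may free the object. */
static bool sat_put(cnt32 *c)
{
    unsigned old = atomic_load(&c->v);
    do {
        if (old == UINT_MAX || old == 0u)
            return false;   /* saturated or underflow: leak, never free */
    } while (!atomic_compare_exchange_weak(&c->v, &old, old - 1u));
    return old == 1u;
}

/* Constructed state: count already at UINT_MAX, then two gets and one put. */
static bool wrapping_count_frees_live_object(void)
{
    cnt32 refs;
    atomic_init(&refs.v, UINT_MAX);
    wrap_inc(&refs);          /* wraps to 0 while references are still held */
    wrap_inc(&refs);          /* a new user takes a reference: count is 1 */
    return wrap_put(&refs);   /* count hits 0: "free" with users remaining */
}

static bool saturating_count_frees_live_object(void)
{
    cnt32 refs;
    atomic_init(&refs.v, UINT_MAX - 1u);
    sat_get(&refs);           /* reaches UINT_MAX and is pinned */
    sat_get(&refs);           /* stays at UINT_MAX */
    return sat_put(&refs);    /* false: the object is leaked, not freed */
}

int main(void) { return wrapping_count_frees_live_object() && !saturating_count_frees_live_object() ? 0 : 1; }
```

The wrapping variant reports "free" while earlier holders still exist, which is the use-after-free risk the cover letter names; the same wrap on a statistics counter only restarts the count.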
* [PATCH v2 11/11] drivers/edac: convert pci counters to counter_atomic32 2020-10-06 20:44 [PATCH v2 00/11] Introduce Simple atomic counters Shuah Khan @ 2020-10-06 20:44 ` Shuah Khan 2020-10-07 18:28 ` Kees Cook 2020-10-07 18:30 ` [PATCH v2 00/11] Introduce Simple atomic counters Kees Cook 1 sibling, 1 reply; 4+ messages in thread From: Shuah Khan @ 2020-10-06 20:44 UTC (permalink / raw) To: bp, mchehab, tony.luck, james.morse, rric, gregkh, keescook Cc: Shuah Khan, linux-edac, linux-kernel, Borislav Petkov counter_atomic* is introduced to be used when a variable is used as a simple counter and doesn't guard object lifetimes. This clearly differentiates atomic_t usages that guard object lifetimes. counter_atomic* variables will wrap around to 0 when it overflows and should not be used to guard resource lifetimes, device usage and open counts that control state changes, and pm states. atomic_t variables used for pci counters keep track of pci parity and non-parity errors. Convert them to use counter_atomic32. Overflow will wrap around and reset the counts as was the case prior to the conversion. Acked-by: Borislav Petkov <bp@suse.de> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org> --- drivers/edac/edac_pci.h | 5 +++-- drivers/edac/edac_pci_sysfs.c | 28 ++++++++++++++-------------- 2 files changed, 17 insertions(+), 16 deletions(-) diff --git a/drivers/edac/edac_pci.h b/drivers/edac/edac_pci.h index 5175f5724cfa..797b25a6afc0 100644 --- a/drivers/edac/edac_pci.h +++ b/drivers/edac/edac_pci.h @@ -30,12 +30,13 @@ #include <linux/pci.h> #include <linux/types.h> #include <linux/workqueue.h> +#include <linux/counters.h> #ifdef CONFIG_PCI struct edac_pci_counter { - atomic_t pe_count; - atomic_t npe_count; + struct counter_atomic32 pe_count; + struct counter_atomic32 npe_count; }; /* diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c index 53042af7262e..d33a726234c0 100644 --- a/drivers/edac/edac_pci_sysfs.c 
+++ b/drivers/edac/edac_pci_sysfs.c @@ -23,8 +23,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */ static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */ static int edac_pci_poll_msec = 1000; /* one second workq period */ -static atomic_t pci_parity_count = ATOMIC_INIT(0); -static atomic_t pci_nonparity_count = ATOMIC_INIT(0); +static struct counter_atomic32 pci_parity_count = COUNTER_ATOMIC_INIT(0); +static struct counter_atomic32 pci_nonparity_count = COUNTER_ATOMIC_INIT(0); static struct kobject *edac_pci_top_main_kobj; static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0); @@ -58,13 +58,13 @@ int edac_pci_get_poll_msec(void) /**************************** EDAC PCI sysfs instance *******************/ static ssize_t instance_pe_count_show(struct edac_pci_ctl_info *pci, char *data) { - return sprintf(data, "%u\n", atomic_read(&pci->counters.pe_count)); + return sprintf(data, "%u\n", counter_atomic32_read(&pci->counters.pe_count)); } static ssize_t instance_npe_count_show(struct edac_pci_ctl_info *pci, char *data) { - return sprintf(data, "%u\n", atomic_read(&pci->counters.npe_count)); + return sprintf(data, "%u\n", counter_atomic32_read(&pci->counters.npe_count)); } #define to_instance(k) container_of(k, struct edac_pci_ctl_info, kobj) @@ -553,7 +553,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) edac_printk(KERN_CRIT, EDAC_PCI, "Signaled System Error on %s\n", pci_name(dev)); - atomic_inc(&pci_nonparity_count); + counter_atomic32_inc(&pci_nonparity_count); } if (status & (PCI_STATUS_PARITY)) { @@ -561,7 +561,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) "Master Data Parity Error on %s\n", pci_name(dev)); - atomic_inc(&pci_parity_count); + counter_atomic32_inc(&pci_parity_count); } if (status & (PCI_STATUS_DETECTED_PARITY)) { 
@@ -569,7 +569,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) "Detected Parity Error on %s\n", pci_name(dev)); - atomic_inc(&pci_parity_count); + counter_atomic32_inc(&pci_parity_count); } } @@ -592,7 +592,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) edac_printk(KERN_CRIT, EDAC_PCI, "Bridge " "Signaled System Error on %s\n", pci_name(dev)); - atomic_inc(&pci_nonparity_count); + counter_atomic32_inc(&pci_nonparity_count); } if (status & (PCI_STATUS_PARITY)) { @@ -600,7 +600,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) "Master Data Parity Error on " "%s\n", pci_name(dev)); - atomic_inc(&pci_parity_count); + counter_atomic32_inc(&pci_parity_count); } if (status & (PCI_STATUS_DETECTED_PARITY)) { @@ -608,7 +608,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev) "Detected Parity Error on %s\n", pci_name(dev)); - atomic_inc(&pci_parity_count); + counter_atomic32_inc(&pci_parity_count); } } } @@ -646,7 +646,7 @@ void edac_pci_do_parity_check(void) if (!check_pci_errors) return; - before_count = atomic_read(&pci_parity_count); + before_count = counter_atomic32_read(&pci_parity_count); /* scan all PCI devices looking for a Parity Error on devices and * bridges. @@ -658,7 +658,7 @@ void edac_pci_do_parity_check(void) /* Only if operator has selected panic on PCI Error */ if (edac_pci_get_panic_on_pe()) { /* If the count is different 'after' from 'before' */ - if (before_count != atomic_read(&pci_parity_count)) + if (before_count != counter_atomic32_read(&pci_parity_count)) panic("EDAC: PCI Parity Error"); } } @@ -686,7 +686,7 @@ void edac_pci_handle_pe(struct edac_pci_ctl_info *pci, const char *msg) { /* global PE counter incremented by edac_pci_do_parity_check() */ - atomic_inc(&pci->counters.pe_count); + counter_atomic32_inc(&pci->counters.pe_count); if (edac_pci_get_log_pe()) edac_pci_printk(pci, KERN_WARNING, 
@@ -711,7 +711,7 @@ void edac_pci_handle_npe(struct edac_pci_ctl_info *pci, const char *msg) { /* global NPE counter incremented by edac_pci_do_parity_check() */ - atomic_inc(&pci->counters.npe_count); + counter_atomic32_inc(&pci->counters.npe_count); if (edac_pci_get_log_npe()) edac_pci_printk(pci, KERN_WARNING, -- 2.25.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
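Review bot: in edac_pci_do_parity_check() (the hunks at -646 and -658), pci_parity_count is not only reported: the before/after comparison of counter_atomic32_read(&pci_parity_count) decides whether panic("EDAC: PCI Parity Error") fires, which is close to the "control state changes" use that the changelog says counter_atomic32 is not meant for. An inequality test keeps working across a wrap, so behavior is unchanged, but the changelog should state why this use qualifies, or the panic decision could be driven by a local flag set during the scan instead of the statistics counter.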
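Review bot: in instance_pe_count_show() and instance_npe_count_show() the "%u" conversion is kept while the argument becomes counter_atomic32_read(); if that helper returns int as atomic_read() does, the format and the argument type disagree. Please confirm the return type and, if it is signed, cast to unsigned int at the sprintf() call so the sysfs output stays an unsigned count after a wrap.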
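Review bot: in the declarations at the top of edac_pci_sysfs.c (hunk at -23) the type is struct counter_atomic32 but the initializer is COUNTER_ATOMIC_INIT(0); since the cover letter says the type was renamed to carry its size, the initializer name should carry the size too, so it is unambiguous next to counter_atomic64 users. The neighbouring edac_pci_sysfs_refcount stays atomic_t in the context lines, which looks right for a reference count; a sentence in the changelog saying it was left unconverted on purpose would help later audits.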
* Re: [PATCH v2 11/11] drivers/edac: convert pci counters to counter_atomic32
From: Kees Cook @ 2020-10-07 18:28 UTC
To: Shuah Khan
Cc: bp, mchehab, tony.luck, james.morse, rric, gregkh, linux-edac, linux-kernel, Borislav Petkov

On Tue, Oct 06, 2020 at 02:44:42PM -0600, Shuah Khan wrote:
> counter_atomic* is introduced to be used when a variable is used as
> a simple counter and doesn't guard object lifetimes. This clearly
> differentiates atomic_t usages that guard object lifetimes.
>
> counter_atomic* variables will wrap around to 0 when it overflows and
> should not be used to guard resource lifetimes, device usage and
> open counts that control state changes, and pm states.
>
> atomic_t variables used for pci counters keep track of pci parity and
> non-parity errors. Convert them to use counter_atomic32.
>
> Overflow will wrap around and reset the counts as was the case prior to
> the conversion.
>
> Acked-by: Borislav Petkov <bp@suse.de>
> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>

Looks like pure logging. :)

Reviewed-by: Kees Cook <keescook@chromium.org>

-- 
Kees Cook
* Re: [PATCH v2 00/11] Introduce Simple atomic counters
From: Kees Cook @ 2020-10-07 18:30 UTC
To: Shuah Khan
Cc: corbet, gregkh, shuah, rafael, johannes, lenb, james.morse, tony.luck, bp, arve, tkjos, maco, joel, christian, hridya, surenb, minyard, arnd, mchehab, rric, linux-doc, linux-kernel, linux-kselftest, linux-acpi, devel, openipmi-developer, linux-edac

On Tue, Oct 06, 2020 at 02:44:31PM -0600, Shuah Khan wrote:
> -- Addressed Kees's and Joel's comments:
>    1. Removed dec_return interfaces (Patch 1/11)
>    2. Removed counter_simple interfaces to be added later with changes
>       to drivers that use them (if any) (Patch 1/11)
>    3. Comment and Changelogs updates to Patch 2/11

Thanks!

> Kees, if this series is good, would you like to take this through your
> tree or would you like to take this through mine?

I think it's very close! I've sent reviews. Why don't you take this tree
for now? (Originally I thought this was going through Greg's tree since
it was touching a lot of drivers.)

-- 
Kees Cook