From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=uvia=IN=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2CC31C433DB
	for <linux-mm@archiver.kernel.org>; Mon, 15 Mar 2021 22:29:49 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 8A5BB64F0C
	for <linux-mm@archiver.kernel.org>; Mon, 15 Mar 2021 22:29:48 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8A5BB64F0C
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 1E0D26B006C; Mon, 15 Mar 2021 18:29:48 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1B9096B0070; Mon, 15 Mar 2021 18:29:48 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 058C16B0071; Mon, 15 Mar 2021 18:29:48 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0146.hostedemail.com [216.40.44.146])
	by kanga.kvack.org (Postfix) with ESMTP id DE1A06B006C
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 18:29:47 -0400 (EDT)
Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay02.hostedemail.com (Postfix) with ESMTP id 8AE8262D0
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 22:29:47 +0000 (UTC)
X-FDA: 77923552014.04.813368C
Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53])
	by imf06.hostedemail.com (Postfix) with ESMTP id C8A4EC111BF2
	for <linux-mm@kvack.org>; Mon, 15 Mar 2021 22:19:37 +0000 (UTC)
Received: by mail-lf1-f53.google.com with SMTP id d3so59275748lfg.10
        for <linux-mm@kvack.org>; Mon, 15 Mar 2021 15:19:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=JHuD9L12GwXv9CMjuewy7NJi4UEeZj8gMIMY0fXoMjo=;
        b=S+PBvkiNvoS7h8zAD5cjsSRJz4FVPn0bUbOW1vAx3cSOxv0XYlgWOMD63ht2EW+UvG
         WqRwvdt1hEocnp30SVofJDviTh5NFMlDuAZFdZ0CFQTPQzKAvpCn4FZXTYX5F2Q7x0TA
         w6hkZe/5rBy3BNMBjtwIU8r7P3WUEjnalDrr4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=JHuD9L12GwXv9CMjuewy7NJi4UEeZj8gMIMY0fXoMjo=;
        b=leX77zRiE2ZYJdxiveJxtgLVGRMqh48j+rG2CK4boDPrkR4zyUDkjuyYUnG62224Y1
         avCDbFhqdywdQOuG8UEmvGNMGsY3uzcoRclbaGll9gyaME6+/TccMHzcybhbrANdj1GT
         xaAJ7BWYaOBh+cUYRClSKK9LYrr/uKGqXAAe6n9Q/P4nwrMMjhMRPfAgEqVevRYqXYY7
         3NetWi8eGuJ2vbf+qUK36wtIaZJTsiXy1WPMEzxZkDPi3Uo6tJYr2VN1FwOzPydTIdod
         wC8W6x8FPci+zvt9X1s82i83lzXdP3Tpsp2gaC/URIukRYrpXYZziCrMcNy8Ny4svUBS
         nbTg==
X-Gm-Message-State: AOAM533zNthx1xR0Q69lCR0Mt9fMxB7CdNI2w0aLgKxmweaq/a4AF7Pz
	UoFRzt1junHfNNCBGsS8yEPZjvfPEeB3nA==
X-Google-Smtp-Source: ABdhPJwREtb2rtzqNjUz2CoqxSC4Lsr3t5M3EjNISyL2z09jECB9M3V7NkRKSDFKzbFKYpjRoBvUbw==
X-Received: by 2002:a05:6512:1054:: with SMTP id c20mr8993698lfb.170.1615846775675;
        Mon, 15 Mar 2021 15:19:35 -0700 (PDT)
Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com. [209.85.208.176])
        by smtp.gmail.com with ESMTPSA id d7sm2996228lja.114.2021.03.15.15.19.33
        for <linux-mm@kvack.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 15 Mar 2021 15:19:34 -0700 (PDT)
Received: by mail-lj1-f176.google.com with SMTP id z8so18143646ljm.12
        for <linux-mm@kvack.org>; Mon, 15 Mar 2021 15:19:33 -0700 (PDT)
X-Received: by 2002:a2e:a589:: with SMTP id m9mr729361ljp.220.1615846773296;
 Mon, 15 Mar 2021 15:19:33 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1615372955.git.gladkov.alexey@gmail.com>
 <59ee3289194cd97d70085cce701bc494bfcb4fd2.1615372955.git.gladkov.alexey@gmail.com>
 <202103151426.ED27141@keescook>
In-Reply-To: <202103151426.ED27141@keescook>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon, 15 Mar 2021 15:19:17 -0700
X-Gmail-Original-Message-ID: <CAHk-=wjYOCgM+mKzwTZwkDDg12DdYjFFkmoFKYLim7NFmR9HBg@mail.gmail.com>
Message-ID: <CAHk-=wjYOCgM+mKzwTZwkDDg12DdYjFFkmoFKYLim7NFmR9HBg@mail.gmail.com>
Subject: Re: [PATCH v8 3/8] Use atomic_t for ucounts reference counting
To: Kees Cook <keescook@chromium.org>
Cc: Alexey Gladkov <gladkov.alexey@gmail.com>, LKML <linux-kernel@vger.kernel.org>, 
	io-uring <io-uring@vger.kernel.org>, 
	Kernel Hardening <kernel-hardening@lists.openwall.com>, 
	Linux Containers <containers@lists.linux-foundation.org>, Linux-MM <linux-mm@kvack.org>, 
	Alexey Gladkov <legion@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, 
	Christian Brauner <christian.brauner@ubuntu.com>, "Eric W . Biederman" <ebiederm@xmission.com>, 
	Jann Horn <jannh@google.com>, Jens Axboe <axboe@kernel.dk>, Oleg Nesterov <oleg@redhat.com>
Content-Type: text/plain; charset="UTF-8"
X-Stat-Signature: b9r53uupqbgar1tadbxuy7qtqcq9rf73
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: C8A4EC111BF2
Received-SPF: none (linuxfoundation.org>: No applicable sender policy available) receiver=imf06; identity=mailfrom; envelope-from="<torvalds@linuxfoundation.org>"; helo=mail-lf1-f53.google.com; client-ip=209.85.167.53
X-HE-DKIM-Result: pass/pass
X-HE-Tag: 1615846777-231535
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Mar 15, 2021 at 3:03 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Mar 10, 2021 at 01:01:28PM +0100, Alexey Gladkov wrote:
> > The current implementation of the ucounts reference counter requires the
> > use of spin_lock. We're going to use get_ucounts() in more performance
> > critical areas like a handling of RLIMIT_SIGPENDING.
>
> This really looks like it should be refcount_t.

No.

refcount_t didn't have the capabilities required.

It just saturates, and doesn't have the "don't do this" case, which
the ucounts case *DOES* have.

In other words, refcount_t is entirely misdesigned for this - because
it's literally designed for "people can't handle overflow, so we warn
and saturate".

ucounts can never saturate, because they replace saturation with
"don't do that then".

In other words, ucounts work like the page counts do (which also don't
saturate, they just say "ok, you can't get a reference".

I know you are attached to refcounts, but really: they are not only
more expensive, THEY LITERALLY DO THE WRONG THING.

           Linus