From: "Reshetova, Elena" <elena.reshetova@intel.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: "linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"jlayton@kernel.org" <jlayton@kernel.org>,
	"trond.myklebust@primarydata.com"
	<trond.myklebust@primarydata.com>,
	"anna.schumaker@netapp.com" <anna.schumaker@netapp.com>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"keescook@chromium.org" <keescook@chromium.org>
Subject: RE: [PATCH 1/4] lockd: convert nlm_host.h_count from atomic_t to refcount_t
Date: Fri, 22 Dec 2017 09:29:15 +0000
Message-ID: <2236FBA76BA1254E88B949DDB74E612B802CFB57@IRSMSX102.ger.corp.intel.com>
In-Reply-To: <20171221202350.GE31467@fieldses.org>


On Wed, Nov 29, 2017 at 01:15:43PM +0200, Elena Reshetova wrote:
> atomic_t variables are currently used to implement reference
> counters with the following properties:
>  - counter is initialized to 1 using atomic_set()
>  - a resource is freed upon counter reaching zero
>  - once counter reaches zero, its further
>    increments aren't allowed
>  - counter schema uses basic atomic operations
>    (set, inc, inc_not_zero, dec_and_test, etc.)

>Whoops, I forgot that this doesn't apply to h_count.

>Well, it's confusing, because h_count is actually used in two different
>ways: depending on whether a nlm_host represents a client or server, it
>may have the above properties or not.


So, what happens when it does not have the above properties? Is the object
being reused, or?

I am just trying to understand if there is a way to fix this patch to work for that case,
or whether dropping it is the only correct way to go.

Best Regards,
Elena.

>Inclined to drop this patch for now.
>
>--b.

>
> Such atomic variables should be converted to a newly provided
> refcount_t type and API that prevents accidental counter overflows
> and underflows. This is important since overflows and underflows
> can lead to use-after-free situation and be exploitable.
>
> The variable nlm_host.h_count  is used as pure reference counter.
> Convert it to refcount_t and fix up the operations.
>
> **Important note for maintainers:
>
> Some functions from refcount_t API defined in lib/refcount.c
> have different memory ordering guarantees than their atomic
> counterparts.
> The full comparison can be seen in
> https://lkml.org/lkml/2017/11/15/57 and it is hopefully soon
> in state to be merged to the documentation tree.
> Normally the differences should not matter since refcount_t provides
> enough guarantees to satisfy the refcounting use cases, but in
> some rare cases it might matter.
> Please double check that you don't have some undocumented
> memory guarantees for this variable usage.
>
> For the nlm_host.h_count it might make a difference
> in following places:
>  - nlmsvc_release_host(): decrement in refcount_dec()
>    provides RELEASE ordering, while original atomic_dec()
>    was fully unordered. Since the change is for better, it
>    should not matter.
>  - nlmclnt_release_host(): decrement in refcount_dec_and_test() only
>    provides RELEASE ordering and control dependency on success
>    vs. fully ordered atomic counterpart. It doesn't seem to
>    matter in this case since object freeing happens under mutex
>    lock anyway.
>
> Suggested-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: David Windsor <dwindsor@gmail.com>
> Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> ---
>  fs/lockd/host.c             | 14 +++++++-------
>  include/linux/lockd/lockd.h |  3 ++-
>  2 files changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/fs/lockd/host.c b/fs/lockd/host.c
> index 826a891..11b6832 100644
> --- a/fs/lockd/host.c
> +++ b/fs/lockd/host.c
> @@ -151,7 +151,7 @@ static struct nlm_host *nlm_alloc_host(struct nlm_lookup_host_info *ni,
>       host->h_state      = 0;
>       host->h_nsmstate   = 0;
>       host->h_pidcount   = 0;
> -     atomic_set(&host->h_count, 1);
> +     refcount_set(&host->h_count, 1);
>       mutex_init(&host->h_mutex);
>       host->h_nextrebind = now + NLM_HOST_REBIND;
>       host->h_expires    = now + NLM_HOST_EXPIRE;
> @@ -290,7 +290,7 @@ void nlmclnt_release_host(struct nlm_host *host)
>
>       WARN_ON_ONCE(host->h_server);
>
> -     if (atomic_dec_and_test(&host->h_count)) {
> +     if (refcount_dec_and_test(&host->h_count)) {
>               WARN_ON_ONCE(!list_empty(&host->h_lockowners));
>               WARN_ON_ONCE(!list_empty(&host->h_granted));
>               WARN_ON_ONCE(!list_empty(&host->h_reclaim));
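Review bot: the commit message justifies the weaker ordering of refcount_dec_and_test() in nlmclnt_release_host() by saying the object is freed under a mutex, but nothing in this hunk shows that lock; only the list-emptiness WARN_ON_ONCE checks are visible. Naming the lock (or the call in this function that takes it) in the commit message would let a reviewer verify that claim instead of taking it on trust.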
> @@ -410,7 +410,7 @@ void nlmsvc_release_host(struct nlm_host *host)
>       dprintk("lockd: release server host %s\n", host->h_name);
>
>       WARN_ON_ONCE(!host->h_server);
> -     atomic_dec(&host->h_count);
> +     refcount_dec(&host->h_count);
>  }
>
>  /*
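Review bot: refcount_dec() in nlmsvc_release_host() WARNs once the counter reaches zero, because the API treats a plain decrement that hits 0 as a leak, while the nlm_gc_hosts hunk further down treats `h_count == 0` as the normal idle state of a server host that is still allocated. With this change every last put of a server host will therefore trigger that warning and leave the count saturated at zero. Either server hosts need their own release discipline, or the conversion should leave the server-side counter alone and cover only the client path; as written, `refcount_dec(&host->h_count)` is the wrong primitive for this usage.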
> @@ -504,7 +504,7 @@ struct nlm_host * nlm_get_host(struct nlm_host *host)
>  {
>       if (host) {
>               dprintk("lockd: get host %s\n", host->h_name);
> -             atomic_inc(&host->h_count);
> +             refcount_inc(&host->h_count);
>               host->h_expires = jiffies + NLM_HOST_EXPIRE;
>       }
>       return host;
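Review bot: refcount_inc() refuses to increment a counter that is already zero and WARNs, since for a true reference count that is a use-after-free. For server hosts h_count legitimately sits at 0 between nlmsvc_release_host() and garbage collection (see the nlm_gc_hosts hunk), so if nlm_get_host() is the path that reacquires such a host, this change makes that reacquire a no-op that fires a warning and leaves the count at 0. The server-side lifetime needs to be settled before this inc can be converted.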
> @@ -593,7 +593,7 @@ static void nlm_complain_hosts(struct net *net)
>               if (net && host->net != net)
>                       continue;
>               dprintk("       %s (cnt %d use %d exp %ld net %x)\n",
> -                     host->h_name, atomic_read(&host->h_count),
> +                     host->h_name, refcount_read(&host->h_count),
>                       host->h_inuse, host->h_expires, host->net->ns.inum);
>       }
>  }
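Review bot: refcount_read() returns unsigned int, whereas atomic_read() returned int, so the `cnt %d` in this dprintk format should become `%u` once the read is converted; the same applies to the dprintk in nlm_gc_hosts below.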
> @@ -662,11 +662,11 @@ nlm_gc_hosts(struct net *net)
>       for_each_host_safe(host, next, chain, nlm_server_hosts) {
>               if (net && host->net != net)
>                       continue;
> -             if (atomic_read(&host->h_count) || host->h_inuse
> +             if (refcount_read(&host->h_count) || host->h_inuse
>                || time_before(jiffies, host->h_expires)) {
>                       dprintk("nlm_gc_hosts skipping %s "
>                               "(cnt %d use %d exp %ld net %x)\n",
> -                             host->h_name, atomic_read(&host->h_count),
> +                             host->h_name, refcount_read(&host->h_count),
>                               host->h_inuse, host->h_expires,
>                               host->net->ns.inum);
>                       continue;
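Review bot: keeping `refcount_read(&host->h_count) || host->h_inuse` as the liveness test documents that a server host's h_count is expected to drop to 0 while the object stays allocated and is only freed later by the GC. That is the second usage Bruce describes: for server hosts the counter is not a last-put-frees reference count, so refcount_t's assumptions (never increment from zero, never plain-decrement to zero) do not hold, and the client-side and server-side uses of h_count cannot be converted with one type unless the server side is restructured. This condition also inherits the `%d` vs unsigned refcount_read() mismatch noted for nlm_complain_hosts.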
> diff --git a/include/linux/lockd/lockd.h b/include/linux/lockd/lockd.h
> index d7d313f..39dfeea 100644
> --- a/include/linux/lockd/lockd.h
> +++ b/include/linux/lockd/lockd.h
> @@ -17,6 +17,7 @@
>  #include <net/ipv6.h>
>  #include <linux/fs.h>
>  #include <linux/kref.h>
> +#include <linux/refcount.h>
>  #include <linux/utsname.h>
>  #include <linux/lockd/bind.h>
>  #include <linux/lockd/xdr.h>
> @@ -58,7 +59,7 @@ struct nlm_host {
>       u32                     h_state;        /* pseudo-state counter */
>       u32                     h_nsmstate;     /* true remote NSM state */
>       u32                     h_pidcount;     /* Pseudopids */
> -     atomic_t                h_count;        /* reference count */
> +     refcount_t              h_count;        /* reference count */
>       struct mutex            h_mutex;        /* mutex for pmap binding */
>       unsigned long           h_nextrebind;   /* next portmap call */
>       unsigned long           h_expires;      /* eligible for GC */
> --
> 2.7.4
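The commit message contrasts two counter disciplines: an atomic_t that does unchecked modular arithmetic, and a refcount_t that refuses to increment from zero, saturates instead of wrapping, and flags a plain decrement that hits zero. The following is an added userspace model of that contrast, written for this thread; it is not the kernel's atomic_t, lib/refcount.c, or any lockd code, and its saturation point, warning counter and scenario functions are constructed for illustration. It shows why the client-side pattern (last put frees) benefits from refcount_t, and why the server-side pattern that the patch's nlm_gc_hosts hunk documents (count sits at 0 on a live object, later reacquired) trips refcount_t's checks.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model types; not the kernel's atomic_t / refcount_t. */
typedef struct { unsigned int v; } model_atomic_t;
typedef struct { unsigned int v; } model_refcount_t;

/* Saturation value, kept far from both 0 and UINT_MAX (assumption, mirrors the idea). */
#define MODEL_REFCOUNT_SATURATED (UINT_MAX / 2)

/* Number of WARN-style events the refcount model would have raised. */
static int model_warnings;

/* atomic_t model: no checks at all, wraps on overflow and underflow. */
static void model_atomic_inc(model_atomic_t *a) { a->v++; }
static bool model_atomic_dec_and_test(model_atomic_t *a) { return --a->v == 0; }

/* refcount_t model: increment refuses a zero counter and saturates on overflow. */
static void model_refcount_inc(model_refcount_t *r)
{
    if (r->v == 0) {                 /* "increment on 0": object already freed */
        model_warnings++;
        return;
    }
    if (r->v >= MODEL_REFCOUNT_SATURATED)
        return;                      /* pinned at saturation, never wraps to 0 */
    if (r->v + 1 == MODEL_REFCOUNT_SATURATED) {
        model_warnings++;            /* overflow: saturate and report */
        r->v = MODEL_REFCOUNT_SATURATED;
        return;
    }
    r->v++;
}

/* refcount_t model: dec_and_test reports zero exactly once and never underflows. */
static bool model_refcount_dec_and_test(model_refcount_t *r)
{
    if (r->v == 0) {                 /* underflow on an already-freed object */
        model_warnings++;
        return false;
    }
    if (r->v >= MODEL_REFCOUNT_SATURATED)
        return false;                /* saturated objects are leaked, never freed */
    return --r->v == 0;
}

/* Plain decrement: only valid while the count stays above zero. */
static void model_refcount_dec(model_refcount_t *r)
{
    if (model_refcount_dec_and_test(r))
        model_warnings++;            /* "decrement hit 0": leak rather than free */
}

/* Client-side pattern with a stale get after the last put. atomic_t frees twice. */
static int atomic_double_free_count(void)
{
    model_atomic_t a = { 1 };
    int frees = 0;
    if (model_atomic_dec_and_test(&a)) frees++;  /* legitimate last put: free */
    model_atomic_inc(&a);                         /* stale get on the freed object */
    if (model_atomic_dec_and_test(&a)) frees++;  /* "frees" it a second time */
    return frees;                                 /* 2 */
}

/* Same sequence on the refcount model: the stale get is refused, one free only. */
static int refcount_double_free_count(void)
{
    model_refcount_t r = { 1 };
    int frees = 0;
    if (model_refcount_dec_and_test(&r)) frees++;
    model_refcount_inc(&r);                       /* warns, count stays 0 */
    if (model_refcount_dec_and_test(&r)) frees++; /* warns, returns false */
    return frees;                                 /* 1 */
}

/* Server-host pattern from the patch: set to 1, plain dec to 0 with the object kept
 * alive for the GC, then reacquired. Returns how many warnings that raises. */
static int server_host_pattern_warnings(void)
{
    int before = model_warnings;
    model_refcount_t r = { 1 };                   /* refcount_set(&h_count, 1) */
    model_refcount_dec(&r);                       /* refcount_dec() hits 0: warning */
    model_refcount_inc(&r);                       /* refcount_inc() from 0: warning */
    return model_warnings - before;               /* 2 */
}

/* Overflow: starting just below saturation, increments pin the count there. */
static bool model_refcount_saturates(void)
{
    model_refcount_t r = { MODEL_REFCOUNT_SATURATED - 2 };
    for (int i = 0; i < 10; i++)
        model_refcount_inc(&r);
    return r.v == MODEL_REFCOUNT_SATURATED;
}

int main(void)
{
    printf("atomic_t frees after stale get:   %d\n", atomic_double_free_count());
    printf("refcount_t frees after stale get: %d\n", refcount_double_free_count());
    printf("server-host pattern warnings:     %d\n", server_host_pattern_warnings());
    printf("refcount_t saturates: %s\n", model_refcount_saturates() ? "yes" : "no");
    return 0;
}
```

The two double-free functions show the security property the commit message is after: with unchecked arithmetic a single stale get turns into a second free, while the checked counter turns it into a warning and a leak. The server-host function shows the mismatch Bruce points at: a counter that is allowed to rest at zero on a live object raises the same warnings, which is why the server-side usage cannot be converted mechanically.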
