| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 May 2024 15:52:21 -0700 From: Kees Cook <keescook@...omium.org> To: Al Viro <viro@...iv.linux.org.uk> Cc: Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org, Zack Rusin <zack.rusin@...adcom.com>, Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>, Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>, Jani Nikula <jani.nikula@...ux.intel.com>, Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>, Rodrigo Vivi <rodrigo.vivi@...el.com>, Tvrtko Ursulin <tursulin@...ulin.net>, Andi Shyti <andi.shyti@...ux.intel.com>, Lucas De Marchi <lucas.demarchi@...el.com>, Matt Atwood <matthew.s.atwood@...el.com>, Matthew Auld <matthew.auld@...el.com>, Nirmoy Das <nirmoy.das@...el.com>, Jonathan Cavitt <jonathan.cavitt@...el.com>, Will Deacon <will@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Boqun Feng <boqun.feng@...il.com>, Mark Rutland <mark.rutland@....com>, Kent Overstreet <kent.overstreet@...ux.dev>, Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>, Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org, intel-gfx@...ts.freedesktop.org, linux-kbuild@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t On Thu, May 02, 2024 at 11:42:50PM +0100, Al Viro wrote: > On Thu, May 02, 2024 at 03:33:40PM -0700, Kees Cook wrote: > > Underflow of f_count needs to be more carefully detected than it > > currently is. The results of get_file() should be checked, but the > > first step is detection. Redefine f_count from atomic_long_t to > > refcount_long_t. > > It is used on fairly hot paths. What's more, it's not > at all obvious what the hell would right semantics be. I think we've put performance concerns between refcount_t and atomic_t to rest long ago. If there is a real workload where it's a problem, let's find it! :) As for semantics, what do you mean? Detecting dec-below-zero means we catch underflow, and detected inc-from-zero means we catch resurrection attempts. In both cases we avoid double-free, but we have already lost to a potential dangling reference to a freed struct file. But just letting f_count go bad seems dangerous. -- Kees Cook
Powered by blists - more mailing lists