| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 May 2024 00:12:28 +0100 From: Al Viro <viro@...iv.linux.org.uk> To: Kees Cook <keescook@...omium.org> Cc: Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org, Zack Rusin <zack.rusin@...adcom.com>, Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>, Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, Daniel Vetter <daniel@...ll.ch>, Jani Nikula <jani.nikula@...ux.intel.com>, Joonas Lahtinen <joonas.lahtinen@...ux.intel.com>, Rodrigo Vivi <rodrigo.vivi@...el.com>, Tvrtko Ursulin <tursulin@...ulin.net>, Andi Shyti <andi.shyti@...ux.intel.com>, Lucas De Marchi <lucas.demarchi@...el.com>, Matt Atwood <matthew.s.atwood@...el.com>, Matthew Auld <matthew.auld@...el.com>, Nirmoy Das <nirmoy.das@...el.com>, Jonathan Cavitt <jonathan.cavitt@...el.com>, Will Deacon <will@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Boqun Feng <boqun.feng@...il.com>, Mark Rutland <mark.rutland@....com>, Kent Overstreet <kent.overstreet@...ux.dev>, Masahiro Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nicolas Schier <nicolas@...sle.eu>, Andrew Morton <akpm@...ux-foundation.org>, linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org, intel-gfx@...ts.freedesktop.org, linux-kbuild@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t On Thu, May 02, 2024 at 03:52:21PM -0700, Kees Cook wrote: > As for semantics, what do you mean? Detecting dec-below-zero means we > catch underflow, and detected inc-from-zero means we catch resurrection > attempts. In both cases we avoid double-free, but we have already lost > to a potential dangling reference to a freed struct file. But just > letting f_count go bad seems dangerous. Detected inc-from-zero can also mean an RCU lookup detecting a descriptor in the middle of getting closed. And it's more subtle than that, actually, thanks to SLAB_TYPESAFE_BY_RCU for struct file.
Powered by blists - more mailing lists