Eric Dumazet
2017-Mar-22 02:03 UTC
[Bridge] [PATCH 07/17] net: convert sock.sk_refcnt from atomic_t to refcount_t
On Tue, 2017-03-21 at 16:51 -0700, Kees Cook wrote:
> Am I understanding you correctly that you'd want something like:
>
> refcount.h:
> #ifdef UNPROTECTED_REFCOUNT
> #define refcount_inc(x) atomic_inc(x)
> ...
> #else
> void refcount_inc(...
> ...
> #endif
>
> some/net.c:
> #define UNPROTECTED_REFCOUNT
> #include <refcount.h>
>
> or similar?

At first, it could be something simple like that, yes.

Note that we might define two refcount_inc(): one that does whole tests, and refcount_inc_relaxed() that might translate to atomic_inc() on non-debug kernels.

Then later, maybe provide a dynamic infrastructure so that we can dynamically force the full checks even for refcount_inc_relaxed() on, say, 1% of the hosts, to get better debug coverage?
Peter Zijlstra
2017-Mar-22 12:25 UTC
[Bridge] [PATCH 07/17] net: convert sock.sk_refcnt from atomic_t to refcount_t
On Tue, Mar 21, 2017 at 07:03:19PM -0700, Eric Dumazet wrote:
> Note that we might define two refcount_inc() : One that does whole
> tests, and refcount_inc_relaxed() that might translate to atomic_inc()
> on non debug kernels.

So you'd want a duplicate interface, such that most code, which doesn't care about refcount performance much, can still have all the tests enabled. But the code that cares about it (and preferably can prove it with numbers) can use the other.

I'm also somewhat hesitant to use _relaxed for this distinction, as it has a clear meaning in atomics; maybe _nocheck?

Also, what operations do you want _nocheck variants of, only refcount_inc()?

That said, I'm really loath to provide these without actual measurements that prove they make a difference.

> Then later, maybe provide a dynamic infrastructure so that we can
> dynamically force the full checks even for refcount_inc_relaxed() on say
> 1% of the hosts, to get better debug coverage ?

Shouldn't be too hard to do in arch-specific code using alternative stuff. Generic code could use jump labels, I suppose, but that would result in bigger code.
Kees Cook
2017-Mar-22 19:08 UTC
[Bridge] [PATCH 07/17] net: convert sock.sk_refcnt from atomic_t to refcount_t
On Tue, Mar 21, 2017 at 7:03 PM, Eric Dumazet <eric.dumazet at gmail.com> wrote:
> On Tue, 2017-03-21 at 16:51 -0700, Kees Cook wrote:
>
>> Am I understanding you correctly that you'd want something like:
>>
>> refcount.h:
>> #ifdef UNPROTECTED_REFCOUNT
>> #define refcount_inc(x) atomic_inc(x)
>> ...
>> #else
>> void refcount_inc(...
>> ...
>> #endif
>>
>> some/net.c:
>> #define UNPROTECTED_REFCOUNT
>> #include <refcount.h>
>>
>> or similar?
>
> At first, it could be something simple like that yes.
>
> Note that we might define two refcount_inc() : One that does whole
> tests, and refcount_inc_relaxed() that might translate to atomic_inc()
> on non debug kernels.
>
> Then later, maybe provide a dynamic infrastructure so that we can
> dynamically force the full checks even for refcount_inc_relaxed() on say
> 1% of the hosts, to get better debug coverage ?

Well, this isn't about finding bugs in normal workflows. This is about catching bugs that attackers have found and start exploiting to gain a use-after-free primitive. The intention is for it to be always enabled.

-Kees

--
Kees Cook
Pixel Security
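The thread argues about a checked versus an unchecked increment and about why the checked one should stay on in production. The following user-space C model is an added illustration, not code from the patch series or from any of the posters; the `UNPROTECTED_REFCOUNT` switch follows Kees's sketch, while the saturation value, the `bool` return of the checked increment and the warning counter that stands in for `WARN_ONCE()` are assumptions made for this example, not the kernel's refcount_t API. It shows the failure the checks exist for: with a plain atomic increment, an overflowed counter wraps to zero and the object looks unreferenced while pointers to it still exist; with the checked variant, the counter saturates, a dead object cannot be resurrected, and a double put is reported instead of silently underflowing.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Model of the two flavours discussed in the thread (constructed example). */
typedef struct { atomic_uint refs; } refcount_t;

/* Assumed: once an overflow is detected the counter is parked here forever. */
#define REFCOUNT_SATURATED UINT_MAX

/* Stands in for WARN_ONCE(): counts how many misuses were caught. */
static unsigned int refcount_warnings;

static void refcount_set(refcount_t *r, unsigned int v) { atomic_store(&r->refs, v); }
static unsigned int refcount_read(const refcount_t *r) { return atomic_load(&r->refs); }

/* Unchecked variant: plain atomic increment. On overflow it wraps UINT_MAX -> 0,
 * so a leaked reference turns into a freeable object that is still in use. */
static void refcount_inc_nocheck(refcount_t *r) { atomic_fetch_add(&r->refs, 1); }

/* Checked variant: never resurrects a dead object (0 stays 0) and saturates
 * instead of wrapping. Returns false whenever a misuse was caught. */
static bool refcount_inc_checked(refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        unsigned int next;
        if (old == 0) {                     /* increment of an already freed object */
            refcount_warnings++;
            return false;
        }
        if (old == REFCOUNT_SATURATED)      /* already parked: stay there, warned earlier */
            return false;
        next = old + 1;
        if (next == REFCOUNT_SATURATED)     /* about to overflow: park it and warn */
            refcount_warnings++;
        if (atomic_compare_exchange_weak(&r->refs, &old, next))
            return next != REFCOUNT_SATURATED;
    }
}

/* Checked decrement; true means the caller holds the last reference and may free. */
static bool refcount_dec_and_test_checked(refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        if (old == 0) {                     /* underflow: a double put */
            refcount_warnings++;
            return false;
        }
        if (old == REFCOUNT_SATURATED)      /* leaked for good: never free it */
            return false;
        if (atomic_compare_exchange_weak(&r->refs, &old, old - 1))
            return old == 1;
    }
}

/* The switch from Kees's sketch: a translation unit that opts out gets the bare atomic. */
#ifdef UNPROTECTED_REFCOUNT
#define refcount_inc(x) refcount_inc_nocheck(x)
#else
#define refcount_inc(x) ((void)refcount_inc_checked(x))
#endif

/* Overflow with the unchecked increment: the count wraps to 0. */
static unsigned int demo_wrap_unchecked(void)
{
    refcount_t r;
    refcount_set(&r, UINT_MAX);
    refcount_inc_nocheck(&r);
    return refcount_read(&r);               /* 0 */
}

/* The same overflow with the checked increment: parked at REFCOUNT_SATURATED. */
static unsigned int demo_wrap_checked(void)
{
    refcount_t r;
    refcount_set(&r, UINT_MAX - 1);
    refcount_inc_checked(&r);               /* saturates and warns */
    refcount_inc_checked(&r);               /* stays parked */
    return refcount_read(&r);               /* UINT_MAX */
}

/* Normal get/put lifecycle, then a resurrection and a double put; returns misuses caught. */
static unsigned int demo_lifecycle(void)
{
    unsigned int before = refcount_warnings;
    refcount_t r;
    refcount_set(&r, 1);
    refcount_inc(&r);                                     /* 1 -> 2 */
    if (refcount_dec_and_test_checked(&r)) return 999;    /* 2 -> 1, not the last put */
    if (!refcount_dec_and_test_checked(&r)) return 998;   /* 1 -> 0, last put: free here */
    refcount_inc_checked(&r);                             /* use after free: caught */
    refcount_dec_and_test_checked(&r);                    /* double put: caught */
    return refcount_warnings - before;                    /* 2 */
}

int main(void)
{
    printf("unchecked overflow -> %u\n", demo_wrap_unchecked());
    printf("checked overflow   -> %u\n", demo_wrap_checked());
    printf("misuses caught in lifecycle: %u\n", demo_lifecycle());
    return 0;
}
```

Compiling with `-DUNPROTECTED_REFCOUNT` swaps the `refcount_inc()` used in `demo_lifecycle()` for the bare atomic, which is the per-file opt-out the thread sketches; the point Kees makes is that in the wrapped-to-zero case there is nothing left to detect, which is why the checked path is meant to stay enabled rather than be a debug-only option.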