| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Dec 2013 04:28:30 +0000 From: Al Viro <viro@...IV.linux.org.uk> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Simon Kirby <sim@...tway.ca>, Ingo Molnar <mingo@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Waiman Long <Waiman.Long@...com>, Ian Applegate <ia@...udflare.com>, Christoph Lameter <cl@...two.org>, Pekka Enberg <penberg@...nel.org>, LKML <linux-kernel@...r.kernel.org>, Chris Mason <chris.mason@...ionio.com> Subject: Re: Found it! (was Re: [3.10] Oopses in kmem_cache_allocate() via prepare_creds()) On Mon, Dec 02, 2013 at 06:58:57PM -0800, Linus Torvalds wrote: > In other words, it's unsafe to protect reference counts inside objects > with anything but spinlocks and/or atomic refcounts. Or you have to > have the lock *outside* the object you're protecting (which is often > what you want for other reasons anyway, notably lookup). > > So having a non-atomic refcount protected inside a sleeping lock is a > bug, and that's really the bug that ended up biting us for pipes. > > Now, the question is: do we have other such cases? How do we document > this? Do we try to make mutexes and other locks safe to use for things > like this? Umm... AFAICS, in VFS proper we have files_struct - atomic_dec_and_test fs_struct - spinlock + int file - atomic_long_dec_and_test (with delays after that, including RCU). super_block - global spinlock + int (s_count); the mutex in there (->s_umount) can be taken by anybody who holds an active ref *or* has bumped ->s_count while holding sb_lock. Exactly to prevent that kind of unpleasantness. Freeing RCU-delayed. vfsmount - percpu counter + flag + global seqlock, with quite a bit of contortions for the sake of avoiding cross-CPU stores on fastpath; discussed back in October, concluded to be safe. Freeing RCU-delayed. dentry - lockref, with RCU-delayed actual freeing. file_system_type, nls_table, linux_binfmt - module refcount of "owner"; search structures protected by global spinlocks or rwlocks, exiting module is responsible for unregistering first. inode - atomic_dec_and_lock, with actual freeing RCU-delayed (and evicting code waiting for pagecache references to be gone, with the rest being responsibility of fs method called before we free the sucker) block_device - part of bdevfs inode These should be safe, but damnit, we really need the lifecycle documented for all objects - the above is only a part of it (note that for e.g. superblocks we have additional rules re "->s_active can't be incremented for any reason once it drops to zero, it can't be incremented until superblock had been marked 'born' and it crosses over to zero only with ->s_umount held"; there's 6 stages in life cycle of struct super_block and we had interesting bugs due to messing the transitions up). The trouble is, attempt to write those down tends to stray into massive grep session, with usual results - some other crap gets found (e.g. in some odd driver) and needs to be dealt with ;-/ Sigh... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists