[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190625073407.GP3436@hirez.programming.kicks-ass.net>
Date: Tue, 25 Jun 2019 09:34:07 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Jann Horn <jannh@...gle.com>
Cc: Joel Fernandes <joel@...lfernandes.org>,
kernel list <linux-kernel@...r.kernel.org>,
Oleg Nesterov <oleg@...hat.com>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Matthew Wilcox <willy@...radead.org>,
Will Deacon <will.deacon@....com>,
"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>,
Elena Reshetova <elena.reshetova@...el.com>,
Kees Cook <keescook@...omium.org>,
kernel-team <kernel-team@...roid.com>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Michal Hocko <mhocko@...e.com>
Subject: Re: [PATCH RFC v2] Convert struct pid count to refcount_t
On Mon, Jun 24, 2019 at 09:10:15PM +0200, Jann Horn wrote:
> That part of the documentation only talks about cases where you have a
> control dependency on the return value of the refcount operation. But
> refcount_inc() does not return a value, so this isn't relevant for
> refcount_inc().
>
> Also, AFAIU, the control dependency mentioned in the documentation has
> to exist *in the caller* - it's just pointing out that if you write
> code like the following, you have a control dependency between the
> refcount operation and the write:
>
> if (refcount_inc_not_zero(&obj->refcount)) {
> WRITE_ONCE(obj->x, y);
> }
>
> For more information on the details of this stuff, try reading the
> section "CONTROL DEPENDENCIES" of Documentation/memory-barriers.txt.
IIRC the argument went as follows:
- if you use refcount_inc(), you've already got a stable object and
have ACQUIRED it otherwise, typically through locking.
- if you use refcount_inc_not_zero(), you have a semi stable object
(RCU), but you still need to ensure any changes to the object happen
after acquiring a reference, and this is where the control dependency
comes in as Jann already explained.
Specifically, it would be bad to allow STOREs to happen before we know
the refcount isn't 0, as that would be a UaF.
Also see the comment in lib/refcount.c.
Powered by blists - more mailing lists