lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230425171913.GT3390869@ZenIV>
Date:   Tue, 25 Apr 2023 18:19:13 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Christian Brauner <brauner@...nel.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] pidfd updates

On Tue, Apr 25, 2023 at 09:28:54AM -0700, Linus Torvalds wrote:

> Now, since they are inline functions, the code generation doesn't
> really change (compilers are smart enough to not actually generate any
> pointer stuff), but I prefer to make things like that expliict, and
> have source code that matches the code generation.
> 
> (Which is also why I do *not* endorse passing bigger structs by value,
> because then the compiler will just pass it as a "pointer to a copy"
> instead, again violating the whole concept of "source matches what
> happens in reality")
> 
> I think the above helper could be improved further with Al's
> suggestion to make 'fd_publish()' return an error code, and allow the
> file pointer (and maybe even the fd index) to be an error pointer (and
> error number), so that you could often unify the error/success paths.
> 
> IOW, I like this, and I think it's superior to my stupid original suggestion.

We'd better collect the data on the current callers first.  There are
several patterns; I'm going through the old (fairly sparse) notes and
the grep over the current tree right now, will post when I get through
that.

That's one area where we had a *lot* of recurring bugs - mostly of
leak/double put variety.  So we'd better have the calling conventions
right wrt how easy it is to fuck up in failure exits.  And we need
to document the patterns/rules for each/reasons for choosing one over
another.

Note that there's also "set the file up, then get descriptor and either
fd_install or fput, depending on get_unused_fd_flags() success";
sometimes it's the only approach (SCM_RIGHTS, for example), sometimes
it's better than "get descriptor, set the file up, then either install
or release descriptor", sometimes it's definitely worse (e.g. for
O_CREAT it's a non-starter).  It should be a deliberate choice.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ