| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Nov 2022 15:47:29 +0000
From: Dmitry Safonov <dima@...sta.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: linux-kernel@...r.kernel.org, David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Bob Gilligan <gilligan@...sta.com>,
"David S. Miller" <davem@...emloft.net>,
Dmitry Safonov <0x7f454c46@...il.com>,
Francesco Ruggeri <fruggeri@...sta.com>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Salam Noureddine <noureddine@...sta.com>,
netdev@...r.kernel.org, Ard Biesheuvel <ardb@...nel.org>,
Jason Baron <jbaron@...mai.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Steven Rostedt <rostedt@...dmis.org>
Subject: Re: [PATCH v3 1/3] jump_label: Prevent key->enabled int overflow
Hi Peter,
Thanks again for reviewing,
On 11/12/22 10:03, Peter Zijlstra wrote:
[..]
>> Prevent the reference counter overflow by checking if (v + 1) > 0.
>> Change functions API to return whether the increment was successful.
>>
>> While at here, provide static_key_fast_inc() helper that does ref
>> counter increment in atomic fashion (without grabbing cpus_read_lock()
>> on CONFIG_JUMP_LABEL=y). This is needed to add a new user for
>
> -ENOTHERE, did you forget to Cc me on all patches?
I'll Cc you and static_key maintainers on all patches for v4.
Probably, my practice of Cc'ing maintainers only on patches for their
sub-system + cover-letter is a bit outdated and better to Cc on the
whole patch set.
>> a static_key when the caller controls the lifetime of another user.
>> The exact detail where it will be used: if a listen socket with TCP-MD5
>> key receives SYN packet that passes the verification and in result
>> creates a request socket - it's all done from RX softirq. At that moment
>> userspace can't lock the listen socket and remove that TCP-MD5 key, so
>> the tcp_md5_needed static branch can't get disabled. But the refcounter
>> of the static key needs to be adjusted to account for a new user
>> (the request socket).
>
> Arguably all this should be a separate patch. Also I'm hoping the caller
> does something like WARN on failure?
I thought about it, but did add an error-fallback.
I'll add net_warn_ratelimited() for v4 for such cases.
>> -static inline void static_key_slow_inc(struct static_key *key)
>> +static inline bool static_key_fast_inc(struct static_key *key)
>> {
>> + int v, v1;
>> +
>> STATIC_KEY_CHECK_USE(key);
>> - atomic_inc(&key->enabled);
>> + /*
>> + * Prevent key->enabled getting negative to follow the same semantics
>> + * as for CONFIG_JUMP_LABEL=y, see kernel/jump_label.c comment.
>> + */
>> + for (v = atomic_read(&key->enabled); v >= 0 && (v + 1) > 0; v = v1) {
>> + v1 = atomic_cmpxchg(&key->enabled, v, v + 1);
>> + if (likely(v1 == v))
>> + return true;
>> + }
>
>
> Please, use atomic_try_cmpxchg(), it then turns into something like:
>
> int v = atomic_read(&key->enabled);
>
> do {
> if (v < 0 || (v + 1) < 0)
> return false;
> } while (!atomic_try_cmpxchg(&key->enabled, &v, v + 1))
>
> return true;
Thanks, will do.
>
>> + return false;
>> }
>> +#define static_key_slow_inc(key) static_key_fast_inc(key)
>>
>> static inline void static_key_slow_dec(struct static_key *key)
>> {
>> diff --git a/kernel/jump_label.c b/kernel/jump_label.c
>> index 714ac4c3b556..f2c1aa351d41 100644
>> --- a/kernel/jump_label.c
>> +++ b/kernel/jump_label.c
>> @@ -113,11 +113,38 @@ int static_key_count(struct static_key *key)
>> }
>> EXPORT_SYMBOL_GPL(static_key_count);
>>
>> -void static_key_slow_inc_cpuslocked(struct static_key *key)
>> +/***
>> + * static_key_fast_inc - adds a user for a static key
>> + * @key: static key that must be already enabled
>> + *
>> + * The caller must make sure that the static key can't get disabled while
>> + * in this function. It doesn't patch jump labels, only adds a user to
>> + * an already enabled static key.
>> + *
>> + * Returns true if the increment was done.
>> + */
>> +bool static_key_fast_inc(struct static_key *key)
>
> Typically this primitive is called something_inc_not_zero().
Hmm, maybe static_key_fast_inc_not_negative()?
>
>> {
>> int v, v1;
>>
>> STATIC_KEY_CHECK_USE(key);
>> + /*
>> + * Negative key->enabled has a special meaning: it sends
>> + * static_key_slow_inc() down the slow path, and it is non-zero
>> + * so it counts as "enabled" in jump_label_update(). Note that
>> + * atomic_inc_unless_negative() checks >= 0, so roll our own.
>> + */
>> + for (v = atomic_read(&key->enabled); v > 0 && (v + 1) > 0; v = v1) {
>> + v1 = atomic_cmpxchg(&key->enabled, v, v + 1);
>> + if (likely(v1 == v))
>> + return true;
>> + }
>
> Idem on atomic_try_cmpxchg().
>
>> + return false;
>> +}
>> +EXPORT_SYMBOL_GPL(static_key_fast_inc);
>> +
>> +bool static_key_slow_inc_cpuslocked(struct static_key *key)
>> +{
>> lockdep_assert_cpus_held();
>>
>> /*
>> @@ -126,17 +153,9 @@ void static_key_slow_inc_cpuslocked(struct static_key *key)
>> * jump_label_update() process. At the same time, however,
>> * the jump_label_update() call below wants to see
>> * static_key_enabled(&key) for jumps to be updated properly.
>> - *
>> - * So give a special meaning to negative key->enabled: it sends
>> - * static_key_slow_inc() down the slow path, and it is non-zero
>> - * so it counts as "enabled" in jump_label_update(). Note that
>> - * atomic_inc_unless_negative() checks >= 0, so roll our own.
>> */
>> - for (v = atomic_read(&key->enabled); v > 0; v = v1) {
>> - v1 = atomic_cmpxchg(&key->enabled, v, v + 1);
>> - if (likely(v1 == v))
>> - return;
>> - }
>
> This does not in fact apply, since someone already converted to try_cmpxchg.
Yeah, I based it on the current master, will take a look in linux-next.
Thanks,
Dmitry
Powered by blists - more mailing lists