Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-13 Thread Greg KH
On Fri, Nov 11, 2016 at 12:57:14AM +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > > > >> As it stands

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-13 Thread Greg KH
On Fri, Nov 11, 2016 at 12:57:14AM +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > > > >> As it stands kref is a pointless

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 02:00:34PM +0100, Peter Zijlstra wrote: > +static inline bool refcount_sub_and_test(int i, refcount_t *r) > +{ > + unsigned int old, new, val = atomic_read(>refs); > + > + for (;;) { regardless of the sub_and_test vs inc_and_test issue, this should probably also

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 02:00:34PM +0100, Peter Zijlstra wrote: > +static inline bool refcount_sub_and_test(int i, refcount_t *r) > +{ > + unsigned int old, new, val = atomic_read(>refs); > + > + for (;;) { regardless of the sub_and_test vs inc_and_test issue, this should probably also

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 03:39:05PM +0100, Thomas Gleixner wrote: > On Fri, 11 Nov 2016, Peter Zijlstra wrote: > > A wee bit like so... > > + > > +static inline bool refcount_sub_and_test(int i, refcount_t *r) > > Why would we want to expose that at all? refcount_inc() and >

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 03:39:05PM +0100, Thomas Gleixner wrote: > On Fri, 11 Nov 2016, Peter Zijlstra wrote: > > A wee bit like so... > > + > > +static inline bool refcount_sub_and_test(int i, refcount_t *r) > > Why would we want to expose that at all? refcount_inc() and >

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Thomas Gleixner
On Fri, 11 Nov 2016, Peter Zijlstra wrote: > A wee bit like so... > + > +static inline bool refcount_sub_and_test(int i, refcount_t *r) Why would we want to expose that at all? refcount_inc() and refcount_dec_and_test() is what is required for refcounting. I know there are a few users of

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Thomas Gleixner
On Fri, 11 Nov 2016, Peter Zijlstra wrote: > A wee bit like so... > + > +static inline bool refcount_sub_and_test(int i, refcount_t *r) Why would we want to expose that at all? refcount_inc() and refcount_dec_and_test() is what is required for refcounting. I know there are a few users of

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 01:47:55PM +0100, Peter Zijlstra wrote: > On Fri, Nov 11, 2016 at 12:41:27PM +, Mark Rutland wrote: > > Regardless of atomic_t semantics, a refcount_t would be far more obvious > > to developers than atomic_t and/or kref, and better documents the intent > > of code

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 01:47:55PM +0100, Peter Zijlstra wrote: > On Fri, Nov 11, 2016 at 12:41:27PM +, Mark Rutland wrote: > > Regardless of atomic_t semantics, a refcount_t would be far more obvious > > to developers than atomic_t and/or kref, and better documents the intent > > of code

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 12:41:27PM +, Mark Rutland wrote: > On Fri, Nov 11, 2016 at 01:29:21AM +0100, Colin Vidal wrote: > > I wonder if we didn't make a confusion between naming and > > specifications. I have thought about Kees idea and what you're saying: > > > > - The name "atomic_t" name

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Peter Zijlstra
On Fri, Nov 11, 2016 at 12:41:27PM +, Mark Rutland wrote: > On Fri, Nov 11, 2016 at 01:29:21AM +0100, Colin Vidal wrote: > > I wonder if we didn't make a confusion between naming and > > specifications. I have thought about Kees idea and what you're saying: > > > > - The name "atomic_t" name

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Mark Rutland
On Fri, Nov 11, 2016 at 01:29:21AM +0100, Colin Vidal wrote: > On Fri, 2016-11-11 at 00:57 +0100, Peter Zijlstra wrote: > > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH > > > wrote: > > > > On Thu, Nov 10,

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-11 Thread Mark Rutland
On Fri, Nov 11, 2016 at 01:29:21AM +0100, Colin Vidal wrote: > On Fri, 2016-11-11 at 00:57 +0100, Peter Zijlstra wrote: > > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH > > > wrote: > > > > On Thu, Nov 10, 2016 at 10:13:10PM +0100,

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Rik van Riel
On Thu, 2016-11-10 at 13:23 -0800, Kees Cook wrote: > If we don't use opt-out for atomics, we're going to be in the same > situation where we have to constantly review every commit with an > atomic for exploitable refcount flaws. Kicking this down from > "privilege escalation" to "DoS" is a

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Rik van Riel
On Thu, 2016-11-10 at 13:23 -0800, Kees Cook wrote: > If we don't use opt-out for atomics, we're going to be in the same > situation where we have to constantly review every commit with an > atomic for exploitable refcount flaws. Kicking this down from > "privilege escalation" to "DoS" is a

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 3:56 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 12:37 PM, Peter Zijlstra wrote: >> On Thu, Nov 10, 2016 at 10:24:35PM +0200, Elena Reshetova wrote: >>> This series brings the PaX/Grsecurity PAX_REFCOUNT >>> feature support

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 3:56 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 12:37 PM, Peter Zijlstra wrote: >> On Thu, Nov 10, 2016 at 10:24:35PM +0200, Elena Reshetova wrote: >>> This series brings the PaX/Grsecurity PAX_REFCOUNT >>> feature support to the upstream kernel. All credit for the

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Colin Vidal
On Fri, 2016-11-11 at 00:57 +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > > > > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > > > > > > >

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Colin Vidal
On Fri, 2016-11-11 at 00:57 +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > > > > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > > > > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > > > > > > > > > > > > > > As it stands

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Peter Zijlstra
On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > >> As it stands kref is a pointless wrapper. If it were to provide > >> something

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Peter Zijlstra
On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > >> As it stands kref is a pointless wrapper. If it were to provide > >> something actually useful, like wrap

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Greg KH
On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > (PeterZ went missing from your reply? I've added him back to the thread...) argh, not intentional at all, thanks for that... > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > On Thu, Nov 10, 2016 at

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Greg KH
On Thu, Nov 10, 2016 at 03:15:44PM -0800, Kees Cook wrote: > (PeterZ went missing from your reply? I've added him back to the thread...) argh, not intentional at all, thanks for that... > On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Kees Cook
(PeterZ went missing from your reply? I've added him back to the thread...) On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: >> On Thu, Nov 10, 2016 at 08:48:38PM +, Will Deacon wrote: >> > > That

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Kees Cook
(PeterZ went missing from your reply? I've added him back to the thread...) On Thu, Nov 10, 2016 at 2:27 PM, Greg KH wrote: > On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: >> On Thu, Nov 10, 2016 at 08:48:38PM +, Will Deacon wrote: >> > > That said, I still don't much like

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Greg KH
On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 08:48:38PM +, Will Deacon wrote: > > > That said, I still don't much like this. > > > > > > I would much rather you make kref useful and use that. It still means > > > you get to audit all refcounts in

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Greg KH
On Thu, Nov 10, 2016 at 10:13:10PM +0100, Peter Zijlstra wrote: > On Thu, Nov 10, 2016 at 08:48:38PM +, Will Deacon wrote: > > > That said, I still don't much like this. > > > > > > I would much rather you make kref useful and use that. It still means > > > you get to audit all refcounts in

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 4:27 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 1:23 PM, David Windsor wrote: >> On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: >>> On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 4:27 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 1:23 PM, David Windsor wrote: >> On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: >>> On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon wrote: On Thu, Nov 10, 2016 at 09:37:49PM +0100, Peter Zijlstra wrote: > On

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Peter Zijlstra
On Thu, Nov 10, 2016 at 04:23:08PM -0500, David Windsor wrote: > Discussions have been occurring since KSPP has begun: do we need a Note that I was not included in any of that. If you hide in a corner on the intartubes don't be surprised people have no clue what you're on about. > specialized

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Peter Zijlstra
On Thu, Nov 10, 2016 at 04:23:08PM -0500, David Windsor wrote: > Discussions have been occurring since KSPP has begun: do we need a Note that I was not included in any of that. If you hide in a corner on the intartubes don't be surprised people have no clue what you're on about. > specialized

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Kees Cook
On Thu, Nov 10, 2016 at 1:23 PM, David Windsor wrote: > On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: >> On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon wrote: >>> On Thu, Nov 10, 2016 at 09:37:49PM +0100, Peter Zijlstra wrote:

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread Kees Cook
On Thu, Nov 10, 2016 at 1:23 PM, David Windsor wrote: > On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: >> On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon wrote: >>> On Thu, Nov 10, 2016 at 09:37:49PM +0100, Peter Zijlstra wrote: On Thu, Nov 10, 2016 at 10:24:35PM +0200, Elena Reshetova

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon wrote: >> On Thu, Nov 10, 2016 at 09:37:49PM +0100, Peter Zijlstra wrote: >>> On Thu, Nov 10, 2016 at 10:24:35PM +0200, Elena Reshetova wrote: >>> > This

Re: [kernel-hardening] Re: [RFC v4 PATCH 00/13] HARDENED_ATOMIC

2016-11-10 Thread David Windsor
On Thu, Nov 10, 2016 at 4:01 PM, Kees Cook wrote: > On Thu, Nov 10, 2016 at 12:48 PM, Will Deacon wrote: >> On Thu, Nov 10, 2016 at 09:37:49PM +0100, Peter Zijlstra wrote: >>> On Thu, Nov 10, 2016 at 10:24:35PM +0200, Elena Reshetova wrote: >>> > This series brings the PaX/Grsecurity