Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Thu, Jul 20, 2017 at 5:34 AM, Eric W. Biederman
wrote:
> Ingo Molnar writes:
>
>> * Andrew Morton wrote:
>>
>>> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso
>>> wrote:
>>>
>>> > On Wed, 19 Jul 2017, Andrew Morton wrote:
>>> >
>>> > >I do rather dislike these conversions from the point of view of
>>> > >performance overhead and general code bloat. But I seem to have lost
>>> > >that struggle and I don't think any of these are fastpath(?).
>>> >
>>> > Well, since we now have fd25d19 (locking/refcount: Create unchecked
>>> > atomic_t
>>> > implementation), performance is supposed to be ok.
>>>
>>> Sure, things are OK for people who disable the feature.
>>
>> So with the WIP fast-refcount series from Kees:
>>
>> [PATCH v6 0/2] x86: Implement fast refcount overflow protection
>>
>> I believe the robustness difference between optimized-refcount_t and
>> full-refcount_t will be marginal.
>>
>> I.e. we'll be able to have both higher API safety _and_ performance.
>>
>>> But for people who want to enable the feature we really should minimize the
>>> cost
>>> by avoiding blindly converting sites which simply don't need it: simple,
>>> safe,
>>> old, well-tested code. Why go and slow down such code? Need to apply some
>>> common sense here...
>>
>> It's old, well-tested code _for existing, sane parameters_, until someone
>> finds a
>> decade old bug in one of these with an insane parameters no-one stumbled
>> upon so
>> far, and builds an exploit on top of it.
>>
>> Only by touching all these places do we have a chance to improve things
>> measurably
>> in terms of reducing the probability of bugs.
>
> The more I hear people pushing the upsides of refcount_t without
> considering the downsides the more I dislike it.
>
> - refcount_t is really the wrong thing because it uses saturation
> semantics. So by definition it includes a bug.
This is a feature, not a bug. :) If the kernel has a refcount overflow
flaw (which, in the pantheon of exploitable kernel bugs, is
_common_[1], as I've referenced earlier), then we're downgrading an
exploitable use-after-free to a harmless memory allocation leak. Even
if you don't include malicious attackers in the consideration, this
changes a memory corruption of unknown results into a memory leak.
That's actually an _improvement_ to availability and integrity.
> - refcount_t will only really prevent something if there is an extra
> increment. That is not the kind of bug people are likely to make.
Like I've said, this is common. This is usually a mistake in error
handling which forgets (or misplaces) a "put".
> - refcount_t won't help if you have an extra decrement. The bad
> use-after-free will still happen.
Yes, and not having a protected refcount_t will also allow a
use-after-free. There is no change here, so it's not a "downside" of
refcount_t. In fact, having gained the implicit annotation of
refcount_t being a refcounter (rather than a simple atomic_t) means
that auditing users is easier and more focused. This could reduce the
chance people make mistakes in the first place, especially since the
API is more constrained than atomic_t.
> - refcount_t won't help if there is a memory stomp. As with an extra
> decrement the bad use-after-free will still happen.
A stomp of the refcount_t value itself? Sure, and this remains as
vulnerable as atomic_t. This isn't a downside to refcount_t. And
again, since there _is_ checking of the value in places, it's possible
an actionable warning will be produced (though, yes, after the
use-after-free has been exposed), which is a benefit over simple
atomic_t. I mention this in the commit log ("better to maybe produce
the warning than be universally silent").
> So all I see is a huge amount of code churn to implement a buggy (by
> definition) refcounting API, that risks adding new bugs and only truly
> helps with bugs that are unlikely in the first place.
Given that the conversions alone have been uncovering refcount bugs
and that the implementation isn't "buggy" (it provides a specific set
of protections), I strongly disagree with your assessment.
> I really don't think this is an obvious slam dunk.
It entirely blocks a commonly exploitable flaw in the kernel. This
isn't a probabilistic mitigation, either. While I'm not sure I'd ever
describe a security protection as a slam dunk, I think this is up
there. :)
-Kees
[1] When I say "common", I'm speaking from the perspective of security
flaw frequency. The kernel sees about 1-2 high severity security flaws
a year (with an average lifetime of 5 years), and the
refcount-overflow use-after-free class of flaw is normally reliable
for attackers (and I'd classify as high severity). With 2016 seeing
two known separate refcount-overflow use-after-free flaws, this could
be better described as an epidemic, but I'll try to be less
inflammatory and just say "common".
--
Kees Cook
Pixel Security
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Ingo Molnar writes: > * Andrew Morton wrote: > >> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso wrote: >> >> > On Wed, 19 Jul 2017, Andrew Morton wrote: >> > >> > >I do rather dislike these conversions from the point of view of >> > >performance overhead and general code bloat. But I seem to have lost >> > >that struggle and I don't think any of these are fastpath(?). >> > >> > Well, since we now have fd25d19 (locking/refcount: Create unchecked >> > atomic_t >> > implementation), performance is supposed to be ok. >> >> Sure, things are OK for people who disable the feature. > > So with the WIP fast-refcount series from Kees: > > [PATCH v6 0/2] x86: Implement fast refcount overflow protection > > I believe the robustness difference between optimized-refcount_t and > full-refcount_t will be marginal. > > I.e. we'll be able to have both higher API safety _and_ performance. > >> But for people who want to enable the feature we really should minimize the >> cost >> by avoiding blindly converting sites which simply don't need it: simple, >> safe, >> old, well-tested code. Why go and slow down such code? Need to apply some >> common sense here... > > It's old, well-tested code _for existing, sane parameters_, until someone > finds a > decade old bug in one of these with an insane parameters no-one stumbled upon > so > far, and builds an exploit on top of it. > > Only by touching all these places do we have a chance to improve things > measurably > in terms of reducing the probability of bugs. The more I hear people pushing the upsides of refcount_t without considering the downsides the more I dislike it. - refcount_t is really the wrong thing because it uses saturation semantics. So by definition it includes a bug. - refcount_t will only really prevent something if there is an extra increment. That is not the kind of bug people are likely to make. - refcount_t won't help if you have an extra decrement. The bad use-after-free will still happen. - refcount_t won't help if there is a memory stomp. As with an extra decrement the bad use-after-free will still happen. So all I see is a huge amount of code churn to implement a buggy (by definition) refcounting API, that risks adding new bugs and only truly helps with bugs that are unlikely in the first place. I really don't think this is an obvious slam dunk. Eric
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
* Andrew Morton wrote: > On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso wrote: > > > On Wed, 19 Jul 2017, Andrew Morton wrote: > > > > >I do rather dislike these conversions from the point of view of > > >performance overhead and general code bloat. But I seem to have lost > > >that struggle and I don't think any of these are fastpath(?). > > > > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t > > implementation), performance is supposed to be ok. > > Sure, things are OK for people who disable the feature. So with the WIP fast-refcount series from Kees: [PATCH v6 0/2] x86: Implement fast refcount overflow protection I believe the robustness difference between optimized-refcount_t and full-refcount_t will be marginal. I.e. we'll be able to have both higher API safety _and_ performance. > But for people who want to enable the feature we really should minimize the > cost > by avoiding blindly converting sites which simply don't need it: simple, > safe, > old, well-tested code. Why go and slow down such code? Need to apply some > common sense here... It's old, well-tested code _for existing, sane parameters_, until someone finds a decade old bug in one of these with an insane parameters no-one stumbled upon so far, and builds an exploit on top of it. Only by touching all these places do we have a chance to improve things measurably in terms of reducing the probability of bugs. Thanks, Ingo
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Wed, Jul 19, 2017 at 4:20 PM, Kees Cook wrote: > On Wed, Jul 19, 2017 at 4:11 PM, Davidlohr Bueso wrote: >> May I suggest using mmtests with the following config file: >> >> https://github.com/gormanm/mmtests/blob/7e070a810bc0af92e592e5121d0ea75fada51aeb/configs/config-global-dhp__workload-ipc-scale-short >> >> It will run two of Manfred's ipcscale sem benchmarks. > > I'll see if I can figure out how to use this for testing the fast > refcount protection: > https://lkml.org/lkml/2017/7/18/1223 > > Then we could see: > > before conversion > after conversion > with CONFIG_REFCOUNT_FULL > with fast refcount protection I have no idea how to read this report. It seems to be mostly noise (multiple baseline runs seem to show greater variability than compared against the other possible results). Test runs were atomic_t, atomic_t-2, refcount_t, refcount-full, and refcount-fast. (Two baselines, refcount_t conversion, with FULL, and with the fast implementation.) Output here: http://pastebin.ubuntu.com/25129382/ -Kees -- Kees Cook Pixel Security
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Wed, Jul 19, 2017 at 4:11 PM, Davidlohr Bueso wrote: > On Wed, 19 Jul 2017, Andrew Morton wrote: > >> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso >> wrote: >> >>> On Wed, 19 Jul 2017, Andrew Morton wrote: >>> >>> >I do rather dislike these conversions from the point of view of >>> >performance overhead and general code bloat. But I seem to have lost >>> >that struggle and I don't think any of these are fastpath(?). >>> >>> Well, since we now have fd25d19 (locking/refcount: Create unchecked >>> atomic_t >>> implementation), performance is supposed to be ok. >> >> >> Sure, things are OK for people who disable the feature. FWIW, it's off by default. >> >> But for people who want to enable the feature we really should minimize >> the cost by avoiding blindly converting sites which simply don't need >> it: simple, safe, old, well-tested code. Why go and slow down such >> code? Need to apply some common sense here... These are the very code paths we'd want to make sure are well protected since people may never expect them to misbehave when some "small change" goes in. > Fair points. > >>> It would be lovely to have >>> some actual numbers nonetheless. >> >> Very much so. > > May I suggest using mmtests with the following config file: > > https://github.com/gormanm/mmtests/blob/7e070a810bc0af92e592e5121d0ea75fada51aeb/configs/config-global-dhp__workload-ipc-scale-short > > It will run two of Manfred's ipcscale sem benchmarks. I'll see if I can figure out how to use this for testing the fast refcount protection: https://lkml.org/lkml/2017/7/18/1223 Then we could see: before conversion after conversion with CONFIG_REFCOUNT_FULL with fast refcount protection -Kees -- Kees Cook Pixel Security
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Wed, 19 Jul 2017, Andrew Morton wrote: On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso wrote: On Wed, 19 Jul 2017, Andrew Morton wrote: >I do rather dislike these conversions from the point of view of >performance overhead and general code bloat. But I seem to have lost >that struggle and I don't think any of these are fastpath(?). Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t implementation), performance is supposed to be ok. Sure, things are OK for people who disable the feature. But for people who want to enable the feature we really should minimize the cost by avoiding blindly converting sites which simply don't need it: simple, safe, old, well-tested code. Why go and slow down such code? Need to apply some common sense here... Fair points. It would be lovely to have some actual numbers nonetheless. Very much so. May I suggest using mmtests with the following config file: https://github.com/gormanm/mmtests/blob/7e070a810bc0af92e592e5121d0ea75fada51aeb/configs/config-global-dhp__workload-ipc-scale-short It will run two of Manfred's ipcscale sem benchmarks. Thanks, Davidlohr
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso wrote: > On Wed, 19 Jul 2017, Andrew Morton wrote: > > >I do rather dislike these conversions from the point of view of > >performance overhead and general code bloat. But I seem to have lost > >that struggle and I don't think any of these are fastpath(?). > > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t > implementation), performance is supposed to be ok. Sure, things are OK for people who disable the feature. But for people who want to enable the feature we really should minimize the cost by avoiding blindly converting sites which simply don't need it: simple, safe, old, well-tested code. Why go and slow down such code? Need to apply some common sense here... > It would be lovely to have > some actual numbers nonetheless. Very much so.
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Wed, 19 Jul 2017, Andrew Morton wrote: I do rather dislike these conversions from the point of view of performance overhead and general code bloat. But I seem to have lost that struggle and I don't think any of these are fastpath(?). Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t implementation), performance is supposed to be ok. It would be lovely to have some actual numbers nonetheless. Thanks, Davidlohr
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Sun, 09 Jul 2017 16:59:55 -0500 ebied...@xmission.com (Eric W. Biederman) wrote: > Elena Reshetova writes: > > > refcount_t type and corresponding API should be > > used instead of atomic_t when the variable is used as > > a reference counter. This allows to avoid accidental > > refcounter overflows that might lead to use-after-free > > situations. > > In this patch you can see all of the uses of the count. > What accidental refcount overflows are possible? I do rather dislike these conversions from the point of view of performance overhead and general code bloat. But I seem to have lost that struggle and I don't think any of these are fastpath(?).
RE: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
> "Reshetova, Elena" writes: > > >> "Reshetova, Elena" writes: > >> > >> >> "Reshetova, Elena" writes: > >> >> > >> >> 2>> Elena Reshetova writes: > >> >> >> > >> >> >> > refcount_t type and corresponding API should be > >> >> >> > used instead of atomic_t when the variable is used as > >> >> >> > a reference counter. This allows to avoid accidental > >> >> >> > refcounter overflows that might lead to use-after-free > >> >> >> > situations. > >> >> >> > >> >> >> In this patch you can see all of the uses of the count. > >> >> >> What accidental refcount overflows are possible? > >> >> > > >> >> > Even if one can guarantee and prove that in the current implementation > >> >> > there are no overflows possible, we can't say that for > >> >> > sure for any future implementation. Bugs might always happen > >> >> > unfortunately, but if we convert the refcounter to a safer > >> >> > type we can be sure that overflows are not possible. > >> >> > > >> >> > Does it make sense to you? > >> >> > >> >> Not for code that is likely to remain unchanged for a decade no. > >> > > >> > Can we really be sure for any kernel code about this? And does it make > >> > sense to trust our security on a fact like this? > >> > >> But refcount_t doesn't fix anything. At best it changes a bad bug to a > >> less bad bug. So now my machine OOMS instead of allows a memory > >> overwrite. It still doesn't work. > > > > Well, it is a step forward from security standpoint. OOMS is really hard > > to exploit vs. memory overwrites. Pretty much all exploits need either > > memory write or memory read, out of memory is really much harder to > > exploit. > > OOM in production is a denial of service attack. From a serverity point > of view an OOM can be considered equivalent to a kernel panic and > something that requires a box to reboot. Denial of service is usually (unless the system is designed poorly) not the highest security concern. It is one thing to get your system down for a certain period of time vs. telling your customers that all your database of their data and credit cards info is now public in the Internet. So, I would still stand by the statement that it makes the situation better. > > From a long term perspective I expect we will need to change all > reference counters to a type where that is not saturating but instead > fails to increment and returns an error. If we want to keep a system > functioning in the face of maxing out a reference count that is the only > way it can truly be done. I think the work on refcount_t internals will continue. We have a number of things that need to be improved further. Kees has first set of patches in work now, and no one expects it to be the last. However, we also do need to make conversions in the kernel, otherwise we are not moving anywhere and it is also easier to test implications of changes inside refcount_t on as many converted cases as possible when they are merged. > > >> Plus refcount_t does not provide any safety on the architectures where > >> it is a noop. > > > > Not sure I understood this. What do you mean by "noop"? > > refcount_t is currently architecture independent. > > noop being short for no operation. > > I believe there were some/most archicture implementations that define > refcount_t to atomic_t out of performance concerns. I know I saw > patches fly by to that effect. On an architecture where refcount_t is > equivalent to atomic_t the change in these patches is a noop. This choice isn't architecture-dependent now. It is defaults to atomic_t for all architectures unless CONFIG_REFCOUNT_FULL is enabled (then it is arch. independent refcount_t implementation). Next set of patches (still under review) provides x86 arch. dependent fast refcount_t implementation. > > >> >> This looks like a large set of unautomated changes without any real > >> >> thought put into it. > >> > > >> > We are soon into the end of the first year that we started to look into > >> > refcounter overflow/underflow problem and coming up this far was > >> > not easy enough (just check all the millions of emails on > >> > kernel-hardening > >> > mailing list). Each refcount_t conversion candidate was first found by > Coccinelle > >> > analysis and then manually checked and converted. The story of > >> > refcount_t API and all discussions go even further. > >> > So you can't really claim that there is no " thought put into it " :) > >> > >> But the conversion of the instance happens without thought and manually. > >> Which is a good recipe for typos. Which is what I am saying. > >> > >> There have been lots of conversions like that in the kernel and > >> practically every one has introduced at least one typo. > > > > What do you exactly mean by "typo"? Typos should be detected at these > > stages: > > An unintentional mistake. The term "thinko" might be more what I am > thinking of. Many human mistakes are not slips of the fingers but > accidentally giving the wrong comma
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
"Reshetova, Elena" writes: >> "Reshetova, Elena" writes: >> >> >> "Reshetova, Elena" writes: >> >> >> >> 2>> Elena Reshetova writes: >> >> >> >> >> >> > refcount_t type and corresponding API should be >> >> >> > used instead of atomic_t when the variable is used as >> >> >> > a reference counter. This allows to avoid accidental >> >> >> > refcounter overflows that might lead to use-after-free >> >> >> > situations. >> >> >> >> >> >> In this patch you can see all of the uses of the count. >> >> >> What accidental refcount overflows are possible? >> >> > >> >> > Even if one can guarantee and prove that in the current implementation >> >> > there are no overflows possible, we can't say that for >> >> > sure for any future implementation. Bugs might always happen >> >> > unfortunately, but if we convert the refcounter to a safer >> >> > type we can be sure that overflows are not possible. >> >> > >> >> > Does it make sense to you? >> >> >> >> Not for code that is likely to remain unchanged for a decade no. >> > >> > Can we really be sure for any kernel code about this? And does it make >> > sense to trust our security on a fact like this? >> >> But refcount_t doesn't fix anything. At best it changes a bad bug to a >> less bad bug. So now my machine OOMS instead of allows a memory >> overwrite. It still doesn't work. > > Well, it is a step forward from security standpoint. OOMS is really hard > to exploit vs. memory overwrites. Pretty much all exploits need either > memory write or memory read, out of memory is really much harder to > exploit. OOM in production is a denial of service attack. From a serverity point of view an OOM can be considered equivalent to a kernel panic and something that requires a box to reboot. >From a long term perspective I expect we will need to change all reference counters to a type where that is not saturating but instead fails to increment and returns an error. If we want to keep a system functioning in the face of maxing out a reference count that is the only way it can truly be done. >> Plus refcount_t does not provide any safety on the architectures where >> it is a noop. > > Not sure I understood this. What do you mean by "noop"? > refcount_t is currently architecture independent. noop being short for no operation. I believe there were some/most archicture implementations that define refcount_t to atomic_t out of performance concerns. I know I saw patches fly by to that effect. On an architecture where refcount_t is equivalent to atomic_t the change in these patches is a noop. >> >> This looks like a large set of unautomated changes without any real >> >> thought put into it. >> > >> > We are soon into the end of the first year that we started to look into >> > refcounter overflow/underflow problem and coming up this far was >> > not easy enough (just check all the millions of emails on kernel-hardening >> > mailing list). Each refcount_t conversion candidate was first found by >> > Coccinelle >> > analysis and then manually checked and converted. The story of >> > refcount_t API and all discussions go even further. >> > So you can't really claim that there is no " thought put into it " :) >> >> But the conversion of the instance happens without thought and manually. >> Which is a good recipe for typos. Which is what I am saying. >> >> There have been lots of conversions like that in the kernel and >> practically every one has introduced at least one typo. > > What do you exactly mean by "typo"? Typos should be detected at these > stages: An unintentional mistake. The term "thinko" might be more what I am thinking of. Many human mistakes are not slips of the fingers but accidentally giving the wrong command at some level. > 1) typos like wrong function name etc. can be found at compile time > (trust me I have found a number of these on the very first iteration with > patches) > 2) "typos" (not sure if it is correct to call them typos) like usage of wrong > refcount_t > API vs. original atomic_t API can be found during internal reviews or > reviews by maintainers This I worry about most as the mental distance from xxx_inc to xxx_dec can be very short. > 3) much bigger problem is actually not any typos, but hidden issues that show > up only > in run-time that detect underflows/overflows or inability to increment > from zero. > These only are nasty, but given that refcount_t WARNs left and right about > them, > we can detect them fast. Which means I worry about those less. > I don't know what is a better recipe for doing API changes like this? > Do you have any suggestions? I would think a semantic patch targeting a specific lock would be less error prone. I would think that the same semantic patch could be used from lock to lock with just a change of the lock that is being targeted. I strongly suspect that would reduce the chance of accident when dealing with a particular API and being scripted would increase the c
RE: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
> "Reshetova, Elena" writes: > > >> "Reshetova, Elena" writes: > >> > >> 2>> Elena Reshetova writes: > >> >> > >> >> > refcount_t type and corresponding API should be > >> >> > used instead of atomic_t when the variable is used as > >> >> > a reference counter. This allows to avoid accidental > >> >> > refcounter overflows that might lead to use-after-free > >> >> > situations. > >> >> > >> >> In this patch you can see all of the uses of the count. > >> >> What accidental refcount overflows are possible? > >> > > >> > Even if one can guarantee and prove that in the current implementation > >> > there are no overflows possible, we can't say that for > >> > sure for any future implementation. Bugs might always happen > >> > unfortunately, but if we convert the refcounter to a safer > >> > type we can be sure that overflows are not possible. > >> > > >> > Does it make sense to you? > >> > >> Not for code that is likely to remain unchanged for a decade no. > > > > Can we really be sure for any kernel code about this? And does it make > > sense to trust our security on a fact like this? > > But refcount_t doesn't fix anything. At best it changes a bad bug to a > less bad bug. So now my machine OOMS instead of allows a memory > overwrite. It still doesn't work. Well, it is a step forward from security standpoint. OOMS is really hard to exploit vs. memory overwrites. Pretty much all exploits need either memory write or memory read, out of memory is really much harder to exploit. > > Plus refcount_t does not provide any safety on the architectures where > it is a noop. Not sure I understood this. What do you mean by "noop"? refcount_t is currently architecture independent. > > >> This looks like a large set of unautomated changes without any real > >> thought put into it. > > > > We are soon into the end of the first year that we started to look into > > refcounter overflow/underflow problem and coming up this far was > > not easy enough (just check all the millions of emails on kernel-hardening > > mailing list). Each refcount_t conversion candidate was first found by > > Coccinelle > > analysis and then manually checked and converted. The story of > > refcount_t API and all discussions go even further. > > So you can't really claim that there is no " thought put into it " :) > > But the conversion of the instance happens without thought and manually. > Which is a good recipe for typos. Which is what I am saying. > > There have been lots of conversions like that in the kernel and > practically every one has introduced at least one typo. What do you exactly mean by "typo"? Typos should be detected at these stages: 1) typos like wrong function name etc. can be found at compile time (trust me I have found a number of these on the very first iteration with patches) 2) "typos" (not sure if it is correct to call them typos) like usage of wrong refcount_t API vs. original atomic_t API can be found during internal reviews or reviews by maintainers 3) much bigger problem is actually not any typos, but hidden issues that show up only in run-time that detect underflows/overflows or inability to increment from zero. These only are nasty, but given that refcount_t WARNs left and right about them, we can detect them fast. I don't know what is a better recipe for doing API changes like this? Do you have any suggestions? > > So from an engineering standpoint it is a very valid question to ask > about. And I find the apparent insistence that you don't make typos > very disturbing. > > > That almost always results in a typo somewhere > >> that breaks things. > >> > >> So there is no benefit to the code, and a non-zero chance that there > >> will be a typo breaking the code. > > > > The code is very active on issuing WARNs when anything goes wrong. > > Using this feature we have not only found errors in conversions, but > > sometimes errors in code itself. So, any bug would be actually much > > faster visible than using old atomic_t interface. > > > > In addition by default refcount_t equals to atomic, which also gives a > > possibility to make a softer transition and catch all related bugs in couple > > of cycles when enabling CONFIG_REFCOUNT_FULL. > > But if you make a typo and change one operation for another I don't see > how any of that applies. It is hard to make a "typo" to change one operation to another. It is not a one-two char mismatch error. When doing these patches we followed the logic of "less code changes - better" (since less chances of making mistake), so if in some cases functions are changed (like from atomic_sub to refcount_sub_and_test(), or from atomic_inc_not_zero() to atomic_inc() etc.) there was a reason for making it and the change wasn't automatic and without thinking at all. Again, we do have our maintainers also to catch if a change that we did doesn't actually work for them right? Best Regards, Elena. > > And that is what it looks like I w
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
"Reshetova, Elena" writes: >> "Reshetova, Elena" writes: >> >> 2>> Elena Reshetova writes: >> >> >> >> > refcount_t type and corresponding API should be >> >> > used instead of atomic_t when the variable is used as >> >> > a reference counter. This allows to avoid accidental >> >> > refcounter overflows that might lead to use-after-free >> >> > situations. >> >> >> >> In this patch you can see all of the uses of the count. >> >> What accidental refcount overflows are possible? >> > >> > Even if one can guarantee and prove that in the current implementation >> > there are no overflows possible, we can't say that for >> > sure for any future implementation. Bugs might always happen >> > unfortunately, but if we convert the refcounter to a safer >> > type we can be sure that overflows are not possible. >> > >> > Does it make sense to you? >> >> Not for code that is likely to remain unchanged for a decade no. > > Can we really be sure for any kernel code about this? And does it make > sense to trust our security on a fact like this? But refcount_t doesn't fix anything. At best it changes a bad bug to a less bad bug. So now my machine OOMS instead of allows a memory overwrite. It still doesn't work. Plus refcount_t does not provide any safety on the architectures where it is a noop. >> This looks like a large set of unautomated changes without any real >> thought put into it. > > We are soon into the end of the first year that we started to look into > refcounter overflow/underflow problem and coming up this far was > not easy enough (just check all the millions of emails on kernel-hardening > mailing list). Each refcount_t conversion candidate was first found by > Coccinelle > analysis and then manually checked and converted. The story of > refcount_t API and all discussions go even further. > So you can't really claim that there is no " thought put into it " :) But the conversion of the instance happens without thought and manually. Which is a good recipe for typos. Which is what I am saying. There have been lots of conversions like that in the kernel and practically every one has introduced at least one typo. So from an engineering standpoint it is a very valid question to ask about. And I find the apparent insistence that you don't make typos very disturbing. > That almost always results in a typo somewhere >> that breaks things. >> >> So there is no benefit to the code, and a non-zero chance that there >> will be a typo breaking the code. > > The code is very active on issuing WARNs when anything goes wrong. > Using this feature we have not only found errors in conversions, but > sometimes errors in code itself. So, any bug would be actually much > faster visible than using old atomic_t interface. > > In addition by default refcount_t equals to atomic, which also gives a > possibility to make a softer transition and catch all related bugs in couple > of cycles when enabling CONFIG_REFCOUNT_FULL. But if you make a typo and change one operation for another I don't see how any of that applies. And that is what it looks like I we are looking at here. Eric
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Alexey Dobriyan writes: > On Mon, Jul 10, 2017 at 11:37 AM, Eric W. Biederman > wrote: >> "Reshetova, Elena" writes: >> >> 2>> Elena Reshetova writes: > refcount_t type and corresponding API should be > used instead of atomic_t when the variable is used as > a reference counter. This allows to avoid accidental > refcounter overflows that might lead to use-after-free > situations. In this patch you can see all of the uses of the count. What accidental refcount overflows are possible? >>> >>> Even if one can guarantee and prove that in the current implementation >>> there are no overflows possible, we can't say that for >>> sure for any future implementation. Bugs might always happen >>> unfortunately, but if we convert the refcounter to a safer >>> type we can be sure that overflows are not possible. >>> >>> Does it make sense to you? >> >> Not for code that is likely to remain unchanged for a decade no. >> >> This looks like a large set of unautomated changes without any real >> thought put into it. That almost always results in a typo somewhere >> that breaks things. > > This is nonsense. The wrong code would simply emit a warning > which are caught very quickly. That depends on the typo. Eric
RE: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
> "Reshetova, Elena" writes: > > 2>> Elena Reshetova writes: > >> > >> > refcount_t type and corresponding API should be > >> > used instead of atomic_t when the variable is used as > >> > a reference counter. This allows to avoid accidental > >> > refcounter overflows that might lead to use-after-free > >> > situations. > >> > >> In this patch you can see all of the uses of the count. > >> What accidental refcount overflows are possible? > > > > Even if one can guarantee and prove that in the current implementation > > there are no overflows possible, we can't say that for > > sure for any future implementation. Bugs might always happen > > unfortunately, but if we convert the refcounter to a safer > > type we can be sure that overflows are not possible. > > > > Does it make sense to you? > > Not for code that is likely to remain unchanged for a decade no. Can we really be sure for any kernel code about this? And does it make sense to trust our security on a fact like this? > > This looks like a large set of unautomated changes without any real > thought put into it. We are soon into the end of the first year that we started to look into refcounter overflow/underflow problem and coming up this far was not easy enough (just check all the millions of emails on kernel-hardening mailing list). Each refcount_t conversion candidate was first found by Coccinelle analysis and then manually checked and converted. The story of refcount_t API and all discussions go even further. So you can't really claim that there is no " thought put into it " :) That almost always results in a typo somewhere > that breaks things. > > So there is no benefit to the code, and a non-zero chance that there > will be a typo breaking the code. The code is very active on issuing WARNs when anything goes wrong. Using this feature we have not only found errors in conversions, but sometimes errors in code itself. So, any bug would be actually much faster visible than using old atomic_t interface. In addition by default refcount_t equals to atomic, which also gives a possibility to make a softer transition and catch all related bugs in couple of cycles when enabling CONFIG_REFCOUNT_FULL. Best Regards, Elena. > > All to harden the code for an unlikely future when the code is > updated with a full test cycle and people paying attention. > > Introduce a bug now to avoid a bug in the future. That seems like a > very poor engineering trade off. > > Eric
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Mon, Jul 10, 2017 at 11:37 AM, Eric W. Biederman wrote: > "Reshetova, Elena" writes: > > 2>> Elena Reshetova writes: >>> >>> > refcount_t type and corresponding API should be >>> > used instead of atomic_t when the variable is used as >>> > a reference counter. This allows to avoid accidental >>> > refcounter overflows that might lead to use-after-free >>> > situations. >>> >>> In this patch you can see all of the uses of the count. >>> What accidental refcount overflows are possible? >> >> Even if one can guarantee and prove that in the current implementation >> there are no overflows possible, we can't say that for >> sure for any future implementation. Bugs might always happen >> unfortunately, but if we convert the refcounter to a safer >> type we can be sure that overflows are not possible. >> >> Does it make sense to you? > > Not for code that is likely to remain unchanged for a decade no. > > This looks like a large set of unautomated changes without any real > thought put into it. That almost always results in a typo somewhere > that breaks things. This is nonsense. The wrong code would simply emit a warning which are caught very quickly. > So there is no benefit to the code, and a non-zero chance that there > will be a typo breaking the code.
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
"Reshetova, Elena" writes: 2>> Elena Reshetova writes: >> >> > refcount_t type and corresponding API should be >> > used instead of atomic_t when the variable is used as >> > a reference counter. This allows to avoid accidental >> > refcounter overflows that might lead to use-after-free >> > situations. >> >> In this patch you can see all of the uses of the count. >> What accidental refcount overflows are possible? > > Even if one can guarantee and prove that in the current implementation > there are no overflows possible, we can't say that for > sure for any future implementation. Bugs might always happen > unfortunately, but if we convert the refcounter to a safer > type we can be sure that overflows are not possible. > > Does it make sense to you? Not for code that is likely to remain unchanged for a decade no. This looks like a large set of unautomated changes without any real thought put into it. That almost always results in a typo somewhere that breaks things. So there is no benefit to the code, and a non-zero chance that there will be a typo breaking the code. All to harden the code for an unlikely future when the code is updated with a full test cycle and people paying attention. Introduce a bug now to avoid a bug in the future. That seems like a very poor engineering trade off. Eric
RE: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
> Elena Reshetova writes:
>
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
>
> In this patch you can see all of the uses of the count.
> What accidental refcount overflows are possible?
Even if one can guarantee and prove that in the current implementation
there are no overflows possible, we can't say that for
sure for any future implementation. Bugs might always happen
unfortunately, but if we convert the refcounter to a safer
type we can be sure that overflows are not possible.
Does it make sense to you?
Best Regards,
Elena.
>
> Eric
>
> > Signed-off-by: Elena Reshetova
> > Signed-off-by: Hans Liljestrand
> > Signed-off-by: Kees Cook
> > Signed-off-by: David Windsor
> > ---
> > include/linux/ipc_namespace.h | 5 +++--
> > ipc/msgutil.c | 2 +-
> > ipc/namespace.c | 4 ++--
> > 3 files changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> > index 65327ee..e81445c 100644
> > --- a/include/linux/ipc_namespace.h
> > +++ b/include/linux/ipc_namespace.h
> > @@ -7,6 +7,7 @@
> > #include
> > #include
> > #include
> > +#include
> >
> > struct user_namespace;
> >
> > @@ -19,7 +20,7 @@ struct ipc_ids {
> > };
> >
> > struct ipc_namespace {
> > - atomic_tcount;
> > + refcount_t count;
> > struct ipc_ids ids[3];
> >
> > int sem_ctls[4];
> > @@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long
> flags,
> > static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
> > {
> > if (ns)
> > - atomic_inc(&ns->count);
> > + refcount_inc(&ns->count);
> > return ns;
> > }
> >
> > diff --git a/ipc/msgutil.c b/ipc/msgutil.c
> > index bf74eaa..8459802 100644
> > --- a/ipc/msgutil.c
> > +++ b/ipc/msgutil.c
> > @@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock);
> > * and not CONFIG_IPC_NS.
> > */
> > struct ipc_namespace init_ipc_ns = {
> > - .count = ATOMIC_INIT(1),
> > + .count = REFCOUNT_INIT(1),
> > .user_ns = &init_user_ns,
> > .ns.inum = PROC_IPC_INIT_INO,
> > #ifdef CONFIG_IPC_NS
> > diff --git a/ipc/namespace.c b/ipc/namespace.c
> > index b4d80f9..7af6e6b 100644
> > --- a/ipc/namespace.c
> > +++ b/ipc/namespace.c
> > @@ -50,7 +50,7 @@ static struct ipc_namespace *create_ipc_ns(struct
> user_namespace *user_ns,
> > goto fail_free;
> > ns->ns.ops = &ipcns_operations;
> >
> > - atomic_set(&ns->count, 1);
> > + refcount_set(&ns->count, 1);
> > ns->user_ns = get_user_ns(user_ns);
> > ns->ucounts = ucounts;
> >
> > @@ -144,7 +144,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
> > */
> > void put_ipc_ns(struct ipc_namespace *ns)
> > {
> > - if (atomic_dec_and_lock(&ns->count, &mq_lock)) {
> > + if (refcount_dec_and_lock(&ns->count, &mq_lock)) {
> > mq_clear_sbinfo(ns);
> > spin_unlock(&mq_lock);
> > mq_put_mnt(ns);
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Elena Reshetova writes:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
In this patch you can see all of the uses of the count.
What accidental refcount overflows are possible?
Eric
> Signed-off-by: Elena Reshetova
> Signed-off-by: Hans Liljestrand
> Signed-off-by: Kees Cook
> Signed-off-by: David Windsor
> ---
> include/linux/ipc_namespace.h | 5 +++--
> ipc/msgutil.c | 2 +-
> ipc/namespace.c | 4 ++--
> 3 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> index 65327ee..e81445c 100644
> --- a/include/linux/ipc_namespace.h
> +++ b/include/linux/ipc_namespace.h
> @@ -7,6 +7,7 @@
> #include
> #include
> #include
> +#include
>
> struct user_namespace;
>
> @@ -19,7 +20,7 @@ struct ipc_ids {
> };
>
> struct ipc_namespace {
> - atomic_tcount;
> + refcount_t count;
> struct ipc_ids ids[3];
>
> int sem_ctls[4];
> @@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long
> flags,
> static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
> {
> if (ns)
> - atomic_inc(&ns->count);
> + refcount_inc(&ns->count);
> return ns;
> }
>
> diff --git a/ipc/msgutil.c b/ipc/msgutil.c
> index bf74eaa..8459802 100644
> --- a/ipc/msgutil.c
> +++ b/ipc/msgutil.c
> @@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock);
> * and not CONFIG_IPC_NS.
> */
> struct ipc_namespace init_ipc_ns = {
> - .count = ATOMIC_INIT(1),
> + .count = REFCOUNT_INIT(1),
> .user_ns = &init_user_ns,
> .ns.inum = PROC_IPC_INIT_INO,
> #ifdef CONFIG_IPC_NS
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index b4d80f9..7af6e6b 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -50,7 +50,7 @@ static struct ipc_namespace *create_ipc_ns(struct
> user_namespace *user_ns,
> goto fail_free;
> ns->ns.ops = &ipcns_operations;
>
> - atomic_set(&ns->count, 1);
> + refcount_set(&ns->count, 1);
> ns->user_ns = get_user_ns(user_ns);
> ns->ucounts = ucounts;
>
> @@ -144,7 +144,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
> */
> void put_ipc_ns(struct ipc_namespace *ns)
> {
> - if (atomic_dec_and_lock(&ns->count, &mq_lock)) {
> + if (refcount_dec_and_lock(&ns->count, &mq_lock)) {
> mq_clear_sbinfo(ns);
> spin_unlock(&mq_lock);
> mq_put_mnt(ns);
[PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova
Signed-off-by: Hans Liljestrand
Signed-off-by: Kees Cook
Signed-off-by: David Windsor
---
include/linux/ipc_namespace.h | 5 +++--
ipc/msgutil.c | 2 +-
ipc/namespace.c | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
index 65327ee..e81445c 100644
--- a/include/linux/ipc_namespace.h
+++ b/include/linux/ipc_namespace.h
@@ -7,6 +7,7 @@
#include
#include
#include
+#include
struct user_namespace;
@@ -19,7 +20,7 @@ struct ipc_ids {
};
struct ipc_namespace {
- atomic_tcount;
+ refcount_t count;
struct ipc_ids ids[3];
int sem_ctls[4];
@@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long flags,
static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
{
if (ns)
- atomic_inc(&ns->count);
+ refcount_inc(&ns->count);
return ns;
}
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index bf74eaa..8459802 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock);
* and not CONFIG_IPC_NS.
*/
struct ipc_namespace init_ipc_ns = {
- .count = ATOMIC_INIT(1),
+ .count = REFCOUNT_INIT(1),
.user_ns = &init_user_ns,
.ns.inum = PROC_IPC_INIT_INO,
#ifdef CONFIG_IPC_NS
diff --git a/ipc/namespace.c b/ipc/namespace.c
index b4d80f9..7af6e6b 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -50,7 +50,7 @@ static struct ipc_namespace *create_ipc_ns(struct
user_namespace *user_ns,
goto fail_free;
ns->ns.ops = &ipcns_operations;
- atomic_set(&ns->count, 1);
+ refcount_set(&ns->count, 1);
ns->user_ns = get_user_ns(user_ns);
ns->ucounts = ucounts;
@@ -144,7 +144,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
*/
void put_ipc_ns(struct ipc_namespace *ns)
{
- if (atomic_dec_and_lock(&ns->count, &mq_lock)) {
+ if (refcount_dec_and_lock(&ns->count, &mq_lock)) {
mq_clear_sbinfo(ns);
spin_unlock(&mq_lock);
mq_put_mnt(ns);
--
2.7.4
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On 05/27/2017 09:41 PM, Kees Cook wrote: On Mon, Feb 20, 2017 at 3:29 AM, Elena Reshetova wrote: refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Manfred, is this okay by you? I think this should go via -mm... The patch is ok, the refcounters are not in the critical path. I'll try to test the patches and then I would send an 'Acked-by', but this will take some days. -- Manfred
Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
On Mon, Feb 20, 2017 at 3:29 AM, Elena Reshetova
wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova
> Signed-off-by: Hans Liljestrand
> Signed-off-by: Kees Cook
> Signed-off-by: David Windsor
Manfred, is this okay by you? I think this should go via -mm...
-Kees
> ---
> include/linux/ipc_namespace.h | 5 +++--
> ipc/msgutil.c | 2 +-
> ipc/namespace.c | 4 ++--
> 3 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> index 848e579..7230638 100644
> --- a/include/linux/ipc_namespace.h
> +++ b/include/linux/ipc_namespace.h
> @@ -7,6 +7,7 @@
> #include
> #include
> #include
> +#include
>
> struct user_namespace;
>
> @@ -19,7 +20,7 @@ struct ipc_ids {
> };
>
> struct ipc_namespace {
> - atomic_tcount;
> + refcount_t count;
> struct ipc_ids ids[3];
>
> int sem_ctls[4];
> @@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long
> flags,
> static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
> {
> if (ns)
> - atomic_inc(&ns->count);
> + refcount_inc(&ns->count);
> return ns;
> }
>
> diff --git a/ipc/msgutil.c b/ipc/msgutil.c
> index bf74eaa..8459802 100644
> --- a/ipc/msgutil.c
> +++ b/ipc/msgutil.c
> @@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock);
> * and not CONFIG_IPC_NS.
> */
> struct ipc_namespace init_ipc_ns = {
> - .count = ATOMIC_INIT(1),
> + .count = REFCOUNT_INIT(1),
> .user_ns = &init_user_ns,
> .ns.inum = PROC_IPC_INIT_INO,
> #ifdef CONFIG_IPC_NS
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index 0abdea4..ed10bbc 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -48,7 +48,7 @@ static struct ipc_namespace *create_ipc_ns(struct
> user_namespace *user_ns,
> goto fail_free;
> ns->ns.ops = &ipcns_operations;
>
> - atomic_set(&ns->count, 1);
> + refcount_set(&ns->count, 1);
> ns->user_ns = get_user_ns(user_ns);
> ns->ucounts = ucounts;
>
> @@ -142,7 +142,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
> */
> void put_ipc_ns(struct ipc_namespace *ns)
> {
> - if (atomic_dec_and_lock(&ns->count, &mq_lock)) {
> + if (refcount_dec_and_lock(&ns->count, &mq_lock)) {
> mq_clear_sbinfo(ns);
> spin_unlock(&mq_lock);
> mq_put_mnt(ns);
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
[PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova
Signed-off-by: Hans Liljestrand
Signed-off-by: Kees Cook
Signed-off-by: David Windsor
---
include/linux/ipc_namespace.h | 5 +++--
ipc/msgutil.c | 2 +-
ipc/namespace.c | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
index 848e579..7230638 100644
--- a/include/linux/ipc_namespace.h
+++ b/include/linux/ipc_namespace.h
@@ -7,6 +7,7 @@
#include
#include
#include
+#include
struct user_namespace;
@@ -19,7 +20,7 @@ struct ipc_ids {
};
struct ipc_namespace {
- atomic_tcount;
+ refcount_t count;
struct ipc_ids ids[3];
int sem_ctls[4];
@@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long flags,
static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns)
{
if (ns)
- atomic_inc(&ns->count);
+ refcount_inc(&ns->count);
return ns;
}
diff --git a/ipc/msgutil.c b/ipc/msgutil.c
index bf74eaa..8459802 100644
--- a/ipc/msgutil.c
+++ b/ipc/msgutil.c
@@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock);
* and not CONFIG_IPC_NS.
*/
struct ipc_namespace init_ipc_ns = {
- .count = ATOMIC_INIT(1),
+ .count = REFCOUNT_INIT(1),
.user_ns = &init_user_ns,
.ns.inum = PROC_IPC_INIT_INO,
#ifdef CONFIG_IPC_NS
diff --git a/ipc/namespace.c b/ipc/namespace.c
index 0abdea4..ed10bbc 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -48,7 +48,7 @@ static struct ipc_namespace *create_ipc_ns(struct
user_namespace *user_ns,
goto fail_free;
ns->ns.ops = &ipcns_operations;
- atomic_set(&ns->count, 1);
+ refcount_set(&ns->count, 1);
ns->user_ns = get_user_ns(user_ns);
ns->ucounts = ucounts;
@@ -142,7 +142,7 @@ static void free_ipc_ns(struct ipc_namespace *ns)
*/
void put_ipc_ns(struct ipc_namespace *ns)
{
- if (atomic_dec_and_lock(&ns->count, &mq_lock)) {
+ if (refcount_dec_and_lock(&ns->count, &mq_lock)) {
mq_clear_sbinfo(ns);
spin_unlock(&mq_lock);
mq_put_mnt(ns);
--
2.7.4
