Re: [PATCH 4/4] refcount: Report failures through CHECK_DATA_CORRUPTION
From: Kees Cook
Date: Sun Feb 05 2017 - 18:33:49 EST
On Sun, Feb 5, 2017 at 7:40 AM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> On Fri, Feb 03, 2017 at 03:26:52PM -0800, Kees Cook wrote:
>> This converts from WARN_ON() to CHECK_DATA_CORRUPTION() in the
>> CONFIG_DEBUG_REFCOUNT case. Additionally moves refcount_t sanity check
>> conditionals into regular function flow. Since CHECK_DATA_CORRUPTION()
>> is marked __much_check, we override few cases where the failure has
>> already been handled but we want to explicitly report it.
>>
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> ---
>> include/linux/refcount.h | 35 ++++++++++++++++++++++-------------
>> lib/Kconfig.debug | 2 ++
>> 2 files changed, 24 insertions(+), 13 deletions(-)
>>
>> diff --git a/include/linux/refcount.h b/include/linux/refcount.h
>> index 5b89cad62237..ef32910c7dd8 100644
>> --- a/include/linux/refcount.h
>> +++ b/include/linux/refcount.h
>> @@ -43,10 +43,10 @@
>> #include <linux/spinlock.h>
>>
>> #if CONFIG_DEBUG_REFCOUNT
>> -#define REFCOUNT_WARN(cond, str) WARN_ON(cond)
>> +#define REFCOUNT_CHECK(cond, str) CHECK_DATA_CORRUPTION(cond, str)
>
> OK, so that goes back to a full WARN() which will make the generated
> code gigantic due to the whole printk() trainwreck :/
Hrm, perhaps we need three levels? WARN_ON, WARN, and BUG?
-Kees
--
Kees Cook
Pixel Security