From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
mathew.j.martineau@linux.intel.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH v4 2/2] IMA: Call workqueue functions to measure queued keys
Date: Wed, 18 Dec 2019 02:01:39 +0000 [thread overview]
Message-ID: <1576634499.14900.10.camel@HansenPartnership.com> (raw)
In-Reply-To: <152580f3-2a1f-fa33-cc25-f25747a470a5@linux.microsoft.com>
On Tue, 2019-12-17 at 14:22 -0800, Lakshmi Ramasubramanian wrote:
> Hi James,
>
> > > >
> > > > This is the problem: in the race case you may still be adding
> > > > keys to
> > > > the queue after the other thread has processed it. Those keys
> > > > won't get
> > > > processed because the flag is now false in the post check so
> > > > the
> > > > current thread won't process them either.
> > > >
> > > > James
> > > >
>
> Please let me know if you still think there is a race condition.
>
> If yes, please explain how a key would be added to the queue after
> ima_process_queued_keys() has processed queued keys.
> ima_process_keys flag will be true when queued keys have been
> processed.
This code is confusing me:
+ /*
+ * To avoid holding the mutex when processing queued keys,
+ * transfer the queued keys with the mutex held to a temp list,
+ * release the mutex, and then process the queued keys from
+ * the temp list.
+ *
+ * Since ima_process_keys is set to true, any new key will be
+ * processed immediately and not be queued.
+ */
+ INIT_LIST_HEAD(&temp_ima_keys);
+
+ mutex_lock(&ima_keys_mutex);
+
+ if (!ima_process_keys) {
+ ima_process_keys = true;
+
+ if (!list_empty(&ima_keys)) {
+ list_for_each_entry_safe(entry, tmp, &ima_keys, list)
+ list_move_tail(&entry->list, &temp_ima_keys);
+ process = true;
+ }
+ }
+
+ mutex_unlock(&ima_keys_mutex);
+
+ if (!process)
+ return;
+
+ list_for_each_entry_safe(entry, tmp, &temp_ima_keys, list) {
+ process_buffer_measurement(entry->payload, entry->payload_len,
+ entry->keyring_name, KEY_CHECK, 0,
+ entry->keyring_name);
+ list_del(&entry->list);
+ ima_free_key_entry(entry);
+ }
+}
+
The direct implication of the comment and the lock dance with the
temporary list and the processed flag is that stuff can be added to the
ima_keys list after you drop the mutex. Your explanation in the prior
couple of emails says that nothing can be added because the
ima_process_keys flag setting prevents it. If the latter is true, you
can simply drop the lock after setting the flag and rely on ima_keys
not changing to run it through process_buffer_measurement without
needing any of the intermediate list or the processed flag. If the
latter isn't true then any key added to ima_keys after the mutex is
dropped is never processed.
James
WARNING: multiple messages have this Message-ID (diff)
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
mathew.j.martineau@linux.intel.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH v4 2/2] IMA: Call workqueue functions to measure queued keys
Date: Wed, 18 Dec 2019 11:01:39 +0900 [thread overview]
Message-ID: <1576634499.14900.10.camel@HansenPartnership.com> (raw)
In-Reply-To: <152580f3-2a1f-fa33-cc25-f25747a470a5@linux.microsoft.com>
On Tue, 2019-12-17 at 14:22 -0800, Lakshmi Ramasubramanian wrote:
> Hi James,
>
> > > >
> > > > This is the problem: in the race case you may still be adding
> > > > keys to
> > > > the queue after the other thread has processed it. Those keys
> > > > won't get
> > > > processed because the flag is now false in the post check so
> > > > the
> > > > current thread won't process them either.
> > > >
> > > > James
> > > >
>
> Please let me know if you still think there is a race condition.
>
> If yes, please explain how a key would be added to the queue after
> ima_process_queued_keys() has processed queued keys.
> ima_process_keys flag will be true when queued keys have been
> processed.
This code is confusing me:
+ /*
+ * To avoid holding the mutex when processing queued keys,
+ * transfer the queued keys with the mutex held to a temp list,
+ * release the mutex, and then process the queued keys from
+ * the temp list.
+ *
+ * Since ima_process_keys is set to true, any new key will be
+ * processed immediately and not be queued.
+ */
+ INIT_LIST_HEAD(&temp_ima_keys);
+
+ mutex_lock(&ima_keys_mutex);
+
+ if (!ima_process_keys) {
+ ima_process_keys = true;
+
+ if (!list_empty(&ima_keys)) {
+ list_for_each_entry_safe(entry, tmp, &ima_keys, list)
+ list_move_tail(&entry->list, &temp_ima_keys);
+ process = true;
+ }
+ }
+
+ mutex_unlock(&ima_keys_mutex);
+
+ if (!process)
+ return;
+
+ list_for_each_entry_safe(entry, tmp, &temp_ima_keys, list) {
+ process_buffer_measurement(entry->payload, entry->payload_len,
+ entry->keyring_name, KEY_CHECK, 0,
+ entry->keyring_name);
+ list_del(&entry->list);
+ ima_free_key_entry(entry);
+ }
+}
+
The direct implication of the comment and the lock dance with the
temporary list and the processed flag is that stuff can be added to the
ima_keys list after you drop the mutex. Your explanation in the prior
couple of emails says that nothing can be added because the
ima_process_keys flag setting prevents it. If the latter is true, you
can simply drop the lock after setting the flag and rely on ima_keys
not changing to run it through process_buffer_measurement without
needing any of the intermediate list or the processed flag. If the
latter isn't true then any key added to ima_keys after the mutex is
dropped is never processed.
James
next prev parent reply other threads:[~2019-12-18 2:01 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-13 17:18 [PATCH v4 0/2] IMA: Deferred measurement of keys Lakshmi Ramasubramanian
2019-12-13 17:18 ` Lakshmi Ramasubramanian
2019-12-13 17:18 ` [PATCH v4 1/2] IMA: Define workqueue for early boot "key" measurements Lakshmi Ramasubramanian
2019-12-13 17:18 ` Lakshmi Ramasubramanian
2019-12-16 12:30 ` Mimi Zohar
2019-12-16 12:30 ` Mimi Zohar
2019-12-16 23:44 ` Lakshmi Ramasubramanian
2019-12-16 23:44 ` Lakshmi Ramasubramanian
2019-12-17 10:54 ` Mimi Zohar
2019-12-17 10:54 ` Mimi Zohar
2019-12-13 17:18 ` [PATCH v4 2/2] IMA: Call workqueue functions to measure queued keys Lakshmi Ramasubramanian
2019-12-13 17:18 ` Lakshmi Ramasubramanian
2019-12-13 17:25 ` James Bottomley
2019-12-13 17:25 ` James Bottomley
2019-12-13 17:31 ` Lakshmi Ramasubramanian
2019-12-13 17:31 ` Lakshmi Ramasubramanian
2019-12-15 15:22 ` James Bottomley
2019-12-15 15:22 ` James Bottomley
2019-12-16 1:12 ` Lakshmi Ramasubramanian
2019-12-16 1:12 ` Lakshmi Ramasubramanian
2019-12-16 6:53 ` James Bottomley
2019-12-16 6:53 ` James Bottomley
2019-12-16 13:05 ` Mimi Zohar
2019-12-16 13:05 ` Mimi Zohar
2019-12-16 19:20 ` Lakshmi Ramasubramanian
2019-12-16 19:20 ` Lakshmi Ramasubramanian
2019-12-16 21:17 ` James Bottomley
2019-12-16 21:17 ` James Bottomley
2019-12-16 21:37 ` Lakshmi Ramasubramanian
2019-12-16 21:37 ` Lakshmi Ramasubramanian
2019-12-16 21:52 ` Lakshmi Ramasubramanian
2019-12-16 21:52 ` Lakshmi Ramasubramanian
2019-12-17 22:22 ` Lakshmi Ramasubramanian
2019-12-17 22:22 ` Lakshmi Ramasubramanian
2019-12-18 2:01 ` James Bottomley [this message]
2019-12-18 2:01 ` James Bottomley
2019-12-18 2:44 ` Lakshmi Ramasubramanian
2019-12-18 2:44 ` Lakshmi Ramasubramanian
2019-12-18 2:59 ` Lakshmi Ramasubramanian
2019-12-18 3:00 ` Lakshmi Ramasubramanian
2019-12-18 3:24 ` James Bottomley
2019-12-18 3:24 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1576634499.14900.10.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=dhowells@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=matthewgarrett@google.com \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.