From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-arch <linux-arch@vger.kernel.org>,
linux-mips@linux-mips.org, Will Drewry <wad@chromium.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Daniel Borkmann <dborkman@redhat.com>,
Julien Tinnes <jln@chromium.org>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
David Drysdale <drysdale@google.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Alexei Starovoitov <ast@plumgrid.com>
Subject: Re: [PATCH v9 09/11] seccomp: introduce writer locking
Date: Thu, 10 Jul 2014 19:35:52 +0200 [thread overview]
Message-ID: <20140710173552.GA27410@redhat.com> (raw)
In-Reply-To: <CAGXu5jKNUn0OcXPyTmqbHwQ_GPMNTeajyrxpd2xAtzjTRFyhpg@mail.gmail.com>
On 07/10, Kees Cook wrote:
>
> On Thu, Jul 10, 2014 at 8:24 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > Just to simplify. Suppose TIF_SECCOMP was set a long ago. This thread
> > has a single filter F1 and it enters seccomp_run_filters().
> >
> > Right before it does ACCESS_ONCE() to read the pointer, another thread
> > does seccomp_sync_threads() and sets .filter = F2.
> >
> > If ACCESS_ONCE() returns F1 - everything is fine. But it can see the new
> > pointer F2, and in this case we need a barrier to ensure that, say,
> > LOAD(F2->prog) will see all the preceding changes in this memory.
>
> And the rmb() isn't sufficient for that?
But it has no effect if the pointer was changed _after_ rmb() was already
called.
And, you need a barrier _after_ ACCESS_ONCE().
(Unless, again, we know that this is the first filter, but this is only
by accident).
> Is another barrier needed
> before assigning the filter pointer to make sure the contents it
> points to are flushed?
I think smp_store_release() should be moved from seccomp_attach_filter()
to seccomp_sync_threads(). Although probably it _should_ work either way,
but at least this looks confusing because a) "current" doesn't need a
barrier to serialize wuth itself, and b) it is not clear why it is safe
to change the pointer dereferenced by another thread without a barrier.
> What's the least time-consuming operation I can use in run_filters?
As I said smp_read_barrier_depends() (nop unless alpha) or
smp_load_acquire() which you used in the previous version.
And to remind, afaics smp_load_acquire() in put_filter() should die ;)
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v9 09/11] seccomp: introduce writer locking
Date: Thu, 10 Jul 2014 19:35:52 +0200 [thread overview]
Message-ID: <20140710173552.GA27410@redhat.com> (raw)
In-Reply-To: <CAGXu5jKNUn0OcXPyTmqbHwQ_GPMNTeajyrxpd2xAtzjTRFyhpg@mail.gmail.com>
On 07/10, Kees Cook wrote:
>
> On Thu, Jul 10, 2014 at 8:24 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > Just to simplify. Suppose TIF_SECCOMP was set a long ago. This thread
> > has a single filter F1 and it enters seccomp_run_filters().
> >
> > Right before it does ACCESS_ONCE() to read the pointer, another thread
> > does seccomp_sync_threads() and sets .filter = F2.
> >
> > If ACCESS_ONCE() returns F1 - everything is fine. But it can see the new
> > pointer F2, and in this case we need a barrier to ensure that, say,
> > LOAD(F2->prog) will see all the preceding changes in this memory.
>
> And the rmb() isn't sufficient for that?
But it has no effect if the pointer was changed _after_ rmb() was already
called.
And, you need a barrier _after_ ACCESS_ONCE().
(Unless, again, we know that this is the first filter, but this is only
by accident).
> Is another barrier needed
> before assigning the filter pointer to make sure the contents it
> points to are flushed?
I think smp_store_release() should be moved from seccomp_attach_filter()
to seccomp_sync_threads(). Although probably it _should_ work either way,
but at least this looks confusing because a) "current" doesn't need a
barrier to serialize wuth itself, and b) it is not clear why it is safe
to change the pointer dereferenced by another thread without a barrier.
> What's the least time-consuming operation I can use in run_filters?
As I said smp_read_barrier_depends() (nop unless alpha) or
smp_load_acquire() which you used in the previous version.
And to remind, afaics smp_load_acquire() in put_filter() should die ;)
Oleg.
next prev parent reply other threads:[~2014-07-10 17:35 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-27 23:22 [PATCH v9 0/11] seccomp: add thread sync ability Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 01/11] seccomp: create internal mode-setting function Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 02/11] seccomp: extract check/assign mode helpers Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 03/11] seccomp: split mode setting routines Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 04/11] seccomp: add "seccomp" syscall Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 05/11] ARM: add seccomp syscall Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 06/11] MIPS: " Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 07/11] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 08/11] seccomp: split filter prep from check and apply Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` [PATCH v9 09/11] seccomp: introduce writer locking Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-07-09 18:42 ` Oleg Nesterov
2014-07-09 18:42 ` Oleg Nesterov
2014-07-09 18:55 ` Oleg Nesterov
2014-07-09 18:55 ` Oleg Nesterov
2014-07-10 9:25 ` Kees Cook
2014-07-10 9:25 ` Kees Cook
2014-07-10 15:24 ` Oleg Nesterov
2014-07-10 15:24 ` Oleg Nesterov
2014-07-10 16:54 ` Kees Cook
2014-07-10 16:54 ` Kees Cook
2014-07-10 17:35 ` Oleg Nesterov [this message]
2014-07-10 17:35 ` Oleg Nesterov
2014-07-09 18:59 ` Oleg Nesterov
2014-07-09 18:59 ` Oleg Nesterov
2014-06-27 23:22 ` [PATCH v9 10/11] seccomp: allow mode setting across threads Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:22 ` Kees Cook
2014-06-27 23:23 ` [PATCH v9 11/11] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-27 23:23 ` Kees Cook
2014-06-27 23:23 ` Kees Cook
2014-07-09 18:05 ` Oleg Nesterov
2014-07-09 18:05 ` Oleg Nesterov
2014-07-10 9:17 ` Kees Cook
2014-07-10 9:17 ` Kees Cook
2014-07-10 15:08 ` Oleg Nesterov
2014-07-10 15:08 ` Oleg Nesterov
[not found] ` <20140710150832.GA20861-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-07-10 16:03 ` Kees Cook
2014-07-10 16:03 ` Kees Cook
2014-07-10 16:03 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140710173552.GA27410@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.