From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v7 3/9] seccomp: introduce writer locking
Date: Tue, 24 Jun 2014 20:30:24 +0200 [thread overview]
Message-ID: <20140624183024.GA1258@redhat.com> (raw)
In-Reply-To: <1403560693-21809-4-git-send-email-keescook@chromium.org>
I am puzzled by the usage of smp_load_acquire(),
On 06/23, Kees Cook wrote:
>
> static u32 seccomp_run_filters(int syscall)
> {
> - struct seccomp_filter *f;
> + struct seccomp_filter *f = smp_load_acquire(¤t->seccomp.filter);
> struct seccomp_data sd;
> u32 ret = SECCOMP_RET_ALLOW;
>
> /* Ensure unexpected behavior doesn't result in failing open. */
> - if (WARN_ON(current->seccomp.filter == NULL))
> + if (WARN_ON(f == NULL))
> return SECCOMP_RET_KILL;
>
> populate_seccomp_data(&sd);
> @@ -186,9 +186,8 @@ static u32 seccomp_run_filters(int syscall)
> * All filters in the list are evaluated and the lowest BPF return
> * value always takes priority (ignoring the DATA).
> */
> - for (f = current->seccomp.filter; f; f = f->prev) {
> + for (; f; f = smp_load_acquire(&f->prev)) {
> u32 cur_ret = SK_RUN_FILTER(f->prog, (void *)&sd);
> -
> if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
> ret = cur_ret;
OK, in this case the 1st one is probably fine, altgough it is not
clear to me why it is better than read_barrier_depends().
But why do we need a 2nd one inside the loop? And if we actually need
it (I don't think so) then why it is safe to use f->prog without
load_acquire ?
> void get_seccomp_filter(struct task_struct *tsk)
> {
> - struct seccomp_filter *orig = tsk->seccomp.filter;
> + struct seccomp_filter *orig = smp_load_acquire(&tsk->seccomp.filter);
> if (!orig)
> return;
This one looks unneeded.
First of all, afaics atomic_inc() should work correctly without any barriers,
otherwise it is buggy. But even this doesn't matter.
With this changes get_seccomp_filter() must be called under ->siglock, it can't
race with add-filter and thus tsk->seccomp.filter should be stable.
> /* Reference count is bounded by the number of total processes. */
> @@ -361,7 +364,7 @@ void put_seccomp_filter(struct task_struct *tsk)
> /* Clean up single-reference branches iteratively. */
> while (orig && atomic_dec_and_test(&orig->usage)) {
> struct seccomp_filter *freeme = orig;
> - orig = orig->prev;
> + orig = smp_load_acquire(&orig->prev);
> seccomp_filter_free(freeme);
> }
This one looks unneeded too. And note that this patch does not add
smp_load_acquire() to read tsk->seccomp.filter.
atomic_dec_and_test() adds mb(), we do not need more barriers to access
->prev ?
Oleg.
next prev parent reply other threads:[~2014-06-24 18:30 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-23 21:58 [PATCH v7 0/9] seccomp: add thread sync ability Kees Cook
2014-06-23 21:58 ` [PATCH v7 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-23 21:58 ` [PATCH v7 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-26 12:37 ` David Drysdale
2014-06-27 18:45 ` Kees Cook
2014-06-23 21:58 ` [PATCH v7 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 16:52 ` Oleg Nesterov
2014-06-24 18:02 ` Kees Cook
2014-06-24 18:35 ` Oleg Nesterov
2014-06-24 20:26 ` Kees Cook
2014-06-24 18:30 ` Oleg Nesterov [this message]
2014-06-24 19:46 ` Kees Cook
2014-06-23 21:58 ` [PATCH v7 4/9] seccomp: move no_new_privs into seccomp Kees Cook
2014-06-24 19:18 ` Oleg Nesterov
2014-06-24 19:20 ` Andy Lutomirski
2014-06-24 19:30 ` Oleg Nesterov
2014-06-24 19:34 ` Andy Lutomirski
2014-06-24 19:50 ` Kees Cook
2014-06-24 19:51 ` Andy Lutomirski
2014-06-23 21:58 ` [PATCH v7 5/9] seccomp: split mode set routines Kees Cook
2014-06-23 21:58 ` [PATCH v7 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-23 21:58 ` [PATCH v7 7/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 17:08 ` Oleg Nesterov
2014-06-24 18:19 ` Kees Cook
2014-06-24 17:27 ` Oleg Nesterov
2014-06-24 18:05 ` Kees Cook
2014-06-24 18:37 ` Oleg Nesterov
2014-06-24 19:08 ` Kees Cook
2014-06-23 21:58 ` [PATCH v7 8/9] ARM: add seccomp syscall Kees Cook
2014-06-23 21:58 ` [PATCH v7 9/9] MIPS: " Kees Cook
2014-06-23 22:01 ` [PATCH v7 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 10:23 ` Michael Kerrisk (man-pages)
2014-06-24 16:43 ` Kees Cook
2014-06-24 17:48 ` [PATCH v7.1 " Kees Cook
2014-06-24 18:06 ` [PATCH v7 " Andy Lutomirski
2014-06-24 19:18 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140624183024.GA1258@redhat.com \
--to=oleg@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).