* [PATCH] shift current_cred() from __f_setown() to f_modown()
[not found] ` <alpine.LFD.2.01.0906161224110.3282@localhost.localdomain>
@ 2009-06-16 20:07 ` Oleg Nesterov
2009-06-16 20:17 ` David Howells
` (2 more replies)
[not found] ` <20090616204941.GB28663@redhat.com>
1 sibling, 3 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 20:07 UTC (permalink / raw)
To: Linus Torvalds
Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
linux-kernel
Shift current_cred() from __f_setown() to f_modown(). This reduces
the number of arguments and saves 48 bytes from fs/fcntl.o.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
--- a/fs/fcntl.c~f_modown 2009-04-06 00:03:41.000000000 +0200
+++ b/fs/fcntl.c 2009-06-16 21:41:18.000000000 +0200
@@ -196,15 +196,19 @@ static int setfl(int fd, struct file * f
}
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
- uid_t uid, uid_t euid, int force)
+ int force)
{
write_lock_irq(&filp->f_owner.lock);
if (force || !filp->f_owner.pid) {
put_pid(filp->f_owner.pid);
filp->f_owner.pid = get_pid(pid);
filp->f_owner.pid_type = type;
- filp->f_owner.uid = uid;
- filp->f_owner.euid = euid;
+
+ if (pid) {
+ const struct cred *cred = current_cred();
+ filp->f_owner.uid = cred->uid;
+ filp->f_owner.euid = cred->euid;
+ }
}
write_unlock_irq(&filp->f_owner.lock);
}
@@ -212,14 +216,13 @@ static void f_modown(struct file *filp,
int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
int force)
{
- const struct cred *cred = current_cred();
int err;
-
+
err = security_file_set_fowner(filp);
if (err)
return err;
- f_modown(filp, pid, type, cred->uid, cred->euid, force);
+ f_modown(filp, pid, type, force);
return 0;
}
EXPORT_SYMBOL(__f_setown);
@@ -245,7 +248,7 @@ EXPORT_SYMBOL(f_setown);
void f_delown(struct file *filp)
{
- f_modown(filp, NULL, PIDTYPE_PID, 0, 0, 1);
+ f_modown(filp, NULL, PIDTYPE_PID, 1);
}
pid_t f_getown(struct file *filp)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
2009-06-16 20:07 ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
@ 2009-06-16 20:17 ` David Howells
2009-06-16 20:21 ` Linus Torvalds
2009-06-16 22:56 ` James Morris
2 siblings, 0 replies; 8+ messages in thread
From: David Howells @ 2009-06-16 20:17 UTC (permalink / raw)
To: Oleg Nesterov
Cc: dhowells, Linus Torvalds, Eugene Teo, James Morris,
Roland McGrath, solar, linux-kernel
Oleg Nesterov <oleg@redhat.com> wrote:
> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
2009-06-16 20:07 ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
2009-06-16 20:17 ` David Howells
@ 2009-06-16 20:21 ` Linus Torvalds
2009-06-16 21:00 ` Oleg Nesterov
2009-06-16 22:56 ` James Morris
2 siblings, 1 reply; 8+ messages in thread
From: Linus Torvalds @ 2009-06-16 20:21 UTC (permalink / raw)
To: Oleg Nesterov
Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
linux-kernel
On Tue, 16 Jun 2009, Oleg Nesterov wrote:
>
> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.
Ok, I know I asked for this, but now I suddenly start worrying about
whether f_owner.uid/euid are initialized at all for the pid==NULL case?
They used to be initialized to zero, now they are left alone. Are they
initialized somewhere else earlier?
Linus
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
2009-06-16 20:21 ` Linus Torvalds
@ 2009-06-16 21:00 ` Oleg Nesterov
0 siblings, 0 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 21:00 UTC (permalink / raw)
To: Linus Torvalds
Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
linux-kernel
On 06/16, Linus Torvalds wrote:
>
>
> On Tue, 16 Jun 2009, Oleg Nesterov wrote:
> >
> > Shift current_cred() from __f_setown() to f_modown(). This reduces
> > the number of arguments and saves 48 bytes from fs/fcntl.o.
>
> Ok, I know I asked for this, but now I suddenly start worrying about
> whether f_owner.uid/euid are initialized at all for the pid==NULL case?
>
> They used to be initialized to zero, now they are left alone. Are they
> initialized somewhere else earlier?
I think this is fine, but I should have mentioned this in the changelog.
If f_owner.pid == NULL we never use f_owner.uid/euid. Otherwise we have
a bug anyway: we must not send signals if pid was reset to NULL.
Oleg.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
[not found] ` <20090616215103.GA4853@redhat.com>
@ 2009-06-16 22:27 ` Oleg Nesterov
2009-06-16 23:00 ` James Morris
2009-06-16 23:10 ` David Howells
0 siblings, 2 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 22:27 UTC (permalink / raw)
To: Linus Torvalds
Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
linux-kernel
send_sigio_to_task() reads fown->signum several times, we can race with
F_SETSIG which changes ->signum lockless. In theory, this can fool security
checks or we can call group_send_sig_info() with the wrong ->si_signo which
does not match "int sig".
Change the code to cache ->signum.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
--- a/fs/fcntl.c~signum 2009-06-16 21:41:18.000000000 +0200
+++ b/fs/fcntl.c 2009-06-17 00:11:38.000000000 +0200
@@ -426,14 +426,20 @@ static inline int sigio_perm(struct task
}
static void send_sigio_to_task(struct task_struct *p,
- struct fown_struct *fown,
+ struct fown_struct *fown,
int fd,
int reason)
{
- if (!sigio_perm(p, fown, fown->signum))
+ /*
+ * F_SETSIG can change ->signum lockless in parallel, make
+ * sure we read it once and use the same value throughout.
+ */
+ int signum = ACCESS_ONCE(fown->signum);
+
+ if (!sigio_perm(p, fown, signum))
return;
- switch (fown->signum) {
+ switch (signum) {
siginfo_t si;
default:
/* Queue a rt signal with the appropriate fd as its
@@ -442,7 +448,7 @@ static void send_sigio_to_task(struct ta
delivered even if we can't queue. Failure to
queue in this case _should_ be reported; we fall
back to SIGIO in that case. --sct */
- si.si_signo = fown->signum;
+ si.si_signo = signum;
si.si_errno = 0;
si.si_code = reason;
/* Make sure we are called with one of the POLL_*
@@ -454,7 +460,7 @@ static void send_sigio_to_task(struct ta
else
si.si_band = band_table[reason - POLL_IN];
si.si_fd = fd;
- if (!group_send_sig_info(fown->signum, &si, p))
+ if (!group_send_sig_info(signum, &si, p))
break;
/* fall-through: fall back on the old plain SIGIO signal */
case 0:
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
2009-06-16 20:07 ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
2009-06-16 20:17 ` David Howells
2009-06-16 20:21 ` Linus Torvalds
@ 2009-06-16 22:56 ` James Morris
2 siblings, 0 replies; 8+ messages in thread
From: James Morris @ 2009-06-16 22:56 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Linus Torvalds, David Howells, Eugene Teo, Roland McGrath, solar,
linux-kernel
On Tue, 16 Jun 2009, Oleg Nesterov wrote:
> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
2009-06-16 22:27 ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
@ 2009-06-16 23:00 ` James Morris
2009-06-16 23:10 ` David Howells
1 sibling, 0 replies; 8+ messages in thread
From: James Morris @ 2009-06-16 23:00 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Linus Torvalds, David Howells, Eugene Teo, Roland McGrath, solar,
linux-kernel
On Wed, 17 Jun 2009, Oleg Nesterov wrote:
> send_sigio_to_task() reads fown->signum several times, we can race with
> F_SETSIG which changes ->signum lockless. In theory, this can fool security
> checks or we can call group_send_sig_info() with the wrong ->si_signo which
> does not match "int sig".
>
> Change the code to cache ->signum.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: James Morris <jmorris@namei.org>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
2009-06-16 22:27 ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
2009-06-16 23:00 ` James Morris
@ 2009-06-16 23:10 ` David Howells
1 sibling, 0 replies; 8+ messages in thread
From: David Howells @ 2009-06-16 23:10 UTC (permalink / raw)
To: Oleg Nesterov
Cc: dhowells, Linus Torvalds, Eugene Teo, James Morris,
Roland McGrath, solar, linux-kernel
Oleg Nesterov <oleg@redhat.com> wrote:
> send_sigio_to_task() reads fown->signum several times, we can race with
> F_SETSIG which changes ->signum lockless. In theory, this can fool security
> checks or we can call group_send_sig_info() with the wrong ->si_signo which
> does not match "int sig".
>
> Change the code to cache ->signum.
>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: David Howells <dhowells@redhat.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2009-06-16 23:11 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <4A36532E.3050006@redhat.com>
[not found] ` <20090615174544.GA10467@redhat.com>
[not found] ` <4A36E555.80206@redhat.com>
[not found] ` <20090616183829.GA10027@redhat.com>
[not found] ` <alpine.LFD.2.01.0906161224110.3282@localhost.localdomain>
2009-06-16 20:07 ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
2009-06-16 20:17 ` David Howells
2009-06-16 20:21 ` Linus Torvalds
2009-06-16 21:00 ` Oleg Nesterov
2009-06-16 22:56 ` James Morris
[not found] ` <20090616204941.GB28663@redhat.com>
[not found] ` <alpine.LFD.2.01.0906161433270.16802@localhost.localdomain>
[not found] ` <20090616215103.GA4853@redhat.com>
2009-06-16 22:27 ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
2009-06-16 23:00 ` James Morris
2009-06-16 23:10 ` David Howells
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox