[PATCH] shift current_cred() from __f_setown() to f

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] shift current_cred() from __f_setown() to f_modown()
       [not found]       ` <alpine.LFD.2.01.0906161224110.3282@localhost.localdomain>
@ 2009-06-16 20:07         ` Oleg Nesterov
  2009-06-16 20:17           ` David Howells
                             ` (2 more replies)
       [not found]         ` <20090616204941.GB28663@redhat.com>
  1 sibling, 3 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 20:07 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
	linux-kernel

Shift current_cred() from __f_setown() to f_modown(). This reduces
the number of arguments and saves 48 bytes from fs/fcntl.o.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>

--- a/fs/fcntl.c~f_modown	2009-04-06 00:03:41.000000000 +0200
+++ b/fs/fcntl.c	2009-06-16 21:41:18.000000000 +0200
@@ -196,15 +196,19 @@ static int setfl(int fd, struct file * f
 }
 
 static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
-                     uid_t uid, uid_t euid, int force)
+                     int force)
 {
 	write_lock_irq(&filp->f_owner.lock);
 	if (force || !filp->f_owner.pid) {
 		put_pid(filp->f_owner.pid);
 		filp->f_owner.pid = get_pid(pid);
 		filp->f_owner.pid_type = type;
-		filp->f_owner.uid = uid;
-		filp->f_owner.euid = euid;
+
+		if (pid) {
+			const struct cred *cred = current_cred();
+			filp->f_owner.uid = cred->uid;
+			filp->f_owner.euid = cred->euid;
+		}
 	}
 	write_unlock_irq(&filp->f_owner.lock);
 }
@@ -212,14 +216,13 @@ static void f_modown(struct file *filp, 
 int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
 		int force)
 {
-	const struct cred *cred = current_cred();
 	int err;
-	
+
 	err = security_file_set_fowner(filp);
 	if (err)
 		return err;
 
-	f_modown(filp, pid, type, cred->uid, cred->euid, force);
+	f_modown(filp, pid, type, force);
 	return 0;
 }
 EXPORT_SYMBOL(__f_setown);
@@ -245,7 +248,7 @@ EXPORT_SYMBOL(f_setown);
 
 void f_delown(struct file *filp)
 {
-	f_modown(filp, NULL, PIDTYPE_PID, 0, 0, 1);
+	f_modown(filp, NULL, PIDTYPE_PID, 1);
 }
 
 pid_t f_getown(struct file *filp)


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
  2009-06-16 20:07         ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
@ 2009-06-16 20:17           ` David Howells
  2009-06-16 20:21           ` Linus Torvalds
  2009-06-16 22:56           ` James Morris
  2 siblings, 0 replies; 8+ messages in thread
From: David Howells @ 2009-06-16 20:17 UTC (permalink / raw)
  To: Oleg Nesterov
  Cc: dhowells, Linus Torvalds, Eugene Teo, James Morris,
	Roland McGrath, solar, linux-kernel

Oleg Nesterov <oleg@redhat.com> wrote:

> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.
> 
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

Acked-by: David Howells <dhowells@redhat.com>

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
  2009-06-16 20:07         ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
  2009-06-16 20:17           ` David Howells
@ 2009-06-16 20:21           ` Linus Torvalds
  2009-06-16 21:00             ` Oleg Nesterov
  2009-06-16 22:56           ` James Morris
  2 siblings, 1 reply; 8+ messages in thread
From: Linus Torvalds @ 2009-06-16 20:21 UTC (permalink / raw)
  To: Oleg Nesterov
  Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
	linux-kernel



On Tue, 16 Jun 2009, Oleg Nesterov wrote:
>
> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.

Ok, I know I asked for this, but now I suddenly start worrying about 
whether f_owner.uid/euid are initialized at all for the pid==NULL case?

They used to be initialized to zero, now they are left alone. Are they 
initialized somewhere else earlier?

		Linus

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
  2009-06-16 20:21           ` Linus Torvalds
@ 2009-06-16 21:00             ` Oleg Nesterov
  0 siblings, 0 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 21:00 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
	linux-kernel

On 06/16, Linus Torvalds wrote:
>
>
> On Tue, 16 Jun 2009, Oleg Nesterov wrote:
> >
> > Shift current_cred() from __f_setown() to f_modown(). This reduces
> > the number of arguments and saves 48 bytes from fs/fcntl.o.
>
> Ok, I know I asked for this, but now I suddenly start worrying about
> whether f_owner.uid/euid are initialized at all for the pid==NULL case?
>
> They used to be initialized to zero, now they are left alone. Are they
> initialized somewhere else earlier?

I think this is fine, but I should have mentioned this in the changelog.

If f_owner.pid == NULL we never use f_owner.uid/euid. Otherwise we have
a bug anyway: we must not send signals if pid was reset to NULL.

Oleg.


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] shift current_cred() from __f_setown() to f_modown()
  2009-06-16 20:07         ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
  2009-06-16 20:17           ` David Howells
  2009-06-16 20:21           ` Linus Torvalds
@ 2009-06-16 22:56           ` James Morris
  2 siblings, 0 replies; 8+ messages in thread
From: James Morris @ 2009-06-16 22:56 UTC (permalink / raw)
  To: Oleg Nesterov
  Cc: Linus Torvalds, David Howells, Eugene Teo, Roland McGrath, solar,
	linux-kernel

On Tue, 16 Jun 2009, Oleg Nesterov wrote:

> Shift current_cred() from __f_setown() to f_modown(). This reduces
> the number of arguments and saves 48 bytes from fs/fcntl.o.
> 
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

Reviewed-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <20090616204941.GB28663@redhat.com>]

[parent not found: <alpine.LFD.2.01.0906161433270.16802@localhost.localdomain>]

[parent not found: <20090616215103.GA4853@redhat.com>]

* [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
       [not found]             ` <20090616215103.GA4853@redhat.com>
@ 2009-06-16 22:27               ` Oleg Nesterov
  2009-06-16 23:00                 ` James Morris
  2009-06-16 23:10                 ` David Howells
  0 siblings, 2 replies; 8+ messages in thread
From: Oleg Nesterov @ 2009-06-16 22:27 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: David Howells, Eugene Teo, James Morris, Roland McGrath, solar,
	linux-kernel

send_sigio_to_task() reads fown->signum several times, we can race with
F_SETSIG which changes ->signum lockless. In theory, this can fool security
checks or we can call group_send_sig_info() with the wrong ->si_signo which
does not match "int sig".

Change the code to cache ->signum.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>

--- a/fs/fcntl.c~signum	2009-06-16 21:41:18.000000000 +0200
+++ b/fs/fcntl.c	2009-06-17 00:11:38.000000000 +0200
@@ -426,14 +426,20 @@ static inline int sigio_perm(struct task
 }
 
 static void send_sigio_to_task(struct task_struct *p,
-			       struct fown_struct *fown, 
+			       struct fown_struct *fown,
 			       int fd,
 			       int reason)
 {
-	if (!sigio_perm(p, fown, fown->signum))
+	/*
+	 * F_SETSIG can change ->signum lockless in parallel, make
+	 * sure we read it once and use the same value throughout.
+	 */
+	int signum = ACCESS_ONCE(fown->signum);
+
+	if (!sigio_perm(p, fown, signum))
 		return;
 
-	switch (fown->signum) {
+	switch (signum) {
 		siginfo_t si;
 		default:
 			/* Queue a rt signal with the appropriate fd as its
@@ -442,7 +448,7 @@ static void send_sigio_to_task(struct ta
 			   delivered even if we can't queue.  Failure to
 			   queue in this case _should_ be reported; we fall
 			   back to SIGIO in that case. --sct */
-			si.si_signo = fown->signum;
+			si.si_signo = signum;
 			si.si_errno = 0;
 		        si.si_code  = reason;
 			/* Make sure we are called with one of the POLL_*
@@ -454,7 +460,7 @@ static void send_sigio_to_task(struct ta
 			else
 				si.si_band = band_table[reason - POLL_IN];
 			si.si_fd    = fd;
-			if (!group_send_sig_info(fown->signum, &si, p))
+			if (!group_send_sig_info(signum, &si, p))
 				break;
 		/* fall-through: fall back on the old plain SIGIO signal */
 		case 0:


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
  2009-06-16 22:27               ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
@ 2009-06-16 23:00                 ` James Morris
  2009-06-16 23:10                 ` David Howells
  1 sibling, 0 replies; 8+ messages in thread
From: James Morris @ 2009-06-16 23:00 UTC (permalink / raw)
  To: Oleg Nesterov
  Cc: Linus Torvalds, David Howells, Eugene Teo, Roland McGrath, solar,
	linux-kernel

On Wed, 17 Jun 2009, Oleg Nesterov wrote:

> send_sigio_to_task() reads fown->signum several times, we can race with
> F_SETSIG which changes ->signum lockless. In theory, this can fool security
> checks or we can call group_send_sig_info() with the wrong ->si_signo which
> does not match "int sig".
> 
> Change the code to cache ->signum.
> 
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

Reviewed-by: James Morris <jmorris@namei.org>


-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] send_sigio_to_task: sanitize the usage of fown->signum
  2009-06-16 22:27               ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
  2009-06-16 23:00                 ` James Morris
@ 2009-06-16 23:10                 ` David Howells
  1 sibling, 0 replies; 8+ messages in thread
From: David Howells @ 2009-06-16 23:10 UTC (permalink / raw)
  To: Oleg Nesterov
  Cc: dhowells, Linus Torvalds, Eugene Teo, James Morris,
	Roland McGrath, solar, linux-kernel

Oleg Nesterov <oleg@redhat.com> wrote:

> send_sigio_to_task() reads fown->signum several times, we can race with
> F_SETSIG which changes ->signum lockless. In theory, this can fool security
> checks or we can call group_send_sig_info() with the wrong ->si_signo which
> does not match "int sig".
> 
> Change the code to cache ->signum.
> 
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

Acked-by: David Howells <dhowells@redhat.com>

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2009-06-16 23:11 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <4A36532E.3050006@redhat.com>
     [not found] ` <20090615174544.GA10467@redhat.com>
     [not found]   ` <4A36E555.80206@redhat.com>
     [not found]     ` <20090616183829.GA10027@redhat.com>
     [not found]       ` <alpine.LFD.2.01.0906161224110.3282@localhost.localdomain>
2009-06-16 20:07         ` [PATCH] shift current_cred() from __f_setown() to f_modown() Oleg Nesterov
2009-06-16 20:17           ` David Howells
2009-06-16 20:21           ` Linus Torvalds
2009-06-16 21:00             ` Oleg Nesterov
2009-06-16 22:56           ` James Morris
     [not found]         ` <20090616204941.GB28663@redhat.com>
     [not found]           ` <alpine.LFD.2.01.0906161433270.16802@localhost.localdomain>
     [not found]             ` <20090616215103.GA4853@redhat.com>
2009-06-16 22:27               ` [PATCH] send_sigio_to_task: sanitize the usage of fown->signum Oleg Nesterov
2009-06-16 23:00                 ` James Morris
2009-06-16 23:10                 ` David Howells

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox