From: Davidlohr Bueso <dave@stgolabs.net>
To: Manfred Spraul <manfred@colorfullife.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
akpm@linux-foundation.org
Subject: Re: [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd
Date: Wed, 21 Sep 2016 15:21:22 -0700 [thread overview]
Message-ID: <20160921222122.GA13358@linux-80c1.suse> (raw)
In-Reply-To: <58c2536e-aebd-e21e-6d78-003dcd10443d@colorfullife.com>
On Sun, 18 Sep 2016, Manfred Spraul wrote:
>>Just as with msgrcv (along with the rest of sysvipc since a few years
>> ago), perform the security checks without holding the ipc object lock.
>Thinking about it: isn't this wrong?
>
>CPU1:
>* msgrcv()
>* ipcperms()
><sleep>
>
>CPU2:
>* msgctl(), change permissions
>** msgctl() returns, new permissions should now be in effect
>* msgsnd(), send secret message
>** msgsnd() returns, new message stored.
>
>CPU1: resumes, receives secret message
Hmm, would this not apply to everything IPC_SET, we do lockless ipcperms()
all over the place.
>Obviously, we could argue that the msgrcv() was already ongoing and
>therefore the old permissions still apply - but then we don't need to
>recheck after sleeping at all.
There is that, and furthermore we make no such guarantees under concurrency.
Another way of looking at it could perhaps be IPC_SET returning EPERM if
there's an unserviced msgrcv -- but I'm not suggesting doing this btw ;)
>
>> This also reduces the hogging of the lock for the entire duration of a
>> sender, as we drop the lock upon every iteration -- and this is
>>exactly
>> why we also check for racing with RMID in the first place.
>
>Which hogging do you mean? The lock is dopped uppon every iteration,
>the schedule() is in the middle.
>Which your patch, the lock are now dropped twice:
>>-
>> for (;;) {
>> struct msg_sender s;
>> err = -EACCES;
>> if (ipcperms(ns, &msq->q_perm, S_IWUGO))
>>- goto out_unlock0;
>>+ goto out_unlock1;
>>+
>>+ ipc_lock_object(&msq->q_perm);
>> /* raced with RMID? */
>> if (!ipc_valid_object(&msq->q_perm)) {
>>@@ -681,6 +681,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
>> goto out_unlock0;
>> }
>>+ ipc_unlock_object(&msq->q_perm);
>> }
>>
>>
>This means the lock is dropped, just for ipcperms().
>This doubles the lock acquire/release cycles.
The effectiveness all depends on the workload and degree of contention. But
I have no problem dropping this patch either, although this is standard for
all things ipc.
Thanks,
Davidlohr
next prev parent reply other threads:[~2016-09-21 22:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 5:10 [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd Manfred Spraul
2016-09-21 22:21 ` Davidlohr Bueso [this message]
2016-09-22 19:42 ` Manfred Spraul
-- strict thread matches above, loose matches on Subject: below --
2016-07-28 23:33 [PATCH 0/5] ipc/msg: Sender/receiver optimizations Davidlohr Bueso
2016-07-28 23:33 ` [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd Davidlohr Bueso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160921222122.GA13358@linux-80c1.suse \
--to=dave@stgolabs.net \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manfred@colorfullife.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox