From: Mateusz Guzik <mjguzik@gmail.com>
To: kees@kernel.org, luto@amacapital.net, wad@chromium.org
Cc: linux-kernel@vger.kernel.org, Mateusz Guzik <mjguzik@gmail.com>
Subject: [PATCH] seccomp: avoid the lock trip in seccomp_filter_release in common case
Date: Mon, 10 Feb 2025 22:05:41 +0100 [thread overview]
Message-ID: <20250210210541.867037-1-mjguzik@gmail.com> (raw)
Vast majority of threads don't have any seccomp filters, all while the
lock taken here is shared between all threads in given process and
frequently used.
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
---
Here is a splat from parallel thread creation/destruction within onep
rocess:
bpftrace -e 'kprobe:__pv_queued_spin_lock_slowpath { @[kstack()] = count(); }'
[snip]
@[
__pv_queued_spin_lock_slowpath+5
_raw_spin_lock_irq+42
seccomp_filter_release+32
do_exit+286
__x64_sys_exit+27
x64_sys_call+4703
do_syscall_64+82
entry_SYSCALL_64_after_hwframe+118
]: 475601
@[
__pv_queued_spin_lock_slowpath+5
_raw_spin_lock_irq+42
acct_collect+77
do_exit+1380
__x64_sys_exit+27
x64_sys_call+4703
do_syscall_64+82
entry_SYSCALL_64_after_hwframe+118
]: 478335
@[
__pv_queued_spin_lock_slowpath+5
_raw_spin_lock_irq+42
sigprocmask+106
__x64_sys_rt_sigprocmask+121
do_syscall_64+82
entry_SYSCALL_64_after_hwframe+118
]: 1825572
There are more spots which take the same lock, with seccomp being top 3.
I could not be bothered to bench before/after, but I can do it if you
insist. The fact that this codepath is a factor can be seen above.
This is a minor patch, I'm not going to insist on it.
To my reading seccomp only ever gets populated for current, so this
should be perfectly safe to test on exit without any synchronisation.
This may need a data_race annotation if some tooling decides to protest.
kernel/seccomp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 7bbb408431eb..c839674966e2 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -576,6 +576,9 @@ void seccomp_filter_release(struct task_struct *tsk)
if (WARN_ON((tsk->flags & PF_EXITING) == 0))
return;
+ if (tsk->seccomp.filter == NULL)
+ return;
+
spin_lock_irq(&tsk->sighand->siglock);
orig = tsk->seccomp.filter;
/* Detach task from its filter tree. */
--
2.43.0
next reply other threads:[~2025-02-10 21:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-10 21:05 Mateusz Guzik [this message]
2025-02-10 22:57 ` [PATCH] seccomp: avoid the lock trip in seccomp_filter_release in common case Kees Cook
2025-02-10 23:08 ` Mateusz Guzik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250210210541.867037-1-mjguzik@gmail.com \
--to=mjguzik@gmail.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox