From: Manfred Spraul <manfred@colorfullife.com>
To: Davidlohr Bueso <dave@stgolabs.net>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd
Date: Sun, 18 Sep 2016 07:10:45 +0200 [thread overview]
Message-ID: <58c2536e-aebd-e21e-6d78-003dcd10443d@colorfullife.com> (raw)
Hi Davidlohr,
> Just as with msgrcv (along with the rest of sysvipc since a few years
> ago), perform the security checks without holding the ipc object lock.
Thinking about it: isn't this wrong?
CPU1:
* msgrcv()
* ipcperms()
<sleep>
CPU2:
* msgctl(), change permissions
** msgctl() returns, new permissions should now be in effect
* msgsnd(), send secret message
** msgsnd() returns, new message stored.
CPU1: resumes, receives secret message
Obviously, we could argue that the msgrcv() was already ongoing and
therefore the old permissions still apply - but then we don't need to
recheck after sleeping at all.
> This also reduces the hogging of the lock for the entire duration of a
> sender, as we drop the lock upon every iteration -- and this is
> exactly
> why we also check for racing with RMID in the first place.
Which hogging do you mean? The lock is dopped uppon every iteration, the
schedule() is in the middle.
Which your patch, the lock are now dropped twice:
> -
> for (;;) {
> struct msg_sender s;
>
> err = -EACCES;
> if (ipcperms(ns, &msq->q_perm, S_IWUGO))
> - goto out_unlock0;
> + goto out_unlock1;
> +
> + ipc_lock_object(&msq->q_perm);
>
> /* raced with RMID? */
> if (!ipc_valid_object(&msq->q_perm)) {
> @@ -681,6 +681,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
> goto out_unlock0;
> }
>
> + ipc_unlock_object(&msq->q_perm);
> }
>
>
This means the lock is dropped, just for ipcperms().
This doubles the lock acquire/release cycles.
--
Manfred
next reply other threads:[~2016-09-18 5:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-18 5:10 Manfred Spraul [this message]
2016-09-21 22:21 ` [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd Davidlohr Bueso
2016-09-22 19:42 ` Manfred Spraul
-- strict thread matches above, loose matches on Subject: below --
2016-07-28 23:33 [PATCH 0/5] ipc/msg: Sender/receiver optimizations Davidlohr Bueso
2016-07-28 23:33 ` [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd Davidlohr Bueso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58c2536e-aebd-e21e-6d78-003dcd10443d@colorfullife.com \
--to=manfred@colorfullife.com \
--cc=dave@stgolabs.net \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.