Message-ID: <1516205656.6979.7.camel@tycho.nsa.gov>
Subject: Re: [PATCH] selinux:Significant reduce of preempt_disable holds
From: Stephen Smalley
To: peter.enderborg@sony.com, Paul Moore, Eric Paris, James Morris, Daniel Jurgens, Doug Ledford, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar, alsa-devel@alsa-project.org, "Serge E. Hallyn"
Date: Wed, 17 Jan 2018 11:14:16 -0500
In-Reply-To: <20180117145551.4961-1-peter.enderborg@sony.com>
Organization: National Security Agency
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-01-17 at 15:55 +0100, peter.enderborg@sony.com wrote:
> From: Peter Enderborg
>
> Holding the preempt_disable is very bad for low latency tasks
> as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a rwsem instead of rwlock we
> have an efficient locking and less preemption interference.
>
> Selinux uses a lot of read_locks. This patch replaces the rwlock
> with rwsem/percpu_down_read() that does not hold preempt_disable.

Many of these functions are called while holding spinlocks, and some of
them are called from interrupt. Unless I misunderstand, you can't just
replace read_lock() with percpu_down_read(), which might sleep.

What you might be able to do is to convert the whole thing to RCU, but
this would require reworking how policy booleans are changed and how
policy is reloaded.

You might also try increasing your AVC size via
/sys/fs/selinux/avc/cache_threshold to reduce cache misses and thus
calls to security_compute_av().

>
> Intel Xeon W3520 2.67 Ghz running FC27 with 4.15.0-rc8git
> (+measurement)
> I get preempt_disable in worst case for 1.2ms in
> security_compute_av().
> With the patch I get 960us as the longest security_compute_av()
> without preempt disabled. It very much noise in the measurement
> but it is not likely a degrade.
>
> And the preempt_disable times is also very dependent on the selinux
> rule-set.
>
> In security_get_user_sids() we have two nested for-loops and the
> inner part calls sidtab_context_to_sid() that calls
> sidtab_search_context() that has a for loop() over a while() where
> the loops is dependent on the rules.
>
> On the test system the average lookup time is 60us and does
> not change with the rwsem usage.
>
> Reported-by: Björn Davidsson
> Signed-off-by: Peter Enderborg
> --- >  security/selinux/ss/services.c | 134 ++++++++++++++++++++----------- > ---------- >  1 file changed, 67 insertions(+), 67 deletions(-) > > diff --git a/security/selinux/ss/services.c > b/security/selinux/ss/services.c > index 33cfe5d..a3daaf2 100644
> --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -87,7 +87,7 @@ int selinux_policycap_alwaysnetwork; >  int selinux_policycap_cgroupseclabel; >  int selinux_policycap_nnp_nosuid_transition; >   > -static DEFINE_RWLOCK(policy_rwlock); > +DEFINE_STATIC_PERCPU_RWSEM(policy_rwsem); >   >  static struct sidtab sidtab; >  struct policydb policydb; > @@ -779,7 +779,7 @@ static int security_compute_validatetrans(u32 > oldsid, u32 newsid, u32 tasksid, >   if (!ss_initialized) >   return 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   if (!user) >   tclass = unmap_class(orig_tclass); > @@ -833,7 +833,7 @@ static int security_compute_validatetrans(u32 > oldsid, u32 newsid, u32 tasksid, >   } >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -867,7 +867,7 @@ int security_bounded_transition(u32 old_sid, u32 > new_sid) >   int index; >   int rc; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -EINVAL; >   old_context = sidtab_search(&sidtab, old_sid); > @@ -929,7 +929,7 @@ int security_bounded_transition(u32 old_sid, u32 > new_sid) >   kfree(old_name); >   } >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   >   return rc; >  } > @@ -1017,7 +1017,7 @@ void security_compute_xperms_decision(u32 ssid, >   memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow- > >p)); >   memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit- > >p)); >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   if (!ss_initialized) >   goto allow; >   > @@ -1070,7 +1070,7 @@ void security_compute_xperms_decision(u32 ssid, >   } >   } >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return; >  allow: >   memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed- > >p)); 
> @@ -1097,7 +1097,7 @@ void security_compute_av(u32 ssid, >   u16 tclass; >   struct context *scontext = NULL, *tcontext = NULL; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   avd_init(avd); >   xperms->len = 0; >   if (!ss_initialized) > @@ -1130,7 +1130,7 @@ void security_compute_av(u32 ssid, >   context_struct_compute_av(scontext, tcontext, tclass, avd, > xperms); >   map_decision(orig_tclass, avd, policydb.allow_unknown); >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return; >  allow: >   avd->allowed = 0xffffffff; > @@ -1144,7 +1144,7 @@ void security_compute_av_user(u32 ssid, >  { >   struct context *scontext = NULL, *tcontext = NULL; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   avd_init(avd); >   if (!ss_initialized) >   goto allow; > @@ -1175,7 +1175,7 @@ void security_compute_av_user(u32 ssid, >   >   context_struct_compute_av(scontext, tcontext, tclass, avd, > NULL); >   out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return; >  allow: >   avd->allowed = 0xffffffff; > @@ -1277,7 +1277,7 @@ static int security_sid_to_context_core(u32 > sid, char **scontext, >   rc = -EINVAL; >   goto out; >   } > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   if (force) >   context = sidtab_search_force(&sidtab, sid); >   else > @@ -1290,7 +1290,7 @@ static int security_sid_to_context_core(u32 > sid, char **scontext, >   } >   rc = context_struct_to_string(context, scontext, > scontext_len); >  out_unlock: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >  out: >   return rc; >   
> @@ -1442,7 +1442,7 @@ static int security_context_to_sid_core(const > char *scontext, u32 scontext_len, >   goto out; >   } >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   rc = string_to_context_struct(&policydb, &sidtab, scontext2, >         scontext_len, &context, > def_sid); >   if (rc == -EINVAL && force) { > @@ -1454,7 +1454,7 @@ static int security_context_to_sid_core(const > char *scontext, u32 scontext_len, >   rc = sidtab_context_to_sid(&sidtab, &context, sid); >   context_destroy(&context); >  out_unlock: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >  out: >   kfree(scontext2); >   kfree(str); > @@ -1604,7 +1604,7 @@ static int security_compute_sid(u32 ssid, >   >   context_init(&newcontext); >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   if (kern) { >   tclass = unmap_class(orig_tclass); > @@ -1738,7 +1738,7 @@ static int security_compute_sid(u32 ssid, >   /* Obtain the sid for the context. */ >   rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid); >  out_unlock: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   context_destroy(&newcontext); >  out: >   return rc; > @@ -2160,7 +2160,7 @@ int security_load_policy(void *data, size_t > len) >   sidtab_set(&oldsidtab, &sidtab); >   >   /* Install the new policydb and SID table. */ > - write_lock_irq(&policy_rwlock); > + percpu_down_write(&policy_rwsem); >   memcpy(&policydb, newpolicydb, sizeof(policydb)); >   sidtab_set(&sidtab, &newsidtab); >   security_load_policycaps(); > @@ -2168,7 +2168,7 @@ int security_load_policy(void *data, size_t > len) >   current_mapping = map; >   current_mapping_size = map_size; >   seqno = ++latest_granting; > - write_unlock_irq(&policy_rwlock); > + percpu_up_write(&policy_rwsem); >   >   /* Free the old policydb and SID table. */ >   policydb_destroy(oldpolicydb); 
> @@ -2198,9 +2198,9 @@ size_t security_policydb_len(void) >  { >   size_t len; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   len = policydb.len; > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   >   return len; >  } > @@ -2216,7 +2216,7 @@ int security_port_sid(u8 protocol, u16 port, > u32 *out_sid) >   struct ocontext *c; >   int rc = 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   c = policydb.ocontexts[OCON_PORT]; >   while (c) { > @@ -2241,7 +2241,7 @@ int security_port_sid(u8 protocol, u16 port, > u32 *out_sid) >   } >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2256,7 +2256,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 > pkey_num, u32 *out_sid) >   struct ocontext *c; >   int rc = 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   c = policydb.ocontexts[OCON_IBPKEY]; >   while (c) { > @@ -2281,7 +2281,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 > pkey_num, u32 *out_sid) >   *out_sid = SECINITSID_UNLABELED; >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2296,7 +2296,7 @@ int security_ib_endport_sid(const char > *dev_name, u8 port_num, u32 *out_sid) >   struct ocontext *c; >   int rc = 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   c = policydb.ocontexts[OCON_IBENDPORT]; >   while (c) { > @@ -2322,7 +2322,7 @@ int security_ib_endport_sid(const char > *dev_name, u8 port_num, u32 *out_sid) >   *out_sid = SECINITSID_UNLABELED; >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2336,7 +2336,7 @@ int security_netif_sid(char *name, u32 *if_sid) >   int rc = 0; >   struct ocontext *c; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   c = policydb.ocontexts[OCON_NETIF]; >   while (c) { 
> @@ -2363,7 +2363,7 @@ int security_netif_sid(char *name, u32 *if_sid) >   *if_sid = SECINITSID_NETIF; >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2395,7 +2395,7 @@ int security_node_sid(u16 domain, >   int rc; >   struct ocontext *c; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   switch (domain) { >   case AF_INET: { > @@ -2450,7 +2450,7 @@ int security_node_sid(u16 domain, >   >   rc = 0; >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2489,7 +2489,7 @@ int security_get_user_sids(u32 fromsid, >   if (!ss_initialized) >   goto out; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   context_init(&usercon); >   > @@ -2539,7 +2539,7 @@ int security_get_user_sids(u32 fromsid, >   } >   rc = 0; >  out_unlock: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   if (rc || !mynel) { >   kfree(mysids); >   goto out; > @@ -2580,7 +2580,7 @@ int security_get_user_sids(u32 fromsid, >   * cannot support xattr or use a fixed labeling behavior like >   * transition SIDs or task SIDs. >   * > - * The caller must acquire the policy_rwlock before calling this > function. > + * The caller must acquire the policy_rwsem before calling this > function. >   */ >  static inline int __security_genfs_sid(const char *fstype, >          char *path, > @@ -2639,7 +2639,7 @@ static inline int __security_genfs_sid(const > char *fstype, >   * @sclass: file security class >   * @sid: SID for path >   * > - * Acquire policy_rwlock before calling __security_genfs_sid() and > release > + * Acquire policy_rwsem before calling __security_genfs_sid() and > release >   * it afterward. >   */ >  int security_genfs_sid(const char *fstype, 
> @@ -2649,9 +2649,9 @@ int security_genfs_sid(const char *fstype, >  { >   int retval; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   retval = __security_genfs_sid(fstype, path, orig_sclass, > sid); > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return retval; >  } >   > @@ -2666,7 +2666,7 @@ int security_fs_use(struct super_block *sb) >   struct superblock_security_struct *sbsec = sb->s_security; >   const char *fstype = sb->s_type->name; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   c = policydb.ocontexts[OCON_FSUSE]; >   while (c) { > @@ -2696,7 +2696,7 @@ int security_fs_use(struct super_block *sb) >   } >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2704,7 +2704,7 @@ int security_get_bools(int *len, char ***names, > int **values) >  { >   int i, rc; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   *names = NULL; >   *values = NULL; >   > @@ -2733,7 +2733,7 @@ int security_get_bools(int *len, char ***names, > int **values) >   } >   rc = 0; >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  err: >   if (*names) { > @@ -2751,7 +2751,7 @@ int security_set_bools(int len, int *values) >   int lenp, seqno = 0; >   struct cond_node *cur; >   > - write_lock_irq(&policy_rwlock); > + percpu_down_write(&policy_rwsem); >   >   rc = -EFAULT; >   lenp = policydb.p_bools.nprim; > @@ -2784,7 +2784,7 @@ int security_set_bools(int len, int *values) >   seqno = ++latest_granting; >   rc = 0; >  out: > - write_unlock_irq(&policy_rwlock); > + percpu_up_write(&policy_rwsem); >   if (!rc) { >   avc_ss_reset(seqno); >   selnl_notify_policyload(seqno); > @@ -2799,7 +2799,7 @@ int security_get_bool_value(int index) >   int rc; >   int len; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -EFAULT; >   len = policydb.p_bools.nprim; 
> @@ -2808,7 +2808,7 @@ int security_get_bool_value(int index) >   >   rc = policydb.bool_val_to_struct[index]->state; >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -2864,7 +2864,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, > u32 *new_sid) >   >   context_init(&newcon); >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -EINVAL; >   context1 = sidtab_search(&sidtab, sid); > @@ -2906,7 +2906,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, > u32 *new_sid) >   >   rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid); >  out_unlock: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   context_destroy(&newcon); >  out: >   return rc; > @@ -2963,7 +2963,7 @@ int security_net_peersid_resolve(u32 nlbl_sid, > u32 nlbl_type, >   if (!policydb.mls_enabled) >   return 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -EINVAL; >   nlbl_ctx = sidtab_search(&sidtab, nlbl_sid); > @@ -2990,7 +2990,7 @@ int security_net_peersid_resolve(u32 nlbl_sid, > u32 nlbl_type, >    * expressive */ >   *peer_sid = xfrm_sid; >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -3011,7 +3011,7 @@ int security_get_classes(char ***classes, int > *nclasses) >  { >   int rc; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -ENOMEM; >   *nclasses = policydb.p_classes.nprim; > @@ -3029,7 +3029,7 @@ int security_get_classes(char ***classes, int > *nclasses) >   } >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -3051,7 +3051,7 @@ int security_get_permissions(char *class, char > ***perms, int *nperms) >   int rc, i; >   struct class_datum *match; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -EINVAL; >   match = hashtab_search(policydb.p_classes.table, class); 
> @@ -3080,11 +3080,11 @@ int security_get_permissions(char *class, > char ***perms, int *nperms) >   goto err; >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >   >  err: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   for (i = 0; i < *nperms; i++) >   kfree((*perms)[i]); >   kfree(*perms); > @@ -3115,9 +3115,9 @@ int security_policycap_supported(unsigned int > req_cap) >  { >   int rc; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   rc = ebitmap_get_bit(&policydb.policycaps, req_cap); > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   >   return rc; >  } > @@ -3181,7 +3181,7 @@ int selinux_audit_rule_init(u32 field, u32 op, > char *rulestr, void **vrule) >   >   context_init(&tmprule->au_ctxt); >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   tmprule->au_seqno = latest_granting; >   > @@ -3221,7 +3221,7 @@ int selinux_audit_rule_init(u32 field, u32 op, > char *rulestr, void **vrule) >   } >   rc = 0; >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   >   if (rc) { >   selinux_audit_rule_free(tmprule); > @@ -3271,7 +3271,7 @@ int selinux_audit_rule_match(u32 sid, u32 > field, u32 op, void *vrule, >   return -ENOENT; >   } >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   if (rule->au_seqno < latest_granting) { >   match = -ESTALE; > @@ -3362,7 +3362,7 @@ int selinux_audit_rule_match(u32 sid, u32 > field, u32 op, void *vrule, >   } >   >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return match; >  } >   > @@ -3448,7 +3448,7 @@ int security_netlbl_secattr_to_sid(struct > netlbl_lsm_secattr *secattr, >   return 0; >   } >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   if (secattr->flags & NETLBL_SECATTR_CACHE) >   *sid = *(u32 *)secattr->cache->data; 
> @@ -3484,12 +3484,12 @@ int security_netlbl_secattr_to_sid(struct > netlbl_lsm_secattr *secattr, >   } else >   *sid = SECSID_NULL; >   > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return 0; >  out_free: >   ebitmap_destroy(&ctx_new.range.level[0].cat); >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >   > @@ -3511,7 +3511,7 @@ int security_netlbl_sid_to_secattr(u32 sid, > struct netlbl_lsm_secattr *secattr) >   if (!ss_initialized) >   return 0; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   >   rc = -ENOENT; >   ctx = sidtab_search(&sidtab, sid); > @@ -3529,7 +3529,7 @@ int security_netlbl_sid_to_secattr(u32 sid, > struct netlbl_lsm_secattr *secattr) >   mls_export_netlbl_lvl(ctx, secattr); >   rc = mls_export_netlbl_cat(ctx, secattr); >  out: > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   return rc; >  } >  #endif /* CONFIG_NETLABEL */ > @@ -3557,9 +3557,9 @@ int security_read_policy(void **data, size_t > *len) >   fp.data = *data; >   fp.len = *len; >   > - read_lock(&policy_rwlock); > + percpu_down_read(&policy_rwsem); >   rc = policydb_write(&policydb, &fp); > - read_unlock(&policy_rwlock); > + percpu_up_read(&policy_rwsem); >   >   if (rc) >   return rc;
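
Review bot: In the security_compute_av() hunks (@@ -1097 and @@ -1130), percpu_down_read() may sleep where read_lock() could not, and this is the function reached on every AVC miss, so any caller that performs a permission check under a spinlock or from interrupt context now ends up in a sleeping primitive. The objection raised in the reply applies to every read-side hunk in the patch, but it is most acute here. The changelog should show that each caller of the converted functions runs in process context with no spinlock held, or the read side should stay non-sleeping (for example through the RCU conversion suggested in the reply); a test run with CONFIG_DEBUG_ATOMIC_SLEEP enabled would surface the offending call paths.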
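
Review bot: The security_load_policy() and security_set_bools() hunks (@@ -2160 and @@ -2751) drop the interrupt disabling that write_lock_irq() provided and put nothing in its place. The _irq variant is what a writer uses when a reader can take the same lock from interrupt context on that CPU, so removing it is only correct once no reader runs there, which is the property the reply says does not hold. Please state in the changelog why the irq protection is no longer needed, and include the cost of percpu_down_write() in security_set_bools(), since the measurements given cover only the read path.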
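
Review bot: The comment updates above __security_genfs_sid() and security_genfs_sid() (@@ -2580 and @@ -2639) rename the lock but do not record the new calling constraint. With a percpu rwsem the caller must hold policy_rwsem for read and must be in a context that can sleep; neither was implied by the old rwlock wording, so the comment should say so, for example "The caller must hold policy_rwsem for read and must be able to sleep."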
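
The reply's suggestion to raise the AVC size through /sys/fs/selinux/avc/cache_threshold can be checked against the counters in /sys/fs/selinux/avc/cache_stats, in the same directory. The following is an added example, not part of the original thread: it totals the per-CPU rows and reports whether misses coincide with evictions. The function names, the sample rows and the limit of 50 misses per 10,000 lookups are assumptions.

```shell
#!/bin/sh
# Judge whether the SELinux AVC is too small before touching cache_threshold.
# cache_stats is a header line followed by one row per CPU:
#   lookups hits misses allocations reclaims frees
# Every miss ends in security_compute_av(); "reclaims" counts entries evicted
# because the cache grew past cache_threshold.

# Constructed sample (two CPUs); these are not measurements from the thread.
avc_sample() {
    cat <<'EOF'
lookups hits misses allocations reclaims frees
1000000 990000 10000 10000 9000 9500
2000000 1985000 15000 15000 14000 14200
EOF
}

# Read cache_stats on stdin, print "lookups misses reclaims" summed over CPUs.
# The kernel counters are 32-bit per CPU and wrap on long-running systems,
# so compare two snapshots rather than trusting absolute totals.
avc_totals() {
    awk 'NR > 1 && NF >= 6 { l += $1; m += $3; r += $5 }
         END { printf "%d %d %d\n", l, m, r }'
}

# Read cache_stats on stdin, print misses per 10,000 lookups (integer).
avc_miss_per_10k() {
    avc_totals | awk '{ if ($1 > 0) printf "%d\n", int($2 * 10000 / $1)
                        else print 0 }'
}

# $1: acceptable misses per 10,000 lookups (assumed tuning target).
# Prints:
#   grow                      misses above the limit and entries were evicted,
#                             so a larger cache_threshold should help
#   misses-not-from-eviction  misses above the limit with no evictions, for
#                             example a cold cache or resets after a policy
#                             reload; a larger threshold will not help
#   ok                        miss rate within the limit
avc_advice() {
    avc_totals | awk -v limit="$1" '{
        rate = ($1 > 0) ? int($2 * 10000 / $1) : 0
        if (rate > limit && $3 > 0) print "grow"
        else if (rate > limit)      print "misses-not-from-eviction"
        else                        print "ok"
    }'
}

STATS=/sys/fs/selinux/avc/cache_stats
if [ -r "$STATS" ]; then
    # Live system: report the current threshold next to the advice.
    echo "live: threshold=$(cat /sys/fs/selinux/avc/cache_threshold)" \
         "miss_per_10k=$(avc_miss_per_10k < "$STATS")" \
         "advice=$(avc_advice 50 < "$STATS")"
else
    # No selinuxfs mounted: fall back to the constructed sample.
    echo "sample: totals=$(avc_sample | avc_totals)" \
         "miss_per_10k=$(avc_sample | avc_miss_per_10k)" \
         "advice=$(avc_sample | avc_advice 50)"
fi
```

A "grow" result is the case the reply describes: writing a larger value to cache_threshold as root reduces evictions, and with them the number of times security_compute_av() runs under the policy lock.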