Received: by 10.223.185.111 with SMTP id b44csp682686wrg; Fri, 9 Mar 2018 11:40:53 -0800 (PST) X-Google-Smtp-Source: AG47ELuSM/yvVbJhOi/0+TYh1H7Bd2Bd38fmsg8v06qN5dxBHzxyHO9U1t2WhdijBlvyzXVDtFci X-Received: by 10.101.81.135 with SMTP id h7mr25734341pgq.121.1520624453523; Fri, 09 Mar 2018 11:40:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520624453; cv=none; d=google.com; s=arc-20160816; b=Z3vak+FRLV2oKBPX0yTzT2wj4h3BFhxsgEGiZe6UU9ss5Fqmz2XjYvZBYz+iTTG7xA uMvyP0ICTDR7ILZZGngis+tF819/yqeh07MYdoQeTvP2Eu+gpqs7jfCoyu4qPxE5Oe6m 4HjiA9Oyr96KBaPQJmY64ANbYKA6lPA96zmxWRJKyVK3l+kRH/gM/bwZc31AEj4XfICy h14jWgZ5xLtnOoqx2aAsWTKKZgyAA9L6vePCnD9QqelFYyPEdyZAkCAnhFarb1fU9m5m STM2V89DrmTt7W0e4bQqpqzxEhGIwW3xP/aoiwCUd5Hxmn82DNLT0wBbTsRAZuPZNtl0 0Iyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=r/z7pAnGqjo/H9QRZzfiCHUf4R5vTJqAD/sJMq2ydfQ=; b=IjOMCKGOB24PQPpcScVNjpRPEL6840F5JF5tLgOqiuSJxz1jPPhI63tQPdnAoeyhxm 9wd7WfDo96uWjmwRjex3mm0NIas9TLn77jxOeQUqciW0101fBmQWAgqqNIIgG2j0a1x1 /4326s6XjnaqD48UtUceF1cf4Au4ZG99Jz8WjXT3ERSToh/1ode1bD7max8gVHfcd6Np W/WK7qyhbxSKzECFS+rVZd18ViiLWTTufodt+8uzVPgalRxWmWIZGfgJ7zMiChAXlIlB +Anzhd+vbeaBJ6eEU+b1TWHx3Tpm/LhliqB6JZyLnXAa3onijCKd8j73t2msEuvIGW0L cH/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=UnzXmp4E; dkim=fail header.i=@linux-foundation.org header.s=google header.b=HrbDoUHf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 196si1362161pfv.144.2018.03.09.11.40.39; Fri, 09 Mar 2018 11:40:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=UnzXmp4E; dkim=fail header.i=@linux-foundation.org header.s=google header.b=HrbDoUHf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932671AbeCITia (ORCPT + 99 others); Fri, 9 Mar 2018 14:38:30 -0500 Received: from mail-it0-f52.google.com ([209.85.214.52]:40146 "EHLO mail-it0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932288AbeCITi0 (ORCPT ); Fri, 9 Mar 2018 14:38:26 -0500 Received: by mail-it0-f52.google.com with SMTP id e64-v6so4154568ita.5; Fri, 09 Mar 2018 11:38:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=r/z7pAnGqjo/H9QRZzfiCHUf4R5vTJqAD/sJMq2ydfQ=; b=UnzXmp4Ef25PryGDQXArkbN0zDjBprF4w2mWrob47Z2/RR86E9k4aUPHiBQiIpE7Qe dEZwDtnyu7pCHGue+QhRs59/uhpN9KFUDPLAVcXlPKIrgRHagCShBULb8K83zuJgG0Ju rqfrWovbbdMVsMdskEz4cBeu9Tb1eWrkqD1Zmrbd5qYSI60awmy0yOXBX2lqGi9DcfCm g6MyUVPjLuXuHInmMgKGemjrJsu3W15ibvF3ug53Oho7jMZ8lRM6EWe5tILGKX3trIrx r5SN+ncVGZS0dUdX9Z72uU15FzS/oT6DAEu9bFtpKkyxZkz5KMBheQauXThsVUJOlJxV GCGQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=r/z7pAnGqjo/H9QRZzfiCHUf4R5vTJqAD/sJMq2ydfQ=; b=HrbDoUHfryX7kdZ5TvPyWGfHcPfYwBfFjZPQi0vCB/OvWZS7aDIXCwR1Aw1xE7C85Z 3Ba4n+4TPimEDFcBmRu+S45bG0jNwlGMatpf8T3n5YcGc2XOAQi8N/4PyEHgUIM3ojDM CVB8XZ1Wzaq85ymIdkwFKa84TNiwanI47RH/Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=r/z7pAnGqjo/H9QRZzfiCHUf4R5vTJqAD/sJMq2ydfQ=; b=tbUD2Org0YdoKGFxC4B9kdirELHbdjfiauqqRSgrK2ztKa5DZ9Xm64BcKPwN0TzoXb aIzrA4KuCzljAal7mQZ3xiNW8TM2rKw0DXkZrQh5rWTwGRjcOpIRMlzT0R+MGUOCF70N BGtppridVLCTbADT43RQ5vniZ9uiJoclKqg7NITY0MhRl/mELiYG4WVRJ94lzT6cRmSQ K/2tAhLH9g7zau2OG/bZlCAOhIPLYq7O70m6E2ScMaXm3dK5UlU6EGd2VbfIMp+MzNty YtUwb7HFwaXkGhbIaa2MXIAiEq9KBQVKZxHG591PGFs4PJdDeWd7JTobAjq8s7o6b5k1 Ssrw== X-Gm-Message-State: AElRT7F4qGXOtUMEeP3h0Rum9CgjTFWfjyav/O3zRrf+bizO8XUsAmKW VN97rXyP4NTOBE18Yz2Ba8WBpz8Ftao5l3gSzQs= X-Received: by 10.36.89.137 with SMTP id p131mr4869340itb.113.1520624305778; Fri, 09 Mar 2018 11:38:25 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Fri, 9 Mar 2018 11:38:25 -0800 (PST) In-Reply-To: References: <20180309.135724.452219538059491199.davem@davemloft.net> From: Linus Torvalds Date: Fri, 9 Mar 2018 11:38:25 -0800 X-Google-Sender-Auth: MyQFvo6jolBuI_BnkZubaZEbPHE Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: David Miller Cc: Andy Lutomirski , Alexei Starovoitov , Kees Cook , Alexei Starovoitov , Djalal Harouni , Al Viro , Daniel Borkmann , Greg Kroah-Hartman , "Luis R. Rodriguez" , Network Development , Linux Kernel Mailing List , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 11:12 AM, Linus Torvalds wrote: > > How are you going to handle five processes doing the same setup concurrently? Side note: it's not just serialization. It's also "is it actually up and running". The rule for "request_module()" (for a real module) has been that it returns when the module is actually alive and active and have done their initcalls. The UMH_WAIT_EXEC behavior (ignore the serialization - you could do that in the caller) behavior doesn't actually have any semantics AT ALL. It only means that you get the error returns from execve() itself, so you know that the executable file actually existed and parsed right enough to get started. But you don't actually have any reason to believe that it has *done* anything, and started processing any requests. There's no reason what-so-ever to believe that it has registered itself for any asynchronous requests or anything like that. So in the real module case, you can do request_module("modulename"); and just start using whatever resource you just requested. So the netfilter code literally does request_module("nft-chain-%u-%.*s", family, nla_len(nla), (const char *)nla_data(nla)); nfnl_lock(NFNL_SUBSYS_NFTABLES); type = __nf_tables_chain_type_lookup(nla, family); if (type != NULL) return ERR_PTR(-EAGAIN); and doesn't even care about error handling for request_module() itself, because it knows that either the module got loaded and is ready, or something failed. And it needs to look that chain type up anyway, so the failure is indicated by _that_. With a UMH_WAIT_EXEC? No. You have *nothing*. You know the thing started, but it might have SIGSEGV'd immediately, and you have absolutely no way of knowing, and absolutely no way of even figuring it out. You can wait - forever - for something to bind to whatever dynamic resource you're expecting. You'll just fundamentally never know. You can try again, of course. Add a timeout, and try again in five seconds or something. Maybe it will work then. Maybe it won't. You won't have any way to know the _second_ time around either. Or the third. Or... See why I say it has to be synchronous? If it's synchronous, you can actually do things like (a) maybe you only need a one-time thing, and don't have any state ("load fixed tables, be done") and that's it. If the process returns with no error code, you're all done, and you know it's fine. (b) maybe the process wants to start a listener daemon or something like the traditional inetd model. It can open the socket, it can start listening on it, and it can fork off a child and check it's status. It can then do exit(0) if everything is fine, and now request_module() returns. see the difference? Even if you ended up with a background process (like in that (b) case), you did so with *error* handling, and you did so knowing that the state has actually been set up by the time the request_module() returns. And if you use the proper module loading exclusion, it also means that that (b) can know it's the only process starting up, and it's not racing with another one. It might still want to do the usual lock-files in user space to protect against just the admin starting it manually, but at least you don't have the situation that a hundred threads just had a thundering herd where they all ended up using the same kernel facility, and they all independently started a hundred usermode helpers. Linus