Received: by 10.192.165.148 with SMTP id m20csp1323974imm; Sat, 5 May 2018 09:24:56 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqdEq6/isGvwZ60om4Y7w8SuSy46PwDHj4W34rPnOh2Kt4SZ1dhgIRfi3U58JeA6f7gWnn9 X-Received: by 2002:a17:902:8ec4:: with SMTP id x4-v6mr31695137plo.370.1525537496184; Sat, 05 May 2018 09:24:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525537496; cv=none; d=google.com; s=arc-20160816; b=hXhLCWOytty0pYq5KbGCMRkjcRDY/KJ7/OieP3WIYYVwZag9pN5lc8Jfi/Ju+EfOQG tQU5XW6hICS1j9U8AODBNWKYwkxQoQgj+CcqNY9AqgKjHJvz/cMG9axtNX8z4kFfCbMP CzSVg+Nj3NGAHTqe6AFSRUStZ3jljSkL4YfKhrjdX9rKEpGs9H6g09R5Gs0M41Cdjg/o VPBjQEJmvgTEI3+AueWnrXZAKo2kplFso+lS/f+7Z0jG9/xIJD3f8ccURZLlVFVEhlGu LYWOK1Spa1CpcbJWYrpMeimRPEuzPbXIkn+lQE8OJwS9uX/KFr8uCyS0g19MismSG48A Ahvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=; b=pOwnntrtj2Vq+4AiV1u2JVR3fwsEnxVNpun+CxTRpZP4QSqOipWkL0/oGzxGTgcZG0 TB8mnkhWmKylWgYn04lzkmG+cLco15fizXwgguqvOey0bu8nUZ8R9jagxNbKyoyZ4V72 4OKVGUtG69HzJJbiTYza2IgKOnrkqAfcB0EangYeRpWcnWGRKqop3hBi9JT1JRU/AEZO nI9EXE7unJFqm8dIq7QN1HJgo/2Mo7LjvdxCCExbZlely1yJ/KLHkZrBmXnzIkq9WQoQ H9NBAsvXHYUfkACLP0uiOBgW95dm9J/o302NtNsjTmQbsthhdxXhSBEa5Xy5eUumq7iP F3BA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SoSIcxxg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 69-v6si18968666plc.436.2018.05.05.09.24.30; Sat, 05 May 2018 09:24:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SoSIcxxg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751739AbeEEQYW (ORCPT + 99 others); Sat, 5 May 2018 12:24:22 -0400 Received: from mail-pf0-f196.google.com ([209.85.192.196]:32908 "EHLO mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751118AbeEEQYT (ORCPT ); Sat, 5 May 2018 12:24:19 -0400 Received: by mail-pf0-f196.google.com with SMTP id f20so10904762pfn.0; Sat, 05 May 2018 09:24:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=; b=SoSIcxxg6vzaCQo/KRqKutO4hhXyK1pvbMIK9xYPxLPmd5NKsILffndPoCVMdfy0xp l3P2ct+JLn0m0TKUbqoUTCOeiu/vOyRYb+/MzAk77f+jkwxXMPO69qDReDV1tUo3vMaU /kANjBgu/iI8oGON0fBf+5cI1Ft5VowIw0XCU/Goc47e2r++xfexyP6tJcOALIEbW2zf wl1tHx6mY0VcSOcNL3S1V9u3xqfIN+F9F+fBbKScPXNiH0sDo1PyK67nyljnmRC2lbj0 nZ0E6jIMSwqcJpZFTd66nM669FnECY7p3WegxjPoSNSEOCvSso6BuORmKQH5gluyYaAH 3u7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=; b=t24ojh8Gmco1YvYHkUI/F+iZ4S+88bNVKLZfFVRdjivqah9FxZ33A7DTFwjYtaB2w7 f1QhpMg8No1U/82+xfFuIO7AQZQu75MuhyAyGyYv2OYGupvVGsNgBg71QzXteoEHmqeo 3BkZwePzsBS0O558bVJOgeaQVlKLkXzlmNJ261oaLC9MHbTFmlnWvjODhp5eHPNF6YaQ WRECOZEuhdIDPk5W5wZeMcHeOq/npgHPixvfhizIycxckVkRcHt++iKnKpmARmi4BL3y ZkvuCkgfTENAJPOdOgLbAdiPZgXnOqLljVg6OAdZD9ms1RJg2CH7OFZUx/t7dmX0N3B8 qbYw== X-Gm-Message-State: ALQs6tAlPJlyn8nBz3mZFWvYfh+/GOmW9swIdmhiZdb8aPTRXuf6kuYp 5Qe8LVdTFMnivJFoIT1xjJQ= X-Received: by 2002:a17:902:20eb:: with SMTP id v40-v6mr31878819plg.277.1525537458987; Sat, 05 May 2018 09:24:18 -0700 (PDT) Received: from ast-mbp ([2620:10d:c090:180::1:a512]) by smtp.gmail.com with ESMTPSA id p71sm41499964pfl.170.2018.05.05.09.24.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 05 May 2018 09:24:17 -0700 (PDT) Date: Sat, 5 May 2018 09:24:15 -0700 From: Alexei Starovoitov To: Jann Horn Cc: Alexei Starovoitov , "David S. Miller" , Daniel Borkmann , Linus Torvalds , Greg Kroah-Hartman , Andy Lutomirski , Network Development , kernel list , kernel-team@fb.com Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper Message-ID: <20180505162413.tmmtdgdds5yme64j@ast-mbp> References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-2-ast@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180223 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 05, 2018 at 12:48:24AM -0400, Jann Horn wrote: > On Thu, May 3, 2018 at 12:36 AM, Alexei Starovoitov wrote: > > Introduce helper: > > int fork_usermode_blob(void *data, size_t len, struct umh_info *info); > > struct umh_info { > > struct file *pipe_to_umh; > > struct file *pipe_from_umh; > > pid_t pid; > > }; > > > > that GPLed kernel modules (signed or unsigned) can use it to execute part > > of its own data as swappable user mode process. > > > > The kernel will do: > > - mount "tmpfs" > > - allocate a unique file in tmpfs > > - populate that file with [data, data + len] bytes > > - user-mode-helper code will do_execve that file and, before the process > > starts, the kernel will create two unix pipes for bidirectional > > communication between kernel module and umh > > - close tmpfs file, effectively deleting it > > - the fork_usermode_blob will return zero on success and populate > > 'struct umh_info' with two unix pipes and the pid of the user process > > > > As the first step in the development of the bpfilter project > > the fork_usermode_blob() helper is introduced to allow user mode code > > to be invoked from a kernel module. The idea is that user mode code plus > > normal kernel module code are built as part of the kernel build > > and installed as traditional kernel module into distro specified location, > > such that from a distribution point of view, there is > > no difference between regular kernel modules and kernel modules + umh code. > > Such modules can be signed, modprobed, rmmod, etc. The use of this new helper > > by a kernel module doesn't make it any special from kernel and user space > > tooling point of view. > [...] > > +static struct vfsmount *umh_fs; > > + > > +static int init_tmpfs(void) > > +{ > > + struct file_system_type *type; > > + > > + if (umh_fs) > > + return 0; > > + type = get_fs_type("tmpfs"); > > + if (!type) > > + return -ENODEV; > > + umh_fs = kern_mount(type); > > + if (IS_ERR(umh_fs)) { > > + int err = PTR_ERR(umh_fs); > > + > > + put_filesystem(type); > > + umh_fs = NULL; > > + return err; > > + } > > + return 0; > > +} > > Should init_tmpfs() be holding some sort of mutex if it's fiddling > with `umh_fs`? The current code only calls it in initcall context, but > if that ever changes and two processes try to initialize the tmpfs at > the same time, a few things could go wrong. I thought that module loading is serialized, so calls to fork_usermode_blob() will be serialized as well, but looking at the code again that doesn't seem to be the case, so need to revisit not only this function, but the rest of it too. > I guess Luis' suggestion (putting a call to init_tmpfs() in > do_basic_setup()) might be the easiest way to get rid of that problem. I still think that two mounts where umh mount is dynamic is cleaner. Why waste the mount if no module uses this helper? I'm thinking to wrap init_tmpfs into DO_ONCE instead or use a mutex. Looks like shmem_file_setup_with_mnt() can be called in parallel on the same mount, so that should be fine.