Received: by 10.192.165.148 with SMTP id m20csp1323974imm;
        Sat, 5 May 2018 09:24:56 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqdEq6/isGvwZ60om4Y7w8SuSy46PwDHj4W34rPnOh2Kt4SZ1dhgIRfi3U58JeA6f7gWnn9
X-Received: by 2002:a17:902:8ec4:: with SMTP id x4-v6mr31695137plo.370.1525537496184;
        Sat, 05 May 2018 09:24:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525537496; cv=none;
        d=google.com; s=arc-20160816;
        b=hXhLCWOytty0pYq5KbGCMRkjcRDY/KJ7/OieP3WIYYVwZag9pN5lc8Jfi/Ju+EfOQG
         tQU5XW6hICS1j9U8AODBNWKYwkxQoQgj+CcqNY9AqgKjHJvz/cMG9axtNX8z4kFfCbMP
         CzSVg+Nj3NGAHTqe6AFSRUStZ3jljSkL4YfKhrjdX9rKEpGs9H6g09R5Gs0M41Cdjg/o
         VPBjQEJmvgTEI3+AueWnrXZAKo2kplFso+lS/f+7Z0jG9/xIJD3f8ccURZLlVFVEhlGu
         LYWOK1Spa1CpcbJWYrpMeimRPEuzPbXIkn+lQE8OJwS9uX/KFr8uCyS0g19MismSG48A
         Ahvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=;
        b=pOwnntrtj2Vq+4AiV1u2JVR3fwsEnxVNpun+CxTRpZP4QSqOipWkL0/oGzxGTgcZG0
         TB8mnkhWmKylWgYn04lzkmG+cLco15fizXwgguqvOey0bu8nUZ8R9jagxNbKyoyZ4V72
         4OKVGUtG69HzJJbiTYza2IgKOnrkqAfcB0EangYeRpWcnWGRKqop3hBi9JT1JRU/AEZO
         nI9EXE7unJFqm8dIq7QN1HJgo/2Mo7LjvdxCCExbZlely1yJ/KLHkZrBmXnzIkq9WQoQ
         H9NBAsvXHYUfkACLP0uiOBgW95dm9J/o302NtNsjTmQbsthhdxXhSBEa5Xy5eUumq7iP
         F3BA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=SoSIcxxg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 69-v6si18968666plc.436.2018.05.05.09.24.30;
        Sat, 05 May 2018 09:24:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=SoSIcxxg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751739AbeEEQYW (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Sat, 5 May 2018 12:24:22 -0400
Received: from mail-pf0-f196.google.com ([209.85.192.196]:32908 "EHLO
        mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751118AbeEEQYT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 5 May 2018 12:24:19 -0400
Received: by mail-pf0-f196.google.com with SMTP id f20so10904762pfn.0;
        Sat, 05 May 2018 09:24:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=;
        b=SoSIcxxg6vzaCQo/KRqKutO4hhXyK1pvbMIK9xYPxLPmd5NKsILffndPoCVMdfy0xp
         l3P2ct+JLn0m0TKUbqoUTCOeiu/vOyRYb+/MzAk77f+jkwxXMPO69qDReDV1tUo3vMaU
         /kANjBgu/iI8oGON0fBf+5cI1Ft5VowIw0XCU/Goc47e2r++xfexyP6tJcOALIEbW2zf
         wl1tHx6mY0VcSOcNL3S1V9u3xqfIN+F9F+fBbKScPXNiH0sDo1PyK67nyljnmRC2lbj0
         nZ0E6jIMSwqcJpZFTd66nM669FnECY7p3WegxjPoSNSEOCvSso6BuORmKQH5gluyYaAH
         3u7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=nLCRsToTox2IRoBRieaHW6caU/Zs3povL6LRhKQ/mrQ=;
        b=t24ojh8Gmco1YvYHkUI/F+iZ4S+88bNVKLZfFVRdjivqah9FxZ33A7DTFwjYtaB2w7
         f1QhpMg8No1U/82+xfFuIO7AQZQu75MuhyAyGyYv2OYGupvVGsNgBg71QzXteoEHmqeo
         3BkZwePzsBS0O558bVJOgeaQVlKLkXzlmNJ261oaLC9MHbTFmlnWvjODhp5eHPNF6YaQ
         WRECOZEuhdIDPk5W5wZeMcHeOq/npgHPixvfhizIycxckVkRcHt++iKnKpmARmi4BL3y
         ZkvuCkgfTENAJPOdOgLbAdiPZgXnOqLljVg6OAdZD9ms1RJg2CH7OFZUx/t7dmX0N3B8
         qbYw==
X-Gm-Message-State: ALQs6tAlPJlyn8nBz3mZFWvYfh+/GOmW9swIdmhiZdb8aPTRXuf6kuYp
        5Qe8LVdTFMnivJFoIT1xjJQ=
X-Received: by 2002:a17:902:20eb:: with SMTP id v40-v6mr31878819plg.277.1525537458987;
        Sat, 05 May 2018 09:24:18 -0700 (PDT)
Received: from ast-mbp ([2620:10d:c090:180::1:a512])
        by smtp.gmail.com with ESMTPSA id p71sm41499964pfl.170.2018.05.05.09.24.16
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 05 May 2018 09:24:17 -0700 (PDT)
Date:   Sat, 5 May 2018 09:24:15 -0700
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
To:     Jann Horn <jannh@google.com>
Cc:     Alexei Starovoitov <ast@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andy Lutomirski <luto@amacapital.net>,
        Network Development <netdev@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>, kernel-team@fb.com
Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob()
 helper
Message-ID: <20180505162413.tmmtdgdds5yme64j@ast-mbp>
References: <20180503043604.1604587-1-ast@kernel.org>
 <20180503043604.1604587-2-ast@kernel.org>
 <CAG48ez3gB=zFebJAvFCj+6iuicgTiw_0UDEdeWW1Ri82pz8zkw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAG48ez3gB=zFebJAvFCj+6iuicgTiw_0UDEdeWW1Ri82pz8zkw@mail.gmail.com>
User-Agent: NeoMutt/20180223
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 05, 2018 at 12:48:24AM -0400, Jann Horn wrote:
> On Thu, May 3, 2018 at 12:36 AM, Alexei Starovoitov <ast@kernel.org> wrote:
> > Introduce helper:
> > int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
> > struct umh_info {
> >        struct file *pipe_to_umh;
> >        struct file *pipe_from_umh;
> >        pid_t pid;
> > };
> >
> > that GPLed kernel modules (signed or unsigned) can use it to execute part
> > of its own data as swappable user mode process.
> >
> > The kernel will do:
> > - mount "tmpfs"
> > - allocate a unique file in tmpfs
> > - populate that file with [data, data + len] bytes
> > - user-mode-helper code will do_execve that file and, before the process
> >   starts, the kernel will create two unix pipes for bidirectional
> >   communication between kernel module and umh
> > - close tmpfs file, effectively deleting it
> > - the fork_usermode_blob will return zero on success and populate
> >   'struct umh_info' with two unix pipes and the pid of the user process
> >
> > As the first step in the development of the bpfilter project
> > the fork_usermode_blob() helper is introduced to allow user mode code
> > to be invoked from a kernel module. The idea is that user mode code plus
> > normal kernel module code are built as part of the kernel build
> > and installed as traditional kernel module into distro specified location,
> > such that from a distribution point of view, there is
> > no difference between regular kernel modules and kernel modules + umh code.
> > Such modules can be signed, modprobed, rmmod, etc. The use of this new helper
> > by a kernel module doesn't make it any special from kernel and user space
> > tooling point of view.
> [...]
> > +static struct vfsmount *umh_fs;
> > +
> > +static int init_tmpfs(void)
> > +{
> > +       struct file_system_type *type;
> > +
> > +       if (umh_fs)
> > +               return 0;
> > +       type = get_fs_type("tmpfs");
> > +       if (!type)
> > +               return -ENODEV;
> > +       umh_fs = kern_mount(type);
> > +       if (IS_ERR(umh_fs)) {
> > +               int err = PTR_ERR(umh_fs);
> > +
> > +               put_filesystem(type);
> > +               umh_fs = NULL;
> > +               return err;
> > +       }
> > +       return 0;
> > +}
> 
> Should init_tmpfs() be holding some sort of mutex if it's fiddling
> with `umh_fs`? The current code only calls it in initcall context, but
> if that ever changes and two processes try to initialize the tmpfs at
> the same time, a few things could go wrong.

I thought that module loading is serialized, so calls to
fork_usermode_blob() will be serialized as well, but looking at the code
again that doesn't seem to be the case, so need to revisit not only
this function, but the rest of it too.

> I guess Luis' suggestion (putting a call to init_tmpfs() in
> do_basic_setup()) might be the easiest way to get rid of that problem.

I still think that two mounts where umh mount is dynamic is cleaner.
Why waste the mount if no module uses this helper?
I'm thinking to wrap init_tmpfs into DO_ONCE instead or use a mutex.
Looks like shmem_file_setup_with_mnt() can be called in parallel
on the same mount, so that should be fine.