Date: Thu, 1 Nov 2018 13:58:14 -0600
From: Tycho Andersen
To: Oleg Nesterov
Cc: Kees Cook, Andy Lutomirski, "Eric W. Biederman", "Serge E. Hallyn", Christian Brauner, Tyler Hicks, Akihiro Suda, Aleksa Sarai, linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v8 1/2] seccomp: add a return code to trap to userspace
Message-ID: <20181101195814.GH2180@cisco>

On Thu, Nov 01, 2018 at 02:56:34PM +0100, Oleg Nesterov wrote:
> On 10/29, Tycho Andersen wrote:
> > > > +static int seccomp_notify_release(struct inode *inode, struct file *file) > > +{ > > + struct seccomp_filter *filter = file->private_data; > > + struct seccomp_knotif *knotif; > > + > > + mutex_lock(&filter->notify_lock); > > + > > + /* > >
+ * If this file is being closed because e.g. the task who owned it > > + * died, let's wake everyone up who was waiting on us. > > + */ > > + list_for_each_entry(knotif, &filter->notif->notifications, list) { > > + if (knotif->state == SECCOMP_NOTIFY_REPLIED) > > + continue; > > + > > + knotif->state = SECCOMP_NOTIFY_REPLIED; > > + knotif->error = -ENOSYS; > > + knotif->val = 0; > > + > > + complete(&knotif->ready); > > + } > > + > > + wake_up_all(&filter->notif->wqh);
>
> Why? __fput() is not possible if there is another user of this file sleeping
> in seccomp_notify_poll().

Yes, I was just trying to be extra defensive. But I can drop it.

> > + kfree(filter->notif);
>
> Hmm, this looks wrong... we can't kfree ->notif if its ->notifications list
> is not empty, otherwise seccomp_do_user_notification()->list_del(&n.list)
> can write to the freed memory.
>
> I think _release() should do list_for_each_entry_safe() + list_del_init()
> and seccomp_do_user_notification() should use list_del_init() too.
>
> Or, simpler, seccomp_do_user_notification() should do
>
> 	if (!match->notif)
> 		goto out;
>
> instead of "goto remove_list".

Yes, and we need another such check in this case after we re-acquire
the lock from the signal send.

Thanks for catching this!

Tycho
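
Review bot: the list_for_each_entry() loop in seccomp_notify_release() completes each pending knotif but never unlinks it, so filter->notif->notifications is still populated when the function moves on to tearing down filter->notif. Walk the list with list_for_each_entry_safe() and list_del_init() each entry, as suggested in the reply, so that a woken waiter's own unlink no longer reaches the list head. The wake_up_all(&filter->notif->wqh) after the loop has no one to wake, because release runs only after the last reference to the file is gone; drop it. The comment above the loop should also state that waiters are failed with -ENOSYS.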
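
Review bot: kfree(filter->notif) frees the structure that embeds the notifications list head while the tasks just completed in the loop above have not necessarily run yet, so their later list_del(&n.list) would store into freed memory. Either empty the list before the free, or make every waiter path test match->notif for NULL once it holds notify_lock, including after the lock is re-acquired around the signal send, and skip the unlink when it is gone.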
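
The hazard discussed in this message, as an added example that is not part of the original mail or the kernel patch: a userspace model of the kernel's circular list showing why unlinking a waiter's entry stores into the list head, and how detaching every entry first (the list_del_init() approach suggested above) removes that write. The helper names unlink_writes_to, detach_all and demo are assumptions made for the illustration.

```c
#include <stdbool.h>
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Unlinking stores into both neighbours, then points the node at itself. */
static void list_del_init(struct list_head *n)
{
	n->next->prev = n->prev;
	n->prev->next = n->next;
	init_list_head(n);
}

/* True if unlinking n would store into the memory holding head. */
static bool unlink_writes_to(const struct list_head *n, const struct list_head *head)
{
	return n->next == head || n->prev == head;
}

/* Teardown in the style suggested in the thread: detach all entries first. */
static int detach_all(struct list_head *head)
{
	int detached = 0;
	for (; head->next != head; detached++)
		list_del_init(head->next);
	return detached;
}

/* Constructed scenario: two waiters queued when the listener goes away. */
static int demo(void)
{
	struct list_head head, a, b;
	init_list_head(&head);
	list_add_tail(&a, &head);
	list_add_tail(&b, &head);
	int before = unlink_writes_to(&a, &head) + unlink_writes_to(&b, &head);
	detach_all(&head);	/* must happen before the head's memory is freed */
	int after = unlink_writes_to(&a, &head) + unlink_writes_to(&b, &head);
	list_del_init(&a);	/* a waiter's late unlink now touches only a */
	return before * 10 + after;	/* 20: two head writes before, none after */
}
int main(void) { return demo() == 20 ? 0 : 1; }
```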