Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp1249559ybv; Thu, 20 Feb 2020 16:22:07 -0800 (PST) X-Google-Smtp-Source: APXvYqwYnRBR4VtQZr3t8LP/mvrg83LdAssWyNiKE3Q1Ck0pQIZoeJZlhRgtCK60+rDHn8IRAmPT X-Received: by 2002:a05:6830:1385:: with SMTP id d5mr26750067otq.61.1582244527432; Thu, 20 Feb 2020 16:22:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582244527; cv=none; d=google.com; s=arc-20160816; b=IA0cE9qjtkal/KNbdD0HKtlzrI4z1XbPRg7z4b5+g+6E5jIXj5tX8W3XK2lv51l/si oYpoN4brIgfhVce/KxguooUlsAcN9uPnb8DYGXOFADFLhBUYqtDsC+2DWAAVOT9CjQ/P oRnpXJJPgoef0/3LRx2+XjFeK6amzmgE163xBMqL9VabXaI44oTzSDiQbirrgINApDKG lFFzj8lbFfBD/PVFaT5Rv5vSAbIJyO2Ve7BASZECqjP5BNSyuzJEX3i5WlKKLcYs7vWg wsMwsYWc7IS5bQLjKtua3+AAQA9QPizb5hOTwQfBbHynZYQsWZFyVis/F9LPwt6qSSmq JGKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Plslq0a/WlH9+0wsRfxUN/LmRsw3WQkY4fgXi9ixwsc=; b=tW9fHQUT62gAaezucX0/yOrzaYXgw9lsNy8zZgu3DNZx2UvRYjC4vFAh6FF9LV2nTy DngLjQi/eEtsWYn2+m0IpVGnHz8piNeoEeUeV7sE3K+1bnEEQK8t1uCEwjeDAloJ7FCv eLoaNNGaUdiWvdAafgtl9V1gEYcfBMjnHdIhQahjtKLALV4viKURyGGEEeLBHVjRV3s6 UhH7Zij90dMmoIVFspLsbiGCTenX9Z1nWFn697C2ts/aaSY6TMAIxN63UO7KgZxkfHE/ 6KlXhGN13BrDVoHbkTz7051layfrLkLxMMgCOeLEAYMgONFPu3zPJhEQ3hQjc7yvDWsB B0UA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FkpuTNQL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 25si413245oiz.230.2020.02.20.16.21.55; Thu, 20 Feb 2020 16:22:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FkpuTNQL; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729449AbgBUAUp (ORCPT + 99 others); Thu, 20 Feb 2020 19:20:45 -0500 Received: from mail-pl1-f194.google.com ([209.85.214.194]:37371 "EHLO mail-pl1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729397AbgBUAUo (ORCPT ); Thu, 20 Feb 2020 19:20:44 -0500 Received: by mail-pl1-f194.google.com with SMTP id c23so107081plz.4 for ; Thu, 20 Feb 2020 16:20:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=Plslq0a/WlH9+0wsRfxUN/LmRsw3WQkY4fgXi9ixwsc=; b=FkpuTNQLtoitah5hPi0YUKeg08H4CsA2euPhDcAkduZeFH/lBTvyv7io4vwS17q84B l1Sc/iSRu2T1VNHZHJ7j620/J86Ss52l7jHQbG9hZu38KIdCJ4qKJAZb6Zh8B4felH78 4AhXAmizgyeP7Po6ZqhRnh/9JAR/OuzwwoVm4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=Plslq0a/WlH9+0wsRfxUN/LmRsw3WQkY4fgXi9ixwsc=; b=E0f9FQuQNrbSGUd79J/vuJpcnA8lvSOEWGQ4/mJpRr4JEyMT8eQ4dNRoEyUYzp0Fp5 PyRBY0w8YlNIL9i7w0DJ0bAi9+qBgDLeWU8Omt8nIFkcXFQuZibihQZTLWrwYGJlwL0R 3AAOp/QE9ChIdSTzyHfCMATjQ9kiHjmVe3rlBpZ16HnC4y6QiOOPn7+Ls79xUZ6Pmk6J 9qK2zlVARX5eYNlR0PBR48CcjewrfAN9tiyEEi2/Y8gDy9daaJ279bSMwvegGmSVVCko 72CjF7+g1gcZ5aHdQ9/qp25KPZxu7LUkVXtb0kFXKaI4r4wVRhjGEzBdoV4JVGIV78Nf zuDA== X-Gm-Message-State: APjAAAU4kheVTU6HYDrA0aff5jmYbuyi534zK/INDR2HtIyCyFlrOgHJ DeOUlJv1yCXKn88vsmG0FkNN8g== X-Received: by 2002:a17:902:321:: with SMTP id 30mr35390771pld.130.1582244442771; Thu, 20 Feb 2020 16:20:42 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id f9sm698180pfd.141.2020.02.20.16.20.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 20 Feb 2020 16:20:41 -0800 (PST) Date: Thu, 20 Feb 2020 16:20:40 -0800 From: Kees Cook To: Thomas Gleixner Cc: Vinicius Costa Gomes , LKML , David Miller , bpf@vger.kernel.org, netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Sebastian Sewior , Peter Zijlstra , Clark Williams , Steven Rostedt , Juri Lelli , Ingo Molnar , Will Drewry , Andy Lutomirski Subject: Re: [RFC patch 09/19] bpf: Use BPF_PROG_RUN_PIN_ON_CPU() at simple call sites. Message-ID: <202002201616.21FA55E@keescook> References: <20200214133917.304937432@linutronix.de> <20200214161503.804093748@linutronix.de> <87a75ftkwu.fsf@linux.intel.com> <875zg3q7cn.fsf@nanos.tec.linutronix.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <875zg3q7cn.fsf@nanos.tec.linutronix.de> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 19, 2020 at 10:00:56AM +0100, Thomas Gleixner wrote: > Vinicius Costa Gomes writes: > > Cc+: seccomp folks > > > Thomas Gleixner writes: > > > >> From: David Miller > > Leaving content for reference > > >> All of these cases are strictly of the form: > >> > >> preempt_disable(); > >> BPF_PROG_RUN(...); > >> preempt_enable(); > >> > >> Replace this with BPF_PROG_RUN_PIN_ON_CPU() which wraps BPF_PROG_RUN() > >> with: > >> > >> migrate_disable(); > >> BPF_PROG_RUN(...); > >> migrate_enable(); > >> > >> On non RT enabled kernels this maps to preempt_disable/enable() and on RT > >> enabled kernels this solely prevents migration, which is sufficient as > >> there is no requirement to prevent reentrancy to any BPF program from a > >> preempting task. The only requirement is that the program stays on the same > >> CPU. > >> > >> Therefore, this is a trivially correct transformation. > >> > >> [ tglx: Converted to BPF_PROG_RUN_PIN_ON_CPU() ] > >> > >> Signed-off-by: David S. Miller > >> Signed-off-by: Thomas Gleixner > >> > >> --- > >> include/linux/filter.h | 4 +--- > >> kernel/seccomp.c | 4 +--- > >> net/core/flow_dissector.c | 4 +--- > >> net/core/skmsg.c | 8 ++------ > >> net/kcm/kcmsock.c | 4 +--- > >> 5 files changed, 6 insertions(+), 18 deletions(-) > >> > >> --- a/include/linux/filter.h > >> +++ b/include/linux/filter.h > >> @@ -713,9 +713,7 @@ static inline u32 bpf_prog_run_clear_cb( > >> if (unlikely(prog->cb_access)) > >> memset(cb_data, 0, BPF_SKB_CB_LEN); > >> > >> - preempt_disable(); > >> - res = BPF_PROG_RUN(prog, skb); > >> - preempt_enable(); > >> + res = BPF_PROG_RUN_PIN_ON_CPU(prog, skb); > >> return res; > >> } > >> > >> --- a/kernel/seccomp.c > >> +++ b/kernel/seccomp.c > >> @@ -268,16 +268,14 @@ static u32 seccomp_run_filters(const str > >> * All filters in the list are evaluated and the lowest BPF return > >> * value always takes priority (ignoring the DATA). > >> */ > >> - preempt_disable(); > >> for (; f; f = f->prev) { > >> - u32 cur_ret = BPF_PROG_RUN(f->prog, sd); > >> + u32 cur_ret = BPF_PROG_RUN_PIN_ON_CPU(f->prog, sd); > >> > > > > More a question really, isn't the behavior changing here? i.e. shouldn't > > migrate_disable()/migrate_enable() be moved to outside the loop? Or is > > running seccomp filters on different cpus not a problem? > > In my understanding this is a list of filters and they are independent > of each other. > > Kees, Will. Andy? They're technically independent, but they are related to each other. (i.e. order matters, process hierarchy matters, etc). There's no reason I can see that we can't switch CPUs between running them, though. (AIUI, nothing here would suddenly make these run in parallel, right?) As long as "current" is still "current", and they run in the same order, we'll get the same final result as far as seccomp is concerned. -- Kees Cook