Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp637078pxb; Thu, 14 Jan 2021 14:54:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJy3Rn2t7ce8LqHyTRG3DVTx7sdTsduQyCABarfvGye/nORhAsnar5bZ7EBm272B65pdHxgo X-Received: by 2002:a17:906:707:: with SMTP id y7mr6699507ejb.212.1610664894503; Thu, 14 Jan 2021 14:54:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610664894; cv=none; d=google.com; s=arc-20160816; b=bxmqzwihJ6jpBvpOiCh0TBElKqeB4882q6ZxpCw+NvLcuN3YfiWgSHcVcDos8qrrBw IWrPxwh6KoAKc8VQrR6i4nSZ1gPxvPKQCld/kUITZz8pQIk6QWxVCIjA8tW+VuKFAMbt Ht4hTexnA9TlBiyvqDeIKr3kqUnkdooTeArBh8M8Vke7k0bpgJvFZhTPOxiGh0oUeskB wgMCjt9k+GUehxzJYVCIK9SOo1JbRO5vL9A3mvIy2oAFdt9yonpdgff856UwWKPuFBt8 XnHpIfQuR6EoPjlhrsscBbMNDXGMcBfGY0hdz/LIGduCs4PcqKCtHU/987qF5F1ssrEC 07gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature; bh=1GIYbQk4Gp7v6M1E5BZJYVNgEi14/UhOP10cB+FUS7U=; b=gxfhG3QqeBeFlQTEw60VCmVqS9pksRFRH0RQxswhRA3/M7xvz0P8ZFwJpwbeUmzHQJ WmrSymYYxuYA/BxiOhSlkoA6VXIvuoJIfmU83rIuD2SYEwgLpaBTNqGeS7l1ovygP28q 4W+V6ElloabLdJxmSL6dnzvMc0F/IRpzBdI09fxhf9vG62SFEdbH0yU97YwOzwvhN3QN jCQV64ZZohM9gS3gMxElryQ8dJWXYwV+EmirWAdtfGfbowZ7uLO0cTWH0RomYdmHGgOP nNVX99KOy5RczmTTGidEiTbgKzu38a2V1y2yHQD1Ir7u0/AvQa24fVMHY1YPtDNOVWwZ +37w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=knIQ32GT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bt21si3581293edb.569.2021.01.14.14.54.30; Thu, 14 Jan 2021 14:54:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=knIQ32GT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730993AbhANWwe (ORCPT + 99 others); Thu, 14 Jan 2021 17:52:34 -0500 Received: from aserp2120.oracle.com ([141.146.126.78]:39220 "EHLO aserp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730988AbhANWwe (ORCPT ); Thu, 14 Jan 2021 17:52:34 -0500 Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 10EMoD9f047144; Thu, 14 Jan 2021 22:51:30 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type; s=corp-2020-01-29; bh=1GIYbQk4Gp7v6M1E5BZJYVNgEi14/UhOP10cB+FUS7U=; b=knIQ32GTS4wk9eBHaer7lidjtvEI5JRPAFIVQS7OREkAa0MPJvCA1WTYbJbuJqYrAoyf wR3mJzDynMFEPn+/kYt+PbVZf1N1kIz/D8gjIKkc+wSOLOvxaaqZVt0SeOuBHR3c6FXp kCsuEvbrWtckScgxbpnpw0wb3jgIFrWbzNx9pn6QFSeZ9uqIbjllR5ZfgQG7Kp4jrWJv /NNKFEuBJkV6UJpQrGEr/sRuPscJHS1P5D5ZzMqVxtZrNlLzHIxNIjugYFqOZtRizSTb tPBCHcsBlnYmEVdqIYnHlfWr0A9cFCeaY67Al0/NKL96AzhkDzFe6QViRvJ1yACYbwVv EQ== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by aserp2120.oracle.com with ESMTP id 360kd02j9v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 14 Jan 2021 22:51:29 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 10EMoeUa044319; Thu, 14 Jan 2021 22:51:29 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3020.oracle.com with ESMTP id 360kfa695g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 14 Jan 2021 22:51:29 +0000 Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 10EMpK1v016566; Thu, 14 Jan 2021 22:51:21 GMT Received: from localhost (/10.159.145.187) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 14 Jan 2021 14:51:20 -0800 From: Stephen Brennan To: Al Viro , Paul Moore Cc: Linus Torvalds , Alexey Dobriyan , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, Stephen Smalley , Eric Paris , selinux@vger.kernel.org, Casey Schaufler , Eric Biederman , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Matthew Wilcox Subject: Re: [PATCH v4] proc: Allow pid_revalidate() during LOOKUP_RCU In-Reply-To: <20210106003803.GA3579531@ZenIV.linux.org.uk> References: <20210104232123.31378-1-stephen.s.brennan@oracle.com> <20210105055935.GT3579531@ZenIV.linux.org.uk> <20210105165005.GV3579531@ZenIV.linux.org.uk> <20210105195937.GX3579531@ZenIV.linux.org.uk> <87a6tnge5k.fsf@stepbren-lnx.us.oracle.com> <20210106003803.GA3579531@ZenIV.linux.org.uk> Date: Thu, 14 Jan 2021 14:51:17 -0800 Message-ID: <87k0sfyvx6.fsf@stepbren-lnx.us.oracle.com> MIME-Version: 1.0 Content-Type: text/plain X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9864 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 mlxlogscore=999 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2101140132 X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9864 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 impostorscore=0 bulkscore=0 adultscore=0 suspectscore=0 malwarescore=0 lowpriorityscore=0 clxscore=1015 mlxlogscore=999 mlxscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2101140132 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Al Viro writes: > OTTH, it's not really needed there - see vfs.git #work.audit > for (untested) turning that sucker non-blocking. I hadn't tried > a followup that would get rid of the entire AVC_NONBLOCKING thing yet, > but I suspect that it should simplify the things in there nicely... I went ahead and pulled down this branch and combined it with my pid_revalidate change. Further, I audited all the inode get_link and permission() implementations, as well as dentry d_revalidate() implementations, in fs/proc (more on that below). Together, all these patches have run stable under a steady high load of concurrent PS processes on a 104CPU machine for over an hour, and greatly reduced the %sys utilization which the patch originally addressed. How would you like to proceed with the #work.audit changes? I could include them in a v5 of this patch series. Regarding my audit (ha) of dentry and inode functions in the fs/proc/ directory: * get_link() receives a NULL dentry pointer when called in RCU mode. * permission() receives MAY_NOT_BLOCK in the mode parameter when called from RCU. * d_revalidate() receives LOOKUP_RCU in flags. There were generally three groups I found. Group (1) are functions which contain a check at the top of the function and return -ECHILD, and so appear to be trivially RCU safe (although this is by dropping out of RCU completely). Group (2) are functions which have no explicit check, but on my audit, I was confident that there were no sleeping function calls, and thus were RCU safe as is. Group (3) are functions which appeared to be unsafe for some reason or another. Group (1): proc_ns_get_link() proc_pid_get_link() map_files_d_revalidate() proc_misc_d_revalidate() tid_fd_revalidate() Group (2): proc_get_link() proc_self_get_link() proc_thread_self_get_link() proc_fd_permission() Group (3): pid_revalidate() -- addressed by my patch proc_map_files_get_link() proc_pid_permission() -- addressed by Al's work.audit branch proc_map_files_get_link() calls capable() which ends up calling a security hook, which can get into the audit guts, and so I marked it as potentially unsafe, and added a patch to bail out of this function before the capable() check. However, I doubt this is really necessary. So to conclude, depending on how Al wants to move forward with the work.audit branch, I could send a full series with the proposed changes. Stephen