Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3761986pxb; Mon, 1 Feb 2021 04:10:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJy0aZESW1Yn2KboQi4MZmYWUFPI+nccqwvxrYWMSN3oMNgbfVlwKSfUX+Ii1PNxMLaRfeyp X-Received: by 2002:a17:906:94ce:: with SMTP id d14mr17250046ejy.121.1612181431998; Mon, 01 Feb 2021 04:10:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612181431; cv=none; d=google.com; s=arc-20160816; b=X+cyvHT2hbHiI667y0l8l9/KEGfI5KPIBQ60hoQdRNyJnPgTQIOsq0nb7jHEsFJ/l4 DOShZvvP1y8nATNUflo+IeYHGFnTHjEUct0CeJ2pCzI894MXSxIEYVGw8BOzDGEdepOr jH1WUn1fI+pRMjpkG9SW34iOjUbOLIKDWet+8mDYRFnXjNmM3PciCaLFE21XNPxOC2aJ VjRHpAEj3AjnCFWRcJ+eXP6HykPKy8uaj+j8+IYWRdK2SfMGvr9Q2UxxqZbJtbEAnT3r ixSpLK6acHymMFsMZsi1U65hROZNsGiS/TFuji3rbIvb7vWNG97Mu6lFUoQtyUTyI6AV Flrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from; bh=3R5MK1W9SPQUtRDpHsbno9kjFgbaPItgmsMe/cRmTwo=; b=G51M1RchSKWvzJISpW56+bJJbD5clCzbzmdcF5mcDYORZciZtv5EJGnBVUC1zWc18X F5isByIReti+8Bpn5+IlYgvt0v5hgd9sY3/R903dQwZzcnGBXtyWHjW47pVx4V2molA2 wA/GgPcseMBNy7lB6T6CUckK4EFQbzHoI6ZV/2v8KTC7KZf1SSKeqKW4vP2rVH9C5rrN LIbWNoIRQAVtqx/cjl/Gr7I082SNHGvFD398UfIx7Eau22pzH9in4I7tpKQcaaKNOYuB QTrpbbdrP+h0K3qT9kgy3Du49oKplYoNVMQ5qgQ8UtdERTJAuzEX2+tBbo5zq9a1ujaB WSWw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k11si1166676ejr.403.2021.02.01.04.10.07; Mon, 01 Feb 2021 04:10:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230002AbhBAMH6 (ORCPT + 99 others); Mon, 1 Feb 2021 07:07:58 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:11997 "EHLO szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231322AbhBAMGd (ORCPT ); Mon, 1 Feb 2021 07:06:33 -0500 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.58]) by szxga05-in.huawei.com (SkyGuard) with ESMTP id 4DTmpB4Pl5zjHSs; Mon, 1 Feb 2021 20:04:34 +0800 (CST) Received: from huawei.com (10.175.124.27) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.498.0; Mon, 1 Feb 2021 20:05:44 +0800 From: wanghongzhe To: , , , , , , , , , , , , , CC: Subject: [PATCH] seccomp: Improve performance by optimizing memory barrier Date: Mon, 1 Feb 2021 20:50:30 +0800 Message-ID: <1612183830-15506-1-git-send-email-wanghongzhe@huawei.com> X-Mailer: git-send-email 1.7.12.4 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.175.124.27] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If a thread(A)'s TSYNC flag is set from seccomp(), then it will synchronize its seccomp filter to other threads(B) in same thread group. To avoid race condition, seccomp puts rmb() between reading the mode and filter in seccomp check patch(in B thread). As a result, every syscall's seccomp check is slowed down by the memory barrier. However, we can optimize it by calling rmb() only when filter is NULL and reading it again after the barrier, which means the rmb() is called only once in thread lifetime. The 'filter is NULL' conditon means that it is the first time attaching filter and is by other thread(A) using TSYNC flag. In this case, thread B may read the filter first and mode later in CPU out-of-order exection. After this time, the thread B's mode is always be set, and there will no race condition with the filter/bitmap. In addtion, we should puts a write memory barrier between writing the filter and mode in smp_mb__before_atomic(), to avoid the race condition in TSYNC case. Signed-off-by: wanghongzhe --- kernel/seccomp.c | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 952dc1c90229..b944cb2b6b94 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -397,8 +397,20 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd, READ_ONCE(current->seccomp.filter); /* Ensure unexpected behavior doesn't result in failing open. */ - if (WARN_ON(f == NULL)) - return SECCOMP_RET_KILL_PROCESS; + if (WARN_ON(f == NULL)) { + /* + * Make sure the first filter addtion (from another + * thread using TSYNC flag) are seen. + */ + rmb(); + + /* Read again */ + f = READ_ONCE(current->seccomp.filter); + + /* Ensure unexpected behavior doesn't result in failing open. */ + if (WARN_ON(f == NULL)) + return SECCOMP_RET_KILL_PROCESS; + } if (seccomp_cache_check_allow(f, sd)) return SECCOMP_RET_ALLOW; @@ -614,9 +626,16 @@ static inline void seccomp_sync_threads(unsigned long flags) * equivalent (see ptrace_may_access), it is safe to * allow one thread to transition the other. */ - if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) { + /* + * Make sure mode cannot be set before the filter + * are set. + */ + smp_mb__before_atomic(); + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER, flags); + } } } @@ -1160,12 +1179,6 @@ static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd, int data; struct seccomp_data sd_local; - /* - * Make sure that any changes to mode from another thread have - * been seen after SYSCALL_WORK_SECCOMP was seen. - */ - rmb(); - if (!sd) { populate_seccomp_data(&sd_local); sd = &sd_local; -- 2.19.1