Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4000209pxy; Mon, 26 Apr 2021 15:16:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJye5/BrXeMdV41Cz/mIz3zTanJSRIEVFR7VrrCtsB8QtaSjOqBhmaMLP4ypKqYO5Z6fZMd9 X-Received: by 2002:a17:906:3949:: with SMTP id g9mr20734232eje.7.1619475417184; Mon, 26 Apr 2021 15:16:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619475417; cv=none; d=google.com; s=arc-20160816; b=nY1Z4ZCm1VMWaMDabO7a/Qyle/1WTt5ibY0VRwsNHwqr7F9ygmL8Ok8wlleF/7gB0z eQiCLf8eYH9cA9A/2e4lbF2fnkhgLd0wfKQm06CWhcVKH/PVwAxRdPrp6Kg+NhKhbOPl 3RS5SIDsbrH7Z90Gt8bgiGjqV18JYAe2iAxWdc02UiK1QkfsuQacKPiKTUqKeJb9VAti CtMVarQ3nN9WZHQIVJxOJJteuVNSKuEWT68mFZzP/Wm5a9Z6qym7ufYoSPSmSJWXQxRi 5JcEgpXskydbK+8qWe9OwNcvuWAGNDBgULo1mzp5TvqBOjz7Kfi4t7qi2VufovMLJxLG RxRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=35JE14+U46LYE27Y6OGkQt/0x6BwuS4vBffRxgk3Bik=; b=ejmcqcq0EpNSm2448I5q5b7j20ITTjgaUkwGl0wri8x7M6bykiyzeXWon2hrGby8sQ OOxWK4O3FxDbDbWvg8HyYcEjm0Ia4Vzp1Tyhblm170pEAiH8ctd4jXdzEoRL74LqQ0Zp WL0OlSrabORuuoBKjKdTJsjjVg4x6CTLZza8h2fkoRuWtzq3vPm84mlmYCF8iykL6Jou 3hVigeT8DRJNxmVnLOKdUnfMvDGEJ3vIporFoj5PlFoPDEwBjxO+nIEd9SLVlhESCm18 DKcJN1vAQRBvNgnmyIbIk7gMOduJ+FHb05TRodtb5tq34SutihgJTK9H88Q35l537r7L m+QQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=Pwf6jVJ8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d22si14827228eje.277.2021.04.26.15.16.32; Mon, 26 Apr 2021 15:16:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sargun.me header.s=google header.b=Pwf6jVJ8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232647AbhDZWQN (ORCPT + 99 others); Mon, 26 Apr 2021 18:16:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232116AbhDZWQN (ORCPT ); Mon, 26 Apr 2021 18:16:13 -0400 Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2AA4AC061574 for ; Mon, 26 Apr 2021 15:15:31 -0700 (PDT) Received: by mail-il1-x132.google.com with SMTP id i22so5141632ila.11 for ; Mon, 26 Apr 2021 15:15:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=35JE14+U46LYE27Y6OGkQt/0x6BwuS4vBffRxgk3Bik=; b=Pwf6jVJ8R2S4o1XwZ2UFmoLLEj98OH9UhK967+HXKQPF5cEHyeAfVpuSotNh0jUoTq S6OR0N3aqSFQ5AbCkosdrTrR/iUQXM5NZfa2Tpdexe0PFKSWNDMal7ed6OLsV1nNxBeh 4HH/h/abhCmIuOOK9nqSSCw/rb7qD5p5V+KB0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=35JE14+U46LYE27Y6OGkQt/0x6BwuS4vBffRxgk3Bik=; b=daCNagTCwUh9+mUa4KxdbIZnXP3w8hZWmraRcBswyXnylSUlwztaeYC2xfEYBt/ew8 9AhdyJLo4xtPICB776GcYjxZ2QQGggVPNuYjn+polvk68JPqEsHUARVMCjRzbh189xmK p5F3mGNDYE7dHhPBFiehikPB8rDmFFi1/KRCnUm6xTZpo94FrbKmiuV/DHnFpTWqB06Y 8MPWO6BWQPIhBijZnVpUqeowe68uCwF5B8cqVT6sfkcJ8VkT+nkgcfOFIkwwIziTUA/m qyEBk9GWNFmA6eQwBXD9eScwBctYbPZSBTNCCY+6kSHqiZPlB8Qy9V+q8KjgPm4OFE0A rE5g== X-Gm-Message-State: AOAM532MrKZ63G12miBmo2HIWRG1NS1EGE9qK5smIN/636KDTAFW5XCy MelImq3DdcCuCPHiOwHi4LgDGw== X-Received: by 2002:a05:6e02:92c:: with SMTP id o12mr16072169ilt.256.1619475330555; Mon, 26 Apr 2021 15:15:30 -0700 (PDT) Received: from ircssh-2.c.rugged-nimbus-611.internal (80.60.198.104.bc.googleusercontent.com. [104.198.60.80]) by smtp.gmail.com with ESMTPSA id h17sm490657ilh.55.2021.04.26.15.15.30 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 26 Apr 2021 15:15:30 -0700 (PDT) Date: Mon, 26 Apr 2021 22:15:28 +0000 From: Sargun Dhillon To: Tycho Andersen Cc: Kees Cook , LKML , Linux Containers , Rodrigo Campos , Christian Brauner , Mauricio =?iso-8859-1?Q?V=E1squez?= Bernal , Giuseppe Scrivano , Andy Lutomirski , Will Drewry , Alban Crequy Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier Message-ID: <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> References: <20210426180610.2363-1-sargun@sargun.me> <20210426180610.2363-3-sargun@sargun.me> <20210426190229.GB1605795@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210426190229.GB1605795@cisco> User-Agent: Mutt/1.9.4 (2018-02-28) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 26, 2021 at 01:02:29PM -0600, Tycho Andersen wrote: > On Mon, Apr 26, 2021 at 11:06:07AM -0700, Sargun Dhillon wrote: > > @@ -1103,11 +1111,31 @@ static int seccomp_do_user_notification(int this_syscall, > > * This is where we wait for a reply from userspace. > > */ > > do { > > + interruptible = notification_interruptible(&n); > > + > > mutex_unlock(&match->notify_lock); > > - err = wait_for_completion_interruptible(&n.ready); > > + if (interruptible) > > + err = wait_for_completion_interruptible(&n.ready); > > + else > > + err = wait_for_completion_killable(&n.ready); > > mutex_lock(&match->notify_lock); > > - if (err != 0) > > + > > + if (err != 0) { > > + /* > > + * There is a race condition here where if the > > + * notification was received with the > > + * SECCOMP_USER_NOTIF_FLAG_WAIT_KILLABLE flag, but a > > + * non-fatal signal was received before we could > > + * transition we could erroneously end our wait early. > > + * > > + * The next wait for completion will ensure the signal > > + * was not fatal. > > + */ > > + if (interruptible && !notification_interruptible(&n)) > > + continue; > > I'm trying to understand how one would hit this race, > I'm thinking: P: Process that "generates" notification S: Supervisor U: User P: Generated notification S: ioctl(RECV...) // With wait_killable flag. ...complete is called in the supervisor, but the P may not be woken up... U: kill -SIGTERM $P ...signal gets delivered to p and causes wakeup and wait_for_completion_interruptible returns 1... Then you need to check the race > > @@ -1457,6 +1487,12 @@ static long seccomp_notify_recv(struct seccomp_filter *filter, > > unotif.pid = task_pid_vnr(knotif->task); > > unotif.data = *(knotif->data); > > > > + if (unotif.flags & SECCOMP_USER_NOTIF_FLAG_WAIT_KILLABLE) { > > + knotif->wait_killable = true; > > + complete(&knotif->ready); > > + } > > + > > + > > knotif->state = SECCOMP_NOTIFY_SENT; > > wake_up_poll(&filter->wqh, EPOLLOUT | EPOLLWRNORM); > > ret = 0; > > Seems like the idea is that if someone does a ioctl(RECV, ...) twice > they'll hit it? But doesn't the test for NOTIFY_INIT and return > -ENOENT above this hunk prevent that? > > Thanks, > > Tycho