Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4514167pxy; Tue, 27 Apr 2021 06:53:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx43xXdhS9Sf3wt7LawyptrZI4lF1nc/wzXYk23LQJB/DCHwazPRuRqyZIhjAqBNWkfTDgJ X-Received: by 2002:a05:6402:5248:: with SMTP id t8mr4542386edd.42.1619531615246; Tue, 27 Apr 2021 06:53:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619531615; cv=none; d=google.com; s=arc-20160816; b=zw8zEUfnhCPa1fsT6XZ0HZrvsTIjwaJ48SWmuC/yPpPVrPPcEgpAHJ1Ew8QCeOEoy7 CyDpWR4eaVPz2qKaMOJgJ+Aho085juvNOSCNhqPswoeYsdi9Hq9WzVYvTcb64P1UJ4xn +ciYS8rI0WvvwgIDBVbBHAnMBBHtFOJRv2xJw7a/9IGNGPrVU0L+AD7XWvZKI8FSgL+l rudDgsZVvmVVw5Q0UcU6gBHVnRWL/FTA1xq67JJWqGFlBsZexQWGy7HldJS6CEQDxbPT KyJmqqV52jb/g6uYWWIamG+auxYvlwCH/E0J2Y5e3m4Zk+lY/lmtTqX04N9PnmBBbaA7 oULw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=b5wS/V0vTP6vNmB11i0KyHFvJObCf57C/oZYcJ4cqJY=; b=yP1219/umDsT+mJ9+ullB0LCGmn5dg8cJiFDq3atbTnhjIOkKmcSSrMpwjqeoSbDhh fAEZ9YHDB+UiKVnt4C9McYunaZHjOJ5P4owlxEJTuzO+Y2FphpUBbnq7DpS9U1jxzMvY kMxZ7bU2ASZQ0R1iCkrfoFwnyfvTJJmkQblPq+/y6Vgm0q1+cFkCuL+mfd5HlzcfmWkj mR7uoD/GGIEAQuAQk204mv7DHPxfCjUzv9QYKLnKWNskx/NRi4ht/aeOdqZOrzW32PuJ dGMUXbFtjI4roxGlDRj6LRw+bEtPOVK4uhR+B1/WbKCR9lwKA0VQHL8tfiVui1FdMHtf HzrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm3 header.b=6uwTs8Qi; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=IPF6WClQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cw10si2417341edb.406.2021.04.27.06.53.11; Tue, 27 Apr 2021 06:53:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm3 header.b=6uwTs8Qi; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=IPF6WClQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235652AbhD0NuV (ORCPT + 99 others); Tue, 27 Apr 2021 09:50:21 -0400 Received: from wnew3-smtp.messagingengine.com ([64.147.123.17]:42677 "EHLO wnew3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236347AbhD0Ntx (ORCPT ); Tue, 27 Apr 2021 09:49:53 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailnew.west.internal (Postfix) with ESMTP id 60E3DFB2; Tue, 27 Apr 2021 09:48:56 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Tue, 27 Apr 2021 09:48:57 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho.pizza; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm3; bh=b5wS/V0vTP6vNmB11i0KyHFvJOb Cf57C/oZYcJ4cqJY=; b=6uwTs8Qi5kJXxXKXrFMn5xsdAhX/28iA7BjY1nWjh3X N7QyolRzmcnM+72P/VJrYNyhtcitbMd6vWVf2sImQytOpPFTDZMAEJux9luWrVUW KoY0evfCjktmUonK4MD14B/xU28NNHzdRd3oNm6ztZzxU/locgTuvHLo10/luUCe epi1B54FOsg6OY8SMNZ3w8kvvqMShvcJ1eZ2j2Cvvj059s9o97a2cD+raXl+qB9K Paya/cx2XL4Ne1O25FjqX3x+nMlFiz2kAiTcGDaBePd9pG8g66APxDTsXvcygl1b OkEZuHtQPbcls74/A/Qk2cwyYwcFMrMplyuUpWyOghg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=b5wS/V 0vTP6vNmB11i0KyHFvJObCf57C/oZYcJ4cqJY=; b=IPF6WClQh8pi/fB3lqyG6O pf3x0MZLcYoRl5jA2IZ634Nq5s3nowBpbxHCG5tUCm1Xbx9c355FLViHPR1UWffQ wS0wA+I//PuZSPdiFF3bhpUBhGd2w3VU2RKYR03QFIyu4kX4spZMc6uCXH+SUVgQ RXus1g3eGipu+jnfweW3fwAdbfjD4xIOp9urMfejIegRllirUUlq9anpnM/plSnR NV27SOrjpGqAg996hl8bhWKFPi4Ohs+ojEiVcDz5D3D4Ai4I62ijHhK0/qsusnv8 S9Y9E6JbAZShDHctPbmbz9e7w1dWnoLN4IyoqxgyGscxPdeh6vssuL42fcSs8gKQ == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddvtddgjedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefvhigthhho ucetnhguvghrshgvnhcuoehthigthhhosehthigthhhordhpihiiiigrqeenucggtffrrg htthgvrhhnpeegkeefjeegkedtjefgfeduleekueetjeeghffhuefgffefleehgeeifedv gfethfenucfkphepudejfedrfeekrdduudejrdejjeenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehthigthhhosehthigthhhordhpihiiiigr X-ME-Proxy: Received: from cisco (unknown [173.38.117.77]) by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 27 Apr 2021 09:48:54 -0400 (EDT) Date: Tue, 27 Apr 2021 07:48:53 -0600 From: Tycho Andersen To: Sargun Dhillon Cc: Kees Cook , LKML , Linux Containers , Rodrigo Campos , Christian Brauner , Mauricio =?iso-8859-1?Q?V=E1squez?= Bernal , Giuseppe Scrivano , Andy Lutomirski , Will Drewry , Alban Crequy Subject: Re: [PATCH RESEND 2/5] seccomp: Add wait_killable semantic to seccomp user notifier Message-ID: <20210427134853.GA1746081@cisco> References: <20210426180610.2363-1-sargun@sargun.me> <20210426180610.2363-3-sargun@sargun.me> <20210426190229.GB1605795@cisco> <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210426221527.GA30835@ircssh-2.c.rugged-nimbus-611.internal> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 26, 2021 at 10:15:28PM +0000, Sargun Dhillon wrote: > On Mon, Apr 26, 2021 at 01:02:29PM -0600, Tycho Andersen wrote: > > On Mon, Apr 26, 2021 at 11:06:07AM -0700, Sargun Dhillon wrote: > > > @@ -1103,11 +1111,31 @@ static int seccomp_do_user_notification(int this_syscall, > > > * This is where we wait for a reply from userspace. > > > */ > > > do { > > > + interruptible = notification_interruptible(&n); > > > + > > > mutex_unlock(&match->notify_lock); > > > - err = wait_for_completion_interruptible(&n.ready); > > > + if (interruptible) > > > + err = wait_for_completion_interruptible(&n.ready); > > > + else > > > + err = wait_for_completion_killable(&n.ready); > > > mutex_lock(&match->notify_lock); > > > - if (err != 0) > > > + > > > + if (err != 0) { > > > + /* > > > + * There is a race condition here where if the > > > + * notification was received with the > > > + * SECCOMP_USER_NOTIF_FLAG_WAIT_KILLABLE flag, but a > > > + * non-fatal signal was received before we could > > > + * transition we could erroneously end our wait early. > > > + * > > > + * The next wait for completion will ensure the signal > > > + * was not fatal. > > > + */ > > > + if (interruptible && !notification_interruptible(&n)) > > > + continue; > > > > I'm trying to understand how one would hit this race, > > > > I'm thinking: > P: Process that "generates" notification > S: Supervisor > U: User > > P: Generated notification > S: ioctl(RECV...) // With wait_killable flag. > ...complete is called in the supervisor, but the P may not be woken up... > U: kill -SIGTERM $P > ...signal gets delivered to p and causes wakeup and > wait_for_completion_interruptible returns 1... > > Then you need to check the race I see, thanks. This seems like a consequence of having the flag be per-RECV-call vs. per-filter. Seems like it might be simpler to have it be per-filter? Tycho