Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-27 Thread Kees Cook
On Tue, Sep 26, 2017 at 10:15 PM, Tycho Andersen wrote: > Hi, > > On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote: >> On 09/21, Kees Cook wrote: >> > Can you resend the two patches; I can send the backport to -stable >> > manually... >> >> Not sure I understand... Do you mean this

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-26 Thread Tycho Andersen
Hi, On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote: > On 09/21, Kees Cook wrote: > > Can you resend the two patches; I can send the backport to -stable > > manually... > > Not sure I understand... Do you mean this fix + untested "introduce > get_nth_filter()" ? Just want to

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-22 Thread Tycho Andersen
On Fri, Sep 22, 2017 at 05:22:29PM +0200, Oleg Nesterov wrote: > On 09/21, Kees Cook wrote: > > > > On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote: > > > On 09/20, Kees Cook wrote: > > >> > > >> Given how reference counting is done for filters, I'd be happier with > > >> leaving the

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-22 Thread Oleg Nesterov
On 09/21, Kees Cook wrote: > > On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote: > > On 09/20, Kees Cook wrote: > >> > >> Given how reference counting is done for filters, I'd be happier with > >> leaving the get_seccomp_filter() as-is, > > > > No, please note that filter !=

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-21 Thread Kees Cook
On Thu, Sep 21, 2017 at 3:57 AM, Oleg Nesterov wrote: > On 09/20, Kees Cook wrote: >> >> On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote: >> > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, >> > unsigned long filter_off, >> > if (!data) >> >

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-21 Thread Oleg Nesterov
On 09/20, Kees Cook wrote: > > I like doing these sanity checks -- this isn't fast-path at all. Yes, but see another "introduce get_nth_filter()" cleanup I sent, it is similar but more suitable for Tycho's "retrieving seccomp flags" patch. > > + for (filter = orig; count > 1; filter =

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-21 Thread Oleg Nesterov
On 09/20, Kees Cook wrote: > > On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote: > > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, > > unsigned long filter_off, > > if (!data) > > goto out; > > > > - get_seccomp_filter(task); > > +

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Kees Cook
On Wed, Sep 20, 2017 at 6:04 AM, Oleg Nesterov wrote: > On 09/20, Oleg Nesterov wrote: >> >> @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, >> unsigned long filter_off, >> if (!data) >> goto out; >> >> - get_seccomp_filter(task); >> +

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Kees Cook
On Wed, Sep 20, 2017 at 5:56 AM, Oleg Nesterov wrote: > As Chris explains, get_seccomp_filter() and put_seccomp_filter() can > use the different filters, once we drop ->siglock task->seccomp.filter > can be replaced by SECCOMP_FILTER_FLAG_TSYNC. > > Fixes: f8e529ed941b ("seccomp, ptrace: add

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Tycho Andersen
On Wed, Sep 20, 2017 at 03:04:43PM +0200, Oleg Nesterov wrote: > On 09/20, Oleg Nesterov wrote: > > > > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, > > unsigned long filter_off, > > if (!data) > > goto out; > > > > - get_seccomp_filter(task); > > +

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Tycho Andersen
On Wed, Sep 20, 2017 at 02:56:21PM +0200, Oleg Nesterov wrote: > As Chris explains, get_seccomp_filter() and put_seccomp_filter() can > use the different filters, once we drop ->siglock task->seccomp.filter > can be replaced by SECCOMP_FILTER_FLAG_TSYNC. > > Fixes: f8e529ed941b ("seccomp, ptrace:

Re: [PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Oleg Nesterov
On 09/20, Oleg Nesterov wrote: > > @@ -908,13 +912,13 @@ long seccomp_get_filter(struct task_struct *task, > unsigned long filter_off, > if (!data) > goto out; > > - get_seccomp_filter(task); > + refcount_inc(>usage); > spin_unlock_irq(>sighand->siglock); > >
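Review bot: At the refcount_inc() line just before spin_unlock_irq(), the matching release is not visible in this excerpt, so it is worth confirming that every exit path after the unlock puts the same filter pointer that was pinned here rather than re-reading task->seccomp.filter. The commit message says that field can be replaced by SECCOMP_FILTER_FLAG_TSYNC once ->siglock is dropped, so a put that goes through the task would drop a reference on a different filter than the one incremented. A one-line comment at the increment naming which pointer is pinned and where it is released would make the pairing easy to audit.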

[PATCH] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()

2017-09-20 Thread Oleg Nesterov
As Chris explains, get_seccomp_filter() and put_seccomp_filter() can use the different filters, once we drop ->siglock task->seccomp.filter can be replaced by SECCOMP_FILTER_FLAG_TSYNC. Fixes: f8e529ed941b ("seccomp, ptrace: add support for dumping seccomp filters") Reported-by: Chris Salls Cc: