Re: RCU issue with SELinux (Re: SELINUX performance issues)

From: Kaigai Kohei
Date: Wed Aug 25 2004 - 04:54:30 EST


Hi Stephen, thanks for your comment.

> > You are right. Indeed, the lock for hash bucket is also necessary
> > when avc_insert() is called. I fixed them.
>
> avc_has_perm* can be called from interrupt or bh, e.g. send_sigio or
> sock_rcv_skb. So using just spin_lock/spin_unlock rather than
> spin_lock_irqsave/restore is unsafe, right?

Indeed, spin_lock/spin_unlock should be replaced by spin_lock_irqsave/restore.
I fixed it.

The attached take3-patch is modified as follows:
- avc_node_dual was eliminated by Paul E. McKenney's suggestion.
  avc_update_node() calls kmalloc() and may return -ENOMEM.
  (But, I think this effect is so limited.)
- All list_for_each_entry() were replaced by list_for_each_entry_rcu().
- All spin_lock()/spin_unlock() were replaced by
  spin_lock_irqsave()/spin_unlock_restore().
- In avc_node_insert(), if an entry with the same ssid/tsid/tclass as the new
  one exists, the older entry is replaced by the new one.

Thanks. I want to make it the last edition hopefully. :)

--------
Kai Gai <kaigai@xxxxxxxxxxxxx>

Attachment: list_replace_rcu-2.6.8.1.patch
Description: Binary data

Attachment: selinux.rcu-2.6.8.1-take3.patch
Description: Binary data
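
The update scheme summarized in the message above (allocate a new node, swap it in for any entry with the same ssid/tsid/tclass while holding the bucket lock, let readers walk the list without locking), as an added userspace C11 model that is not code from the attached patches. All names are hypothetical; an atomic_flag stands in for the spin_lock_irqsave()-protected bucket lock and a retired list stands in for deferring the free until readers have finished.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, none is from the patch. */
struct node {
    uint32_t ssid, tsid, allowed;
    uint16_t tclass;
    struct node *_Atomic next;   /* followed by lock-free readers */
    struct node *retire_next;    /* writer-only: deferred-free queue */
};
static struct node *_Atomic bucket;                 /* one hash bucket */
static struct node *retired;                        /* stands in for call_rcu() */
static atomic_flag bucket_lock = ATOMIC_FLAG_INIT;  /* stands in for the irqsave lock */

static int same_key(const struct node *n, uint32_t s, uint32_t t, uint16_t c)
{
    return n->ssid == s && n->tsid == t && n->tclass == c;
}

/* Reader: takes no lock; acquire loads play the role of rcu_dereference(). */
static int lookup(uint32_t s, uint32_t t, uint16_t c, uint32_t *allowed)
{
    struct node *n = atomic_load_explicit(&bucket, memory_order_acquire);
    for (; n; n = atomic_load_explicit(&n->next, memory_order_acquire))
        if (same_key(n, s, t, c)) { *allowed = n->allowed; return 0; }
    return -ENOENT;
}

/* Writer: build the node first, then publish it with one release store. */
static int insert(uint32_t s, uint32_t t, uint16_t c, uint32_t allowed)
{
    struct node *fresh = malloc(sizeof(*fresh)), *old;
    struct node *_Atomic *pp = &bucket;
    if (!fresh) return -ENOMEM;  /* allocation can fail, as the message notes */
    fresh->ssid = s; fresh->tsid = t; fresh->tclass = c; fresh->allowed = allowed;
    while (atomic_flag_test_and_set_explicit(&bucket_lock, memory_order_acquire))
        ;                        /* spin until the bucket lock is ours */
    while ((old = atomic_load_explicit(pp, memory_order_relaxed)) && !same_key(old, s, t, c))
        pp = &old->next;
    /* Same key found: take over its successor and its slot. Otherwise link at the head. */
    struct node *next = atomic_load_explicit(old ? &old->next : &bucket, memory_order_relaxed);
    atomic_init(&fresh->next, next);
    atomic_store_explicit(old ? pp : &bucket, fresh, memory_order_release);
    if (old) { old->retire_next = retired; retired = old; }  /* old->next stays valid for readers */
    atomic_flag_clear_explicit(&bucket_lock, memory_order_release);
    return 0;
}
```

The replaced node keeps its next pointer, so a reader that was already standing on it can finish its walk; it is only queued for freeing, never modified.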