From: Alexander Mikhalitsyn
To: kees@kernel.org
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Andy Lutomirski, Will Drewry, Jonathan Corbet, Shuah Khan, Aleksa Sarai, Tycho Andersen, Andrei Vagin, Christian Brauner, Stéphane Graber, Alexander Mikhalitsyn
Subject: [PATCH v2 3/6] seccomp: limit number of listeners in seccomp tree
Date: Tue, 2 Dec 2025 12:51:55 +0100
Message-ID: <20251202115200.110646-4-aleksandr.mikhalitsyn@canonical.com>
In-Reply-To: <20251202115200.110646-1-aleksandr.mikhalitsyn@canonical.com>
References: <20251202115200.110646-1-aleksandr.mikhalitsyn@canonical.com>

We need to limit the number of listeners in the seccomp tree to
MAX_LISTENERS_PER_PATH, because we don't want to use dynamic memory
allocations in the very hot __seccomp_filter() function and we use a
preallocated static array on the stack.

Also, let's return ELOOP to userspace if it attempts to install more
than MAX_LISTENERS_PER_PATH listeners, instead of ENOMEM as we do when
userspace hits the limit of cBPF instructions. This will make the uAPI
a bit more convenient.

Notice that the has_duplicate_listener() check is still in place, so
this change is preparatory.

Cc: linux-kernel@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Jonathan Corbet
Cc: Shuah Khan
Cc: Aleksa Sarai
Cc: Tycho Andersen
Cc: Andrei Vagin
Cc: Christian Brauner
Cc: Stéphane Graber
Signed-off-by: Alexander Mikhalitsyn
---
 kernel/seccomp.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c index c9a1062a53bd..ded3f6a6430b 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
@@ -931,17 +931,25 @@ static long seccomp_attach_filter(unsigned int flags, struct seccomp_filter *filter) { unsigned long total_insns; + unsigned char total_listeners; struct seccomp_filter *walker; =20 assert_spin_locked(¤t->sighand->siglock); =20 - /* Validate resulting filter length. */ + /* Validate resulting filter length and number of nested listeners. */ total_insns =3D filter->prog->len; - for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev) + total_listeners =3D filter->notif ? 1 : 0; + for (walker =3D current->seccomp.filter; walker; walker =3D walker->prev)= { total_insns +=3D walker->prog->len + 4; /* 4 instr penalty */ + total_listeners +=3D walker->notif ? 1 : 0; + } + if (total_insns > MAX_INSNS_PER_PATH) return -ENOMEM; =20 + if (total_listeners > MAX_LISTENERS_PER_PATH) + return -ELOOP; + /* If thread sync has been requested, check that it is possible. */ if (flags & SECCOMP_FILTER_FLAG_TSYNC) { int ret; --=20 2.43.0
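
Review bot: total_listeners is declared as unsigned char at the top of seccomp_attach_filter(), yet it is incremented once per walker and only compared against MAX_LISTENERS_PER_PATH after the loop has finished. The definition of MAX_LISTENERS_PER_PATH is not visible in this hunk, so the counter is safe from wrapping only as long as that limit stays below 255 and every attach goes through this check. Declaring it as unsigned int, as total_insns is a full-width type, or adding a BUILD_BUG_ON that ties the limit to the counter's type, would make the bound explicit. Separately, the new -ELOOP return is a userspace-visible error code distinct from the existing -ENOMEM, and the hunk adds no documentation for it; a note in the seccomp user notification documentation would help callers tell the two limits apart.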