Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 5:32 PM, Kees Cook wrote: > On Wed, Jun 11, 2014 at 3:28 PM, Andy Lutomirski wrote: >> On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin wrote: >>> On 06/11/2014 03:22 PM, Andy Lutomirski wrote: On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin wrote: > On

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 5:32 PM, Kees Cook keesc...@chromium.org wrote: On Wed, Jun 11, 2014 at 3:28 PM, Andy Lutomirski l...@amacapital.net wrote: On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 03:22 PM, Andy Lutomirski wrote: On Wed, Jun 11, 2014 at 3:18

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:28 PM, Andy Lutomirski wrote: > On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin wrote: >> On 06/11/2014 03:22 PM, Andy Lutomirski wrote: >>> On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin wrote: On 06/11/2014 02:56 PM, Andy Lutomirski wrote: > > 13ns is

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin wrote: > On 06/11/2014 03:22 PM, Andy Lutomirski wrote: >> On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin wrote: >>> On 06/11/2014 02:56 PM, Andy Lutomirski wrote: 13ns is with the simplest nonempty filter. I hope that empty filters

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On 06/11/2014 03:22 PM, Andy Lutomirski wrote: > On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin wrote: >> On 06/11/2014 02:56 PM, Andy Lutomirski wrote: >>> >>> 13ns is with the simplest nonempty filter. I hope that empty filters >>> don't work. >>> >> >> Why wouldn't they? > > Is it

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin wrote: > On 06/11/2014 02:56 PM, Andy Lutomirski wrote: >> >> 13ns is with the simplest nonempty filter. I hope that empty filters >> don't work. >> > > Why wouldn't they? Is it permissible to fall off the end of a BPF program? I'm getting EINVAL

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On 06/11/2014 02:56 PM, Andy Lutomirski wrote: > > 13ns is with the simplest nonempty filter. I hope that empty filters > don't work. > Why wouldn't they? -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 2:29 PM, Alexei Starovoitov wrote: > On Wed, Jun 11, 2014 at 1:23 PM, Andy Lutomirski wrote: >> On my VM, getpid takes about 70ns. Before this patch, adding a >> single-instruction always-accept seccomp filter added about 134ns of >> overhead to getpid. With this patch,

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 1:23 PM, Andy Lutomirski wrote: > On my VM, getpid takes about 70ns. Before this patch, adding a > single-instruction always-accept seccomp filter added about 134ns of > overhead to getpid. With this patch, the overhead is down to about > 13ns. interesting. Is this the

[RFC 5/5] x86,seccomp: Add a seccomp fastpath

On my VM, getpid takes about 70ns. Before this patch, adding a single-instruction always-accept seccomp filter added about 134ns of overhead to getpid. With this patch, the overhead is down to about 13ns. I'm not really thrilled by this patch. It has two main issues: 1. Calling into code in

[RFC 5/5] x86,seccomp: Add a seccomp fastpath

On my VM, getpid takes about 70ns. Before this patch, adding a single-instruction always-accept seccomp filter added about 134ns of overhead to getpid. With this patch, the overhead is down to about 13ns. I'm not really thrilled by this patch. It has two main issues: 1. Calling into code in

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 1:23 PM, Andy Lutomirski l...@amacapital.net wrote: On my VM, getpid takes about 70ns. Before this patch, adding a single-instruction always-accept seccomp filter added about 134ns of overhead to getpid. With this patch, the overhead is down to about 13ns.

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 2:29 PM, Alexei Starovoitov alexei.starovoi...@gmail.com wrote: On Wed, Jun 11, 2014 at 1:23 PM, Andy Lutomirski l...@amacapital.net wrote: On my VM, getpid takes about 70ns. Before this patch, adding a single-instruction always-accept seccomp filter added about 134ns

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On 06/11/2014 02:56 PM, Andy Lutomirski wrote: 13ns is with the simplest nonempty filter. I hope that empty filters don't work. Why wouldn't they? -hpa -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 02:56 PM, Andy Lutomirski wrote: 13ns is with the simplest nonempty filter. I hope that empty filters don't work. Why wouldn't they? Is it permissible to fall off the end of a BPF program? I'm getting

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On 06/11/2014 03:22 PM, Andy Lutomirski wrote: On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 02:56 PM, Andy Lutomirski wrote: 13ns is with the simplest nonempty filter. I hope that empty filters don't work. Why wouldn't they? Is it permissible to

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 03:22 PM, Andy Lutomirski wrote: On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 02:56 PM, Andy Lutomirski wrote: 13ns is with the simplest nonempty filter. I hope that

Re: [RFC 5/5] x86,seccomp: Add a seccomp fastpath

On Wed, Jun 11, 2014 at 3:28 PM, Andy Lutomirski l...@amacapital.net wrote: On Wed, Jun 11, 2014 at 3:27 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 03:22 PM, Andy Lutomirski wrote: On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin h...@zytor.com wrote: On 06/11/2014 02:56 PM, Andy