Hi Will, On Thu, Mar 29, 2012 at 03:01:53PM -0500, Will Drewry wrote: snipped > + > +/* Limit any path through the tree to 256KB worth of instructions. */ > +#define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter)) > + > +static void seccomp_filter_log_failure(int syscall) > +{ > + int compat = 0; > +#ifdef CONFIG_COMPAT > + compat = is_compat_task(); > +#endif > + pr_info("%s[%d]: %ssystem call %d blocked at 0x%lx\n", > + current->comm, task_pid_nr(current), > + (compat ? "compat " : ""), > + syscall, KSTK_EIP(current)); > +} snipped > +/** > + * seccomp_attach_user_filter - attaches a user-supplied sock_fprog > + * @user_filter: pointer to the user data containing a sock_fprog. > + * > + * Returns 0 on success and non-zero otherwise. > + */ > +long seccomp_attach_user_filter(char __user *user_filter) > +{ > + struct sock_fprog fprog; > + long ret = -EFAULT; > + > +#ifdef CONFIG_COMPAT > + if (is_compat_task()) { > + struct compat_sock_fprog fprog32; > + if (copy_from_user(&fprog32, user_filter, sizeof(fprog32))) > + goto out; > + fprog.len = fprog32.len; > + fprog.filter = compat_ptr(fprog32.filter); > + } else /* falls through to the if below. */ > +#endif > + if (copy_from_user(&fprog, user_filter, sizeof(fprog))) > + goto out; > + ret = seccomp_attach_filter(&fprog); > +out: > + return ret; > +} Do we really need to surround is_compat_task() with CNFIG_COMPAT? It seems that this case has already handled in compat.h [1] [1] http://lxr.linux.no/#linux+v3.3/include/linux/compat.h#L566 Best wishes Vladimir Murzin -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html