Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp7245921ybf; Fri, 6 Mar 2020 13:22:25 -0800 (PST) X-Google-Smtp-Source: ADFU+vvWJCbHx1cUkgdMhbFRU8vjzhVNjLbpg3v+28+TdbkzI6jBDDzmH3rGtdnIrqwieWmtNwjy X-Received: by 2002:a9d:30c1:: with SMTP id r1mr4206612otg.275.1583529745749; Fri, 06 Mar 2020 13:22:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583529745; cv=none; d=google.com; s=arc-20160816; b=hAlTLql9lnN4Kxah5bUrOM30UuWilhZk+Kphg/t6JjiWO4fGczQT1qSdWjb9jY2NyQ HWEL+Qj2LyhCICWRPGaR3DsrS1rJkYT42TFSEBza6H6JQjP5m+CP8TAaVbs3vV1aeHv8 HJ9dj0MMwgZvX4G4aPkuKDVUnYttMzrttajXCSCdzv/pwn0rNRolg+Iyy7InlnEH9J52 E7F357+365Or6xObpVZD+4YuUEK32a976ifeJQFu4UvRrJAbvVFZaQpxjNsQHqXDr0G2 BZ6771e/x4NlAgm/8G6Gy7qhfGlu9ih+UFxRSjYvK6B69JYFdhf+IBjNAFE4KRZ4WkXb Jtjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=h3sj4TUZArG/ZHRGR3KF3peWPmhJg8fD/Q7YKG0OCwM=; b=mcwy3WqbXssM02nSDTejhRira7uW1Q8AyfmWgPDJ1Auir3fIDByyNBr7+M23JgT1Tm ajR26w7Ch/f2tgXIapPesTy+gLXue5Hyy1NgsgUGZ3cLuDMZ7nN96Am0nBmao5Bx1Hl4 nRvzWY15l13UBvz2i4ff9nfP7z3bDs7p5tVNa4Ivg8a0I/+NkEgvcM3Ya2emoDjtAG+3 hkDBA34jKxXnqjStnKa3wHvdB+T90TghiybjjQPHn+YO1EaL/eZKWF79KaMhRwQjw4oM Y4v7SfTkdKjc5lFcDdYpkz2qNnpdQ5JnPsKVPtKgLYh3bUIl2xnyKX0SNbh/QsEDdvWz 96Zw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j12si343086oie.187.2020.03.06.13.22.13; Fri, 06 Mar 2020 13:22:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726674AbgCFVVE (ORCPT + 99 others); Fri, 6 Mar 2020 16:21:04 -0500 Received: from out01.mta.xmission.com ([166.70.13.231]:51586 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726194AbgCFVVD (ORCPT ); Fri, 6 Mar 2020 16:21:03 -0500 Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jAKOf-0001bO-Qo; Fri, 06 Mar 2020 14:20:41 -0700 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1jAKOe-0007Ua-SE; Fri, 06 Mar 2020 14:20:41 -0700 From: ebiederm@xmission.com (Eric W. Biederman) To: Bernd Edlinger Cc: Christian Brauner , Kees Cook , Jann Horn , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra \(Intel\)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc\@vger.kernel.org" , "linux-kernel\@vger.kernel.org" , "linux-fsdevel\@vger.kernel.org" , "linux-mm\@kvack.org" , "stable\@vger.kernel.org" , "linux-api\@vger.kernel.org" References: <202003021531.C77EF10@keescook> <20200303085802.eqn6jbhwxtmz4j2x@wittgenstein> <87v9nlii0b.fsf@x220.int.ebiederm.org> <87a74xi4kz.fsf@x220.int.ebiederm.org> <87r1y8dqqz.fsf@x220.int.ebiederm.org> <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87imjicxjw.fsf_-_@x220.int.ebiederm.org> <87k13yawpp.fsf@x220.int.ebiederm.org> Date: Fri, 06 Mar 2020 15:18:20 -0600 In-Reply-To: (Bernd Edlinger's message of "Fri, 6 Mar 2020 11:46:01 +0000") Message-ID: <877dzx9o83.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1jAKOe-0007Ua-SE;;;mid=<877dzx9o83.fsf@x220.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/H7zIdc5Xdrawq/Ho8JIA/FNvc5wTe1Zg= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa07.xmission.com X-Spam-Level: *** X-Spam-Status: No, score=3.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,LotsOfNums_01,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01, XMNoVowels,XMSubLong autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4999] * 0.7 XMSubLong Long Subject * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 1.2 LotsOfNums_01 BODY: Lots of long strings of numbers * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ***;Bernd Edlinger X-Spam-Relay-Country: X-Spam-Timing: total 496 ms - load_scoreonly_sql: 0.09 (0.0%), signal_user_changed: 8 (1.7%), b_tie_ro: 7 (1.5%), parse: 1.84 (0.4%), extract_message_metadata: 25 (5.0%), get_uri_detail_list: 4.8 (1.0%), tests_pri_-1000: 28 (5.7%), tests_pri_-950: 1.30 (0.3%), tests_pri_-900: 1.12 (0.2%), tests_pri_-90: 53 (10.6%), check_bayes: 51 (10.3%), b_tokenize: 14 (2.9%), b_tok_get_all: 19 (3.8%), b_comp_prob: 3.2 (0.6%), b_tok_touch_all: 9 (1.9%), b_finish: 0.64 (0.1%), tests_pri_0: 355 (71.7%), check_dkim_signature: 0.67 (0.1%), check_dkim_adsp: 2.4 (0.5%), poll_dns_idle: 0.81 (0.2%), tests_pri_10: 2.3 (0.5%), tests_pri_500: 15 (2.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 2/2] exec: Add a exec_update_mutex to replace cred_guard_mutex X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Bernd Edlinger writes: > Am 06.03.20 um 06:17 schrieb Eric W. Biederman: >> Bernd Edlinger writes: >> >>> On 3/5/20 10:16 PM, Eric W. Biederman wrote: >>>> >>>> The cred_guard_mutex is problematic. The cred_guard_mutex is held >>>> over the userspace accesses as the arguments from userspace are read. >>>> The cred_guard_mutex is held of PTRACE_EVENT_EXIT as the the other >>>> threads are killed. The cred_guard_mutex is held over >>>> "put_user(0, tsk->clear_child_tid)" in exit_mm(). >>>> >>>> Any of those can result in deadlock, as the cred_guard_mutex is held >>>> over a possible indefinite userspace waits for userspace. >>>> >>>> Add exec_update_mutex that is only held over exec updating process >>>> with the new contents of exec, so that code that needs not to be >>>> confused by exec changing the mm and the cred in ways that can not >>>> happen during ordinary execution of a process can take. >>>> >>>> The plan is to switch the users of cred_guard_mutex to >>>> exed_udpate_mutex one by one. This lets us move forward while still >>>> being careful and not introducing any regressions. >>>> >>>> Link: https://lore.kernel.org/lkml/20160921152946.GA24210@dhcp22.suse.cz/ >>>> Link: https://lore.kernel.org/lkml/AM6PR03MB5170B06F3A2B75EFB98D071AE4E60@AM6PR03MB5170.eurprd03.prod.outlook.com/ >>>> Link: https://lore.kernel.org/linux-fsdevel/20161102181806.GB1112@redhat.com/ >>>> Link: https://lore.kernel.org/lkml/20160923095031.GA14923@redhat.com/ >>>> Link: https://lore.kernel.org/lkml/20170213141452.GA30203@redhat.com/ >>>> Ref: 45c1a159b85b ("Add PTRACE_O_TRACEVFORKDONE and PTRACE_O_TRACEEXIT facilities.") >>>> Ref: 456f17cd1a28 ("[PATCH] user-vm-unlock-2.5.31-A2") >>>> Signed-off-by: "Eric W. Biederman" >>>> --- >>>> fs/exec.c | 4 ++++ >>>> include/linux/sched/signal.h | 9 ++++++++- >>>> kernel/fork.c | 1 + >>>> 3 files changed, 13 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/fs/exec.c b/fs/exec.c >>>> index c243f9660d46..ad7b518f906d 100644 >>>> --- a/fs/exec.c >>>> +++ b/fs/exec.c >>>> @@ -1182,6 +1182,7 @@ static int de_thread(struct linux_binprm *bprm, struct task_struct *tsk) >>>> release_task(leader); >>>> } >>>> >>>> + mutex_lock(¤t->signal->exec_update_mutex); > > And by the way, could you make this mutex_lock_killable? For some reason when I first read this suggestion I thought making this mutex_lock_killable would cause me to rework the logic of when I set unrecoverable and when I unlock the mutex. I blame a tired brain. If a process has received a fatal signal none of that matters. So yes I will do that just to make things robust in case we miss something that would still make it possible to deadlock in with the new mutex. I am a little worried that the new mutex might still cover a little too much. But past a certain point I we are not being able to make this code perfect in the first change. The best we can do is to be careful and avoid regressions. Whatever slips through we can fix when we spot the problem. Eric