Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp853600ybh;
        Wed, 11 Mar 2020 12:09:10 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuhKIs/YhczHLoadGtNQxdvjdbZku/6S2NEwGKUDoXbZeVRe1StFUrZTbauz1wyocIUCmgQ
X-Received: by 2002:a9d:7359:: with SMTP id l25mr3568197otk.18.1583953750318;
        Wed, 11 Mar 2020 12:09:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583953750; cv=none;
        d=google.com; s=arc-20160816;
        b=j6BgIx1/PYOyDcJ5YaowquijnZqzw8zn/uDvwIjQyJYlBExubdgwFt2jhCSSSEVNh9
         /o7V5QQ/yOlQ2uLxvH7PKSTpF6vw9UbyBbfn3h4/NkXfNBqtYBxK/bbSs7CzXRETI/JJ
         pYygx4O29+pcoKmInHtZGyjkoY4/Jl1zNMpnxrLSBOHX70P01j94VWnH1gMx15uNldT/
         LksrZ4TUSs0yrLpAmxvVUD78H+n8a5wxn9Xmed+k9hDCg1sNonlaO6ooOhBv5Ea6Dkcl
         8mdMD9S1MpOhI3zPdzsTolKxJ7vwRlC6/NI5YktMRXv9z163mhmyRex+vdw8Aryfot53
         kxVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=;
        b=fBerEM5W+A00fALwj2Dtc1O/a04C/EbFgOhArFeDtv/fPO57tnzGKpHC7HZCPuhqyb
         QuGT+uY0LyXH0JbPWo6yhK112/SiicHFBxaZsXYBsi4YafKHCvCLYPztuPTsvjwQcqoS
         DCm/AwQp/Cl0vQHQ7AWzIq8c6HW4XqHEW2LicMkmKDmhTvtCVw4IglQeffebzShqRqlY
         9UwKilE4piorUa0303j6P9CagMD4wlJloIVRx3rCTu9/Fe5p6eTXl1Ok6BIMeVyMYt1N
         O5RL9qWxoERkFxANDMNQ683aH5IDtuNmbztSc1O2GJNyLad2ciq3qrD+53Gg2pCflyrj
         W9pQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=ezUxUUOX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s8si1451129oij.275.2020.03.11.12.08.34;
        Wed, 11 Mar 2020 12:09:10 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=ezUxUUOX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730925AbgCKTIM (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Wed, 11 Mar 2020 15:08:12 -0400
Received: from mail-pl1-f193.google.com ([209.85.214.193]:39730 "EHLO
        mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730926AbgCKTIM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Mar 2020 15:08:12 -0400
Received: by mail-pl1-f193.google.com with SMTP id j20so1525506pll.6
        for <linux-kernel@vger.kernel.org>; Wed, 11 Mar 2020 12:08:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=;
        b=ezUxUUOXDCiz09sL7ns9GljqAjBmqhyjSwvJorFlESxa+y3+f/0qlxnha+BOKyFFyf
         ERAU18z6eUiNgcbSjL1jsVciaLtO3QRYSLsFs8TwKJvof5riGga9gNTN9V0/psEVhU2x
         V/bi7iIGw3G5TZdWYOJ4NUQjucYxGZhfQRnwo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=;
        b=hj0C+/96IMMX3ke+RiYrpQ/6gNzaQT0XB0iU9bHoU+1JqVLzP8wNB/25YeV31c9/lZ
         t1pfO7hL+ATzSfQcYEyDRYuOh/u/EZrNi6I+RiClx5tQBgibfeTTVzd7AzIDObdMNS4W
         gevul1PSieN+D2SVBZg3hIm9NXW/GGRy14oP3rxePh4EbP215W2d+qoGRLcZWO/ENZHN
         OwxgrxtlEuJreM1kKWXl14V5n7k9cdZleifFpM1QMjRptWOJU1WZcfrXYJgfHRV554eA
         VHO3AA7ntR6HLEpI/bVjz6p+jnPhItGUNJkVV7AqO7EYpAAythYnncHcz1X92S4yU4S8
         DULA==
X-Gm-Message-State: ANhLgQ2JtEMb8J8hA6PtYY7Tt86xubfq1XKxX4bV3unkwmssyO37IYUy
        kLiwvedQjF36mfKnKnXGRBo+Dg==
X-Received: by 2002:a17:90a:da01:: with SMTP id e1mr225598pjv.100.1583953691168;
        Wed, 11 Mar 2020 12:08:11 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id y207sm1468232pfb.189.2020.03.11.12.08.09
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Mar 2020 12:08:09 -0700 (PDT)
Date:   Wed, 11 Mar 2020 12:08:08 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Bernd Edlinger <bernd.edlinger@hotmail.de>
Cc:     "Eric W. Biederman" <ebiederm@xmission.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Oleg Nesterov <oleg@redhat.com>,
        Frederic Weisbecker <frederic@kernel.org>,
        Andrei Vagin <avagin@gmail.com>,
        Ingo Molnar <mingo@kernel.org>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>,
        Yuyang Du <duyuyang@gmail.com>,
        David Hildenbrand <david@redhat.com>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Anshuman Khandual <anshuman.khandual@arm.com>,
        David Howells <dhowells@redhat.com>,
        James Morris <jamorris@linux.microsoft.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Shakeel Butt <shakeelb@google.com>,
        Jason Gunthorpe <jgg@ziepe.ca>,
        Christian Kellner <christian@kellner.me>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Aleksa Sarai <cyphar@cyphar.com>,
        "Dmitry V. Levin" <ldv@altlinux.org>,
        "linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "linux-api@vger.kernel.org" <linux-api@vger.kernel.org>
Subject: Re: [PATCH 3/4] proc: io_accounting: Use new infrastructure to fix
 deadlocks in execve
Message-ID: <202003111203.738487D@keescook>
References: <87r1y12yc7.fsf@x220.int.ebiederm.org>
 <87k13t2xpd.fsf@x220.int.ebiederm.org>
 <87d09l2x5n.fsf@x220.int.ebiederm.org>
 <AM6PR03MB5170F0F9DC18F5EA77C9A857E4FE0@AM6PR03MB5170.eurprd03.prod.outlook.com>
 <871rq12vxu.fsf@x220.int.ebiederm.org>
 <AM6PR03MB5170DF45E3245F55B95CCD91E4FE0@AM6PR03MB5170.eurprd03.prod.outlook.com>
 <877dzt1fnf.fsf@x220.int.ebiederm.org>
 <AM6PR03MB51701C6F60699F99C5C67E0BE4FF0@AM6PR03MB5170.eurprd03.prod.outlook.com>
 <875zfcxlwy.fsf@x220.int.ebiederm.org>
 <AM6PR03MB5170BD2476E35068E182EFA4E4FF0@AM6PR03MB5170.eurprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <AM6PR03MB5170BD2476E35068E182EFA4E4FF0@AM6PR03MB5170.eurprd03.prod.outlook.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 10, 2020 at 06:45:47PM +0100, Bernd Edlinger wrote:
> This changes do_io_accounting to use the new exec_update_mutex
> instead of cred_guard_mutex.
> 
> This fixes possible deadlocks when the trace is accessing
> /proc/$pid/io for instance.
> 
> This should be safe, as the credentials are only used for reading.

I'd like to see the rationale described better here for why it should be
safe. I'm still not seeing why this is safe here, as we might check
ptrace_may_access() with one cred and then iterate io accounting with a
different credential...

What am I missing?

-Kees

> 
> Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
> ---
>  fs/proc/base.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 4fdfe4f..529d0c6 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2770,7 +2770,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
>  	unsigned long flags;
>  	int result;
>  
> -	result = mutex_lock_killable(&task->signal->cred_guard_mutex);
> +	result = mutex_lock_killable(&task->signal->exec_update_mutex);
>  	if (result)
>  		return result;
>  
> @@ -2806,7 +2806,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
>  	result = 0;
>  
>  out_unlock:
> -	mutex_unlock(&task->signal->cred_guard_mutex);
> +	mutex_unlock(&task->signal->exec_update_mutex);
>  	return result;
>  }
>  
> -- 
> 1.9.1

-- 
Kees Cook