Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp853600ybh; Wed, 11 Mar 2020 12:09:10 -0700 (PDT) X-Google-Smtp-Source: ADFU+vuhKIs/YhczHLoadGtNQxdvjdbZku/6S2NEwGKUDoXbZeVRe1StFUrZTbauz1wyocIUCmgQ X-Received: by 2002:a9d:7359:: with SMTP id l25mr3568197otk.18.1583953750318; Wed, 11 Mar 2020 12:09:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583953750; cv=none; d=google.com; s=arc-20160816; b=j6BgIx1/PYOyDcJ5YaowquijnZqzw8zn/uDvwIjQyJYlBExubdgwFt2jhCSSSEVNh9 /o7V5QQ/yOlQ2uLxvH7PKSTpF6vw9UbyBbfn3h4/NkXfNBqtYBxK/bbSs7CzXRETI/JJ pYygx4O29+pcoKmInHtZGyjkoY4/Jl1zNMpnxrLSBOHX70P01j94VWnH1gMx15uNldT/ LksrZ4TUSs0yrLpAmxvVUD78H+n8a5wxn9Xmed+k9hDCg1sNonlaO6ooOhBv5Ea6Dkcl 8mdMD9S1MpOhI3zPdzsTolKxJ7vwRlC6/NI5YktMRXv9z163mhmyRex+vdw8Aryfot53 kxVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=; b=fBerEM5W+A00fALwj2Dtc1O/a04C/EbFgOhArFeDtv/fPO57tnzGKpHC7HZCPuhqyb QuGT+uY0LyXH0JbPWo6yhK112/SiicHFBxaZsXYBsi4YafKHCvCLYPztuPTsvjwQcqoS DCm/AwQp/Cl0vQHQ7AWzIq8c6HW4XqHEW2LicMkmKDmhTvtCVw4IglQeffebzShqRqlY 9UwKilE4piorUa0303j6P9CagMD4wlJloIVRx3rCTu9/Fe5p6eTXl1Ok6BIMeVyMYt1N O5RL9qWxoERkFxANDMNQ683aH5IDtuNmbztSc1O2GJNyLad2ciq3qrD+53Gg2pCflyrj W9pQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ezUxUUOX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s8si1451129oij.275.2020.03.11.12.08.34; Wed, 11 Mar 2020 12:09:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=ezUxUUOX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730925AbgCKTIM (ORCPT + 99 others); Wed, 11 Mar 2020 15:08:12 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:39730 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730926AbgCKTIM (ORCPT ); Wed, 11 Mar 2020 15:08:12 -0400 Received: by mail-pl1-f193.google.com with SMTP id j20so1525506pll.6 for ; Wed, 11 Mar 2020 12:08:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=; b=ezUxUUOXDCiz09sL7ns9GljqAjBmqhyjSwvJorFlESxa+y3+f/0qlxnha+BOKyFFyf ERAU18z6eUiNgcbSjL1jsVciaLtO3QRYSLsFs8TwKJvof5riGga9gNTN9V0/psEVhU2x V/bi7iIGw3G5TZdWYOJ4NUQjucYxGZhfQRnwo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=DbOSuRE3mJHRT6NEoUnJAt4STBzgkZE2dyC9jqZCCLc=; b=hj0C+/96IMMX3ke+RiYrpQ/6gNzaQT0XB0iU9bHoU+1JqVLzP8wNB/25YeV31c9/lZ t1pfO7hL+ATzSfQcYEyDRYuOh/u/EZrNi6I+RiClx5tQBgibfeTTVzd7AzIDObdMNS4W gevul1PSieN+D2SVBZg3hIm9NXW/GGRy14oP3rxePh4EbP215W2d+qoGRLcZWO/ENZHN OwxgrxtlEuJreM1kKWXl14V5n7k9cdZleifFpM1QMjRptWOJU1WZcfrXYJgfHRV554eA VHO3AA7ntR6HLEpI/bVjz6p+jnPhItGUNJkVV7AqO7EYpAAythYnncHcz1X92S4yU4S8 DULA== X-Gm-Message-State: ANhLgQ2JtEMb8J8hA6PtYY7Tt86xubfq1XKxX4bV3unkwmssyO37IYUy kLiwvedQjF36mfKnKnXGRBo+Dg== X-Received: by 2002:a17:90a:da01:: with SMTP id e1mr225598pjv.100.1583953691168; Wed, 11 Mar 2020 12:08:11 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y207sm1468232pfb.189.2020.03.11.12.08.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Mar 2020 12:08:09 -0700 (PDT) Date: Wed, 11 Mar 2020 12:08:08 -0700 From: Kees Cook To: Bernd Edlinger Cc: "Eric W. Biederman" , Christian Brauner , Jann Horn , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , "linux-api@vger.kernel.org" Subject: Re: [PATCH 3/4] proc: io_accounting: Use new infrastructure to fix deadlocks in execve Message-ID: <202003111203.738487D@keescook> References: <87r1y12yc7.fsf@x220.int.ebiederm.org> <87k13t2xpd.fsf@x220.int.ebiederm.org> <87d09l2x5n.fsf@x220.int.ebiederm.org> <871rq12vxu.fsf@x220.int.ebiederm.org> <877dzt1fnf.fsf@x220.int.ebiederm.org> <875zfcxlwy.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 10, 2020 at 06:45:47PM +0100, Bernd Edlinger wrote: > This changes do_io_accounting to use the new exec_update_mutex > instead of cred_guard_mutex. > > This fixes possible deadlocks when the trace is accessing > /proc/$pid/io for instance. > > This should be safe, as the credentials are only used for reading. I'd like to see the rationale described better here for why it should be safe. I'm still not seeing why this is safe here, as we might check ptrace_may_access() with one cred and then iterate io accounting with a different credential... What am I missing? -Kees > > Signed-off-by: Bernd Edlinger > --- > fs/proc/base.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 4fdfe4f..529d0c6 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2770,7 +2770,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh > unsigned long flags; > int result; > > - result = mutex_lock_killable(&task->signal->cred_guard_mutex); > + result = mutex_lock_killable(&task->signal->exec_update_mutex); > if (result) > return result; > > @@ -2806,7 +2806,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh > result = 0; > > out_unlock: > - mutex_unlock(&task->signal->cred_guard_mutex); > + mutex_unlock(&task->signal->exec_update_mutex); > return result; > } > > -- > 1.9.1 -- Kees Cook