Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp1496395ybh; Fri, 13 Mar 2020 02:14:19 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvuptSY96l8G0MTCLvC7kDeny4djo+bEjxhQvixI/RWGDkoFUmb1V+c8Q8BS2gBgdcvaXSx X-Received: by 2002:aca:a857:: with SMTP id r84mr6178647oie.65.1584090859756; Fri, 13 Mar 2020 02:14:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584090859; cv=none; d=google.com; s=arc-20160816; b=G59q+arM2PRVeL4uwyN/s4yFy5NI5ov5+So8rnfTbaF9i0nn9wlfUsgljTS923ENE/ 8BTmO8tzRHxzMesdCqTQCL54Q2sUpYxTZIbfoKNGmEShLfMwNeJ0wv8zbdKeS4W/EzCr muixdqY43oTI1HAxZsUU20Ec9qnWd0fjHpjQv6icLP1+KwqvdYoV/4/bUrmwA2pvnaDg 2tOwEMSfD+hf/VSBRLqAQopOqxrD1sp6hEm65o8S5i5cGoVGm1/PyKrIazVi1Gwyo64f 0sA9KMO9WuvfxK0W8qTgSyvWNe8LjdMAY4YpcfQzUfBbjuQb0oFC/pEi42xyQCe0rjt4 yOEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=/e4cxsRYp3/xtzZufvq9A1Jrahke+E12X5sYHlhybPs=; b=APhAY0iDUqPHHitYa0DrIwT3m2B0HV/upOjAq98GmYrrqa8m/KTkRr9T9QlPSVwjvG qWy8GTHpTpx+DQGxegefGBcWq5BmNtekd6QiZ3mGspBFG0SZjliNVE7K2Vty5Tt2SKrJ 6n9G9MEusLDcenzviZqyklcbQSBpGnQ7OeVIK/DHM0mcitaE+T35uc5WJOXJLKs2mEcY /TSs2z01Mf583BIurq1IH4cUh4m3yi0n6SKRnSV3apv7jhHRcQ/PZe6km1zZAe396zOf jr2XCIrztbBnctjHTCOV+KRU6yR/smEauHQVxx7pr91n0S/WgIbF42VpNUxz+NqHcOaC 6UGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w4si4111789oie.124.2020.03.13.02.14.07; Fri, 13 Mar 2020 02:14:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726488AbgCMJNo (ORCPT + 99 others); Fri, 13 Mar 2020 05:13:44 -0400 Received: from relay.sw.ru ([185.231.240.75]:56008 "EHLO relay.sw.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726230AbgCMJNn (ORCPT ); Fri, 13 Mar 2020 05:13:43 -0400 Received: from dhcp-172-16-24-104.sw.ru ([172.16.24.104]) by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1jCgNL-0005Fb-2f; Fri, 13 Mar 2020 12:13:03 +0300 Subject: Re: [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex To: Bernd Edlinger , "Eric W. Biederman" Cc: Christian Brauner , Kees Cook , Jann Horn , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , "linux-api@vger.kernel.org" References: <87v9nlii0b.fsf@x220.int.ebiederm.org> <87a74xi4kz.fsf@x220.int.ebiederm.org> <87r1y8dqqz.fsf@x220.int.ebiederm.org> <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87v9ne5y4y.fsf_-_@x220.int.ebiederm.org> <87zhcq4jdj.fsf_-_@x220.int.ebiederm.org> <87d09hn4kt.fsf@x220.int.ebiederm.org> <87lfo5lju6.fsf@x220.int.ebiederm.org> From: Kirill Tkhai Message-ID: <6002ac56-025a-d50f-e89d-1bf42a072323@virtuozzo.com> Date: Fri, 13 Mar 2020 12:13:02 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13.03.2020 04:05, Bernd Edlinger wrote: > On 3/12/20 3:38 PM, Eric W. Biederman wrote: >> Kirill Tkhai writes: >> >>> On 12.03.2020 15:24, Eric W. Biederman wrote: >>>> >>>> I actually need to switch the lock ordering here, and I haven't yet >>>> because my son was sick yesterday. > > All the best wishes to you and your son. I hope he will get well soon. > > And sorry for not missing the issue in the review. The reason turns > out that bprm_mm_init is called after prepare_bprm_creds, but there > are error pathes between those where free_bprm is called up with > cred != NULL and mm == NULL, but the mutex not locked. > > I figured out a possible fix for the problem that was pointed out: > > > From ceb6f65b52b3a7f0280f4f20509a1564a439edf6 Mon Sep 17 00:00:00 2001 > From: Bernd Edlinger > Date: Wed, 11 Mar 2020 15:31:07 +0100 > Subject: [PATCH] Fix issues with exec_update_mutex > > Signed-off-by: Bernd Edlinger > --- > fs/exec.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index ffeebb1..cde4937 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1021,8 +1021,14 @@ static int exec_mmap(struct mm_struct *mm) > old_mm = current->mm; > exec_mm_release(tsk, old_mm); > > - if (old_mm) { > + if (old_mm) > sync_mm_rss(old_mm); > + > + ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); > + if (ret) > + return ret; > + > + if (old_mm) { > /* > * Make sure that if there is a core dump in progress > * for the old mm, we get out and die instead of going > @@ -1032,14 +1038,11 @@ static int exec_mmap(struct mm_struct *mm) > down_read(&old_mm->mmap_sem); > if (unlikely(old_mm->core_state)) { > up_read(&old_mm->mmap_sem); > + mutex_unlock(&tsk->signal->exec_update_mutex); > return -EINTR; > } > } > > - ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); > - if (ret) > - return ret; > - > task_lock(tsk); > active_mm = tsk->active_mm; > membarrier_exec_mmap(mm); > @@ -1444,8 +1447,6 @@ static void free_bprm(struct linux_binprm *bprm) > { > free_arg_pages(bprm); > if (bprm->cred) { > - if (!bprm->mm) > - mutex_unlock(¤t->signal->exec_update_mutex); > mutex_unlock(¤t->signal->cred_guard_mutex); > abort_creds(bprm->cred); > } > @@ -1846,6 +1847,8 @@ static int __do_execve_file(int fd, struct filename *filename, > would_dump(bprm, bprm->file); > > retval = exec_binprm(bprm); > + if (bprm->cred && !bprm->mm) > + mutex_unlock(¤t->signal->exec_update_mutex); Despite this should fix the problem, this looks like a broken puzzle. We can't use bprm->cred as an identifier whether the mutex was locked or not. We can check for bprm->cred in regard to cred_guard_mutex, because of there is strong rule: "cred_guard_mutex is becomes locked together with bprm->cred assignment (see prepare_bprm_creds()), and it becomes unlocked together with bprm->cred zeroing". Take attention on modularity of all this: there is no dependencies between anything else. In regard to newly introduced exec_update_mutex, your fix and source patch way look like an obfuscation. The mutex becomes deadly glued to unrelated bprm->cred and bprm->mm, and this introduces the problems in the future modifications and support of all involved entities. If someone wants to move some functions in relation to each other, there will be a pain, and this person will have to go again the same dependencies and bug way, Eric stepped on in the original patch.