From: Jann Horn
Date: Mon, 28 Jun 2021 19:14:31 +0200
Subject: Re: [PATCH 2/4] arch/x86: implement the process_vm_exec syscall
To: Andy Lutomirski
Cc: Andrei Vagin, Linux Kernel Mailing List, Linux API, linux-um@lists.infradead.org, criu@openvz.org, avagin@google.com, Andrew Morton, Anton Ivanov, Christian Brauner, Dmitry Safonov <0x7f454c46@gmail.com>, Ingo Molnar, Jeff Dike, Mike Rapoport, Michael Kerrisk, Oleg Nesterov, "Peter Zijlstra (Intel)", Richard Weinberger, Thomas Gleixner
References: <20210414055217.543246-1-avagin@gmail.com> <20210414055217.543246-3-avagin@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 28, 2021 at 6:30 PM Andy Lutomirski wrote:
> On Mon, Jun 28, 2021, at 9:13 AM, Jann Horn wrote:
> > On Wed, Apr 14, 2021 at 7:59 AM Andrei Vagin wrote:
> > > This change introduces the new system call:
> > > process_vm_exec(pid_t pid, struct sigcontext *uctx, unsigned long flags,
> > >                 siginfo_t * uinfo, sigset_t *sigmask, size_t sizemask)
> > >
> > > process_vm_exec allows to execute the current process in an address
> > > space of another process.
> > [...]
> >
> > I still think that this whole API is fundamentally the wrong approach
> > because it tries to shoehorn multiple usecases with different
> > requirements into a single API. But that aside:
> >
> > > +static void swap_mm(struct mm_struct *prev_mm, struct mm_struct *target_mm)
> > > +{
> > > +	struct task_struct *tsk = current;
> > > +	struct mm_struct *active_mm;
> > > +
> > > +	task_lock(tsk);
> > > +	/* Hold off tlb flush IPIs while switching mm's */
> > > +	local_irq_disable();
> > > +
> > > +	sync_mm_rss(prev_mm);
> > > +
> > > +	vmacache_flush(tsk);
> > > +
> > > +	active_mm = tsk->active_mm;
> > > +	if (active_mm != target_mm) {
> > > +		mmgrab(target_mm);
> > > +		tsk->active_mm = target_mm;
> > > +	}
> > > +	tsk->mm = target_mm;
> >
> > I'm pretty sure you're not currently allowed to overwrite the ->mm
> > pointer of a userspace thread. For example, zap_threads() assumes that
> > all threads running under a process have the same ->mm. (And if you're
> > fiddling with ->mm stuff, you should probably CC linux-mm@.)
>
> exec_mmap() does it, so it can't be entirely impossible.

Yeah, true, execve can do it - I guess the thing that makes that special
is that it's running after de_thread(), so it's guaranteed to be
single-threaded?
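Review bot: the quoted swap_mm() hunk writes tsk->mm = target_mm unconditionally, with no check that the calling process is single-threaded; the one in-tree precedent named in this thread, exec_mmap(), runs only after de_thread(), and zap_threads() assumes every thread of a process shares one ->mm, so the switch needs either that same guarantee or an explicit failure when other threads exist, and a comment at the top of swap_mm() stating the threading precondition. Two smaller points in the same hunk: task_lock(tsk) and local_irq_disable() have no matching task_unlock()/local_irq_enable() in the quoted lines, and mmgrab(target_mm) has no matching mmdrop() of the previous active_mm, so the quoted portion should be extended (or the full function cited) so the lock/IRQ balance and the mm refcount balance can actually be reviewed.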