Date: Tue, 8 Feb 2022 22:16:56 +0000
From: Al Viro
To: "Eric W. Biederman"
Cc: Waiman Long, Christian Brauner, Andrew Morton, Jens Axboe, Alexey Gladkov, David Hildenbrand, Jann Horn, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] copy_process(): Move fd_install() out of sighand->siglock critical section
References: <20220208163912.1084752-1-longman@redhat.com> <874k59f2ad.fsf@email.froward.int.ebiederm.org>
In-Reply-To: <874k59f2ad.fsf@email.froward.int.ebiederm.org>

On Tue, Feb 08, 2022 at 03:59:06PM -0600, Eric W. Biederman wrote:
> The fd is being installed in the fdtable of the parent process,
> and the siglock and tasklist_lock are held to protect the child.
>
> Further fd_install is exposing the fd to userspace where it can be used
> by the process_madvise and the process_mrelease system calls, from
> anything that shares the fdtable of the parent thread. Which means it
> needs to be guaranteed that kernel_clone will call wake_up_process
> before it is safe to call fd_install.

You mean "no calling fd_install() until after we are past the last possible
failure exit, by which point we know that wake_up_process() will eventually
be called", hopefully?

If so (as I assumed all along), anything downstream of

	if (fatal_signal_pending(current)) {
		retval = -EINTR;
		goto bad_fork_cancel_cgroup;
	}

should be fine...
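An added illustration of the ordering constraint discussed in this message; it is a constructed userspace model, not code from the thread or from the kernel. The names fd_install_model, clone_model and dangling_after_clone are hypothetical, the `fatal_signal` flag stands in for fatal_signal_pending(current), and `install_early` places the fd_install() step before that check instead of after it.

```c
#include <stdbool.h>
/* Constructed model (not kernel code): a child record and an fd table shared by
 * every thread of the parent; the only variable in the clone path is whether
 * the fd_install() step sits before or after the last failure exit. */
enum child_state { CHILD_NONE, CHILD_CANCELLED, CHILD_RUNNABLE };
struct child { enum child_state state; };

#define FDTABLE_SIZE 8
static struct child *fdtable[FDTABLE_SIZE];  /* visible to all threads of the parent */

/* Stand-in for fd_install(): publishes the child in the shared table. */
static int fd_install_model(struct child *c)
{
    for (int fd = 0; fd < FDTABLE_SIZE; fd++)
        if (!fdtable[fd]) { fdtable[fd] = c; return fd; }
    return -1;
}

/* Stand-in for the tail of copy_process(): `fatal_signal` plays the role of
 * fatal_signal_pending(current), `install_early` moves fd_install() ahead of
 * that check. Returns the pidfd, or -1 on the failure exit. */
static int clone_model(struct child *c, bool fatal_signal, bool install_early)
{
    int fd = -1;
    c->state = CHILD_NONE;
    if (install_early)
        fd = fd_install_model(c);       /* sibling threads can already see fd */
    if (fatal_signal) {                 /* the bad_fork_cancel_cgroup exit */
        c->state = CHILD_CANCELLED;
        return -1;                      /* an early-installed fd is left behind */
    }
    if (!install_early)
        fd = fd_install_model(c);       /* past the last possible failure exit */
    c->state = CHILD_RUNNABLE;          /* wake_up_process() is now guaranteed */
    return fd;
}

/* Run one scenario on a fresh table and report what a sibling thread sharing it
 * could observe afterwards: fds that refer to a child which will never run. */
static int dangling_after_clone(bool fatal_signal, bool install_early)
{
    static struct child c;
    int n = 0;
    for (int fd = 0; fd < FDTABLE_SIZE; fd++) fdtable[fd] = 0;
    (void)clone_model(&c, fatal_signal, install_early);
    for (int fd = 0; fd < FDTABLE_SIZE; fd++)
        if (fdtable[fd] && fdtable[fd]->state != CHILD_RUNNABLE)
            n++;
    return n;
}
```

Only the early-install variant combined with the failure exit leaves an fd in the shared table that points at a child which was never made runnable; installing after the last failure exit leaves nothing behind on either path.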