Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp1530277rdd; Thu, 11 Jan 2024 01:48:47 -0800 (PST) X-Google-Smtp-Source: AGHT+IGSj32Bv6zUNM4X8dopsA/3fo9wmaAzWhSuPzEiY1lFOA3mcaMeQfBuzkUf9hkh54utewX/ X-Received: by 2002:a17:902:e809:b0:1d4:b4a8:d3b0 with SMTP id u9-20020a170902e80900b001d4b4a8d3b0mr1102922plg.85.1704966527302; Thu, 11 Jan 2024 01:48:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704966527; cv=none; d=google.com; s=arc-20160816; b=WoKU1nlR721PB3Vb3NgRTw24MklbTnnQtO++7yxOPNWsYqYdylhKixlKRMBntmeO9V OkOahhq3Hocx9AXKrrOV/92tqV+vxzaNYgZWCKssjrK1ztD85m8fAxZ4vUU+bNYjojWW knpKne6hmOS6SjltZ5D27oNcIeYSL371WMlocoxbWKmnKkGhXoykLwu3eBwSG+eJGnUn a4dpnX67XcqpIpd0St2EhyxJ1NVzeQukeP7V3ZnsV2GRmcM2JYbwHOImxmkhFGNXvxJ8 9L4BZeauDYhG6BDcUcnDJgfSHMTZ27rqeaYtLdlLrP1HRwKPcLQfmPnY4KqcLVfEGDAl 9xTQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:in-reply-to:content-disposition:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:references :message-id:subject:cc:to:from:date:dkim-signature; bh=2HZhy6w8gpDC4mT19yv0E28LcZ7bJIquaKWzJ4wbSLc=; fh=dr0lwBYSFTge2hAQEK2QACpoijsDFj8eMr7Rd91lUiU=; b=sfN1Rn9jJEjq3nloOCxXSUDWhf/b5Mc1BnqVXERJ4fCfVE8gMpsYsahIPEmsEUeSsv Rpes9aquXj+EK+bfHLNm7T3p3QiRDl6fAvDqk3UFE25tiyNFiMSEDaRdSctVAJPFHJP3 sh706+6P28tZj0jPnWLRsWXf8/WoGDLeCwe7tK1EAWP03A9Y3j+H2MprSmH7QLcyBTQB BLG4FSmocrwjExTjNgeWmHuxGEGZ6Regi3t3VcPLyHRzT/QLpHyeuFkdckikK07pUBkW QWFB8EsCYRdQsWE1+cWa1V8JBsH5zBtBsnmqFpxZB50+MsmFoXwi8MkGSOhwyG1Nn3xa PVAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=r80Gwdip; spf=pass (google.com: domain of linux-kernel+bounces-23332-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-23332-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id e7-20020a170902784700b001d3c3495ea4si398654pln.192.2024.01.11.01.48.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jan 2024 01:48:47 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-23332-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=r80Gwdip; spf=pass (google.com: domain of linux-kernel+bounces-23332-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-23332-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id D2AFBB27156 for ; Thu, 11 Jan 2024 09:47:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 113C712E5B; Thu, 11 Jan 2024 09:47:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linux.org.uk header.i=@linux.org.uk header.b="r80Gwdip" Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [62.89.141.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 602B612E59 for ; Thu, 11 Jan 2024 09:47:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=zeniv.linux.org.uk Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=ftp.linux.org.uk DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=2HZhy6w8gpDC4mT19yv0E28LcZ7bJIquaKWzJ4wbSLc=; b=r80GwdipBsSE89YZ5JymRb9hOZ OPiJmNAnH9l6b9p4hd0smTknZaRBfQm6H/yxDy18ajkS9dCADATV65sJ5WupT82g/jIx5QB4nh0b5 CNsd/9GGCdQBiVOoelDWB9OZOKLPSF1cGKwuUqx4GwNWzYEzqYFUmEmdAQXTqnVUFxecSFX+b/hUe KpwPcdXXA6oZmJm36ovZ2WeXUohgaVoUPXZBrJN3RMgEPoXREY9J9iHPDkmy8a/Pb+DEpu25NonWO mVxE66leexPfuaIk77g2Ewr74O3va7MBgGUhwxGillVjmpm6WT1A8Ejq3hEPg//InjDCzxmjZc6lG m+J0mOuQ==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux)) id 1rNreZ-00C7IA-1B; Thu, 11 Jan 2024 09:47:11 +0000 Date: Thu, 11 Jan 2024 09:47:11 +0000 From: Al Viro To: Linus Torvalds Cc: Josh Triplett , Kees Cook , Kees Cook , linux-kernel@vger.kernel.org, Alexey Dobriyan Subject: Re: [GIT PULL] execve updates for v6.8-rc1 Message-ID: <20240111094711.GT1674809@ZenIV> References: <202401081028.0E908F9E0A@keescook> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro On Tue, Jan 09, 2024 at 07:54:30PM -0800, Linus Torvalds wrote: > Al, comments? We *could* just special-case the execve() code not to > use do_filp_open() and avoid this issue that way, but it does feel > like even the regular open() case is pessimal with that whole RCU > situation. Two things, both related to ->atomic_open(): * we pass struct file to ->atomic_open(), so that it either opens the sucker _or_ stores the resulting dentry in it (if ->atomic_open() bails and tells us to use such-and-such dentry, other than the one it had been given). * cleanup logics becomes interesting if we try to keep struct file from pass to pass. Sure, if it had never been touched _or_ if it had only been fed to finish_no_open() (i.e. ->atomic_open() bailout path) - no problem, we can reuse it. But once it has hit do_dentry_open(), the things get fishy. We *must* fput() it if we got to setting FMODE_OPENED - no plausible way around that. But what about the case when we fail e.g. inside ->open()? Currently we undo just enough for fput() to do the right thing without FMODE_OPENED, but e.g. security_file_open() has no undoing for it. Having it called twice on the same struct file might or might not work on all LSMs, but they hadn't been exposed to that until now. We could pass struct file ** to path_openat(), with file = *fp; if (!file) { file = alloc_empty_file(op->open_flag, current_cred()); if (IS_ERR(file)) return file; *fp = file; } in the beginning and have an extra flag that would be set as soon as we hit do_dentry_open(). Then we could make the fput() in path_openat() failure handling conditional upon that flag. Doable, but really not pretty, especially since we'd need to massage the caller as well... Less painful variant is if (error == -ECHILD && (flags & LOOKUP_RCU)) return ERR_PTR(-ECHILD); // keep file for non-rcu pass *fp = NULL; fput(file); ... on the way out; that won't help with -ESTALE side of things, but if we hit *that*, struct file allocation overhead is really noise. PS: apologies for late reply - had been sick since Saturday, just got more or less back to normal.