From: Oleg Nesterov <oleg@redhat.com> To: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andrew Morton <akpm@linux-foundation.org>, Aleksa Sarai <asarai@suse.com>, Andy Lutomirski <luto@amacapital.net>, Attila Fazekas <afazekas@redhat.com>, Jann Horn <jann@thejh.net>, Kees Cook <keescook@chromium.org>, Michal Hocko <mhocko@kernel.org>, Ulrich Obergfell <uobergfe@redhat.com>, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org Subject: Re: [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped. Date: Mon, 3 Apr 2017 20:37:28 +0200 [thread overview] Message-ID: <20170403183728.GB31390@redhat.com> (raw) In-Reply-To: <87inmmbjsq.fsf@xmission.com> Eric, I see another series from you, but I simply failed to force myself to read it carefully. Because at first glance it makes me really sad, I do dislike it even if it is correct. Yes, yes, sure, I can be wrong. Will try tomorrow. On 04/02, Eric W. Biederman wrote: > > Oleg Nesterov <oleg@redhat.com> writes: > > > Anyway, Eric, even if we can and want to do this, why we can't do this on > > top of my fix? > > Because your reduction in scope of cred_guard_mutex is fundamentally > broken and unnecessary. And you never explained why it is wrong, or I failed to understand you. > > I simply fail to understand why you dislike it that much. Yes it is not > > pretty, I said this many times, but it is safe in that it doesn't really > > change the current behaviour. > > No it is not safe. And it promotes wrong thinking which is even more > dangerous. So please explain why it is not safe and why it is dangerous. Just in case, if you mean flush_signal_handlers() outside of cred_guard_mutex, please explain what I have missed in case you still think this is wrong. > I reviewed the code and cred_guard_mutex needs to cover what it covers. I strongly, strongly disagree. Its scope is unnecessary huge, we should narrow it in any case, even if the current code was not bugy. But this is almost offtopic, lets discuss this separately. > > I am much more worried about 2/2 you didn't argue with, this patch _can_ > > break something and this is obviously not good even if PTRACE_EVENT_EXIT > > was always broken. > > I don't know who actually useses PTRACE_O_TRACEEXIT so I don't actually > know what the implications of changing it are. Let's see... And nobody knows ;) This is the problem, even the clear ptrace bugfix can break something, this happened before and we had to revert the obviously- correct patches; the bug was already used as feature. > If delivering a second SIGKILL ... > So userspace can absolutely kill a processes in PTRACE_EVENT_EXIT > before the tracers find it. > > Therefore we are only talking a quality of implementation issue > if we actually stop and wait for the tracer or not. Oh, this is another story, needs another discussion. We really need some changes in this area, we need to distinguish SIGKILL sent from user-space and (say) from group-exit, and we need to decide when should we stop. But at least I think the tracee should never stop if SIGKILL comes from user space. And yes ptrace_stop() is ugly and wrong, just look at the arch_ptrace_stop_needed() check. The problem, again, is that any fix will be user-visible. Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>, Aleksa Sarai <asarai-IBi9RG/b67k@public.gmane.org>, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>, Attila Fazekas <afazekas-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, Michal Hocko <mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, Ulrich Obergfell <uobergfe-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Subject: Re: [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped. Date: Mon, 3 Apr 2017 20:37:28 +0200 [thread overview] Message-ID: <20170403183728.GB31390@redhat.com> (raw) In-Reply-To: <87inmmbjsq.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> Eric, I see another series from you, but I simply failed to force myself to read it carefully. Because at first glance it makes me really sad, I do dislike it even if it is correct. Yes, yes, sure, I can be wrong. Will try tomorrow. On 04/02, Eric W. Biederman wrote: > > Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes: > > > Anyway, Eric, even if we can and want to do this, why we can't do this on > > top of my fix? > > Because your reduction in scope of cred_guard_mutex is fundamentally > broken and unnecessary. And you never explained why it is wrong, or I failed to understand you. > > I simply fail to understand why you dislike it that much. Yes it is not > > pretty, I said this many times, but it is safe in that it doesn't really > > change the current behaviour. > > No it is not safe. And it promotes wrong thinking which is even more > dangerous. So please explain why it is not safe and why it is dangerous. Just in case, if you mean flush_signal_handlers() outside of cred_guard_mutex, please explain what I have missed in case you still think this is wrong. > I reviewed the code and cred_guard_mutex needs to cover what it covers. I strongly, strongly disagree. Its scope is unnecessary huge, we should narrow it in any case, even if the current code was not bugy. But this is almost offtopic, lets discuss this separately. > > I am much more worried about 2/2 you didn't argue with, this patch _can_ > > break something and this is obviously not good even if PTRACE_EVENT_EXIT > > was always broken. > > I don't know who actually useses PTRACE_O_TRACEEXIT so I don't actually > know what the implications of changing it are. Let's see... And nobody knows ;) This is the problem, even the clear ptrace bugfix can break something, this happened before and we had to revert the obviously- correct patches; the bug was already used as feature. > If delivering a second SIGKILL ... > So userspace can absolutely kill a processes in PTRACE_EVENT_EXIT > before the tracers find it. > > Therefore we are only talking a quality of implementation issue > if we actually stop and wait for the tracer or not. Oh, this is another story, needs another discussion. We really need some changes in this area, we need to distinguish SIGKILL sent from user-space and (say) from group-exit, and we need to decide when should we stop. But at least I think the tracee should never stop if SIGKILL comes from user space. And yes ptrace_stop() is ugly and wrong, just look at the arch_ptrace_stop_needed() check. The problem, again, is that any fix will be user-visible. Oleg.
next prev parent reply other threads:[~2017-04-03 18:37 UTC|newest] Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-02-13 14:14 [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov 2017-02-13 14:15 ` [PATCH 1/2] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov 2017-02-13 16:12 ` kbuild test robot 2017-02-13 16:47 ` Oleg Nesterov 2017-02-13 16:39 ` kbuild test robot 2017-02-13 17:27 ` Mika Penttilä 2017-02-13 18:01 ` Oleg Nesterov 2017-02-13 18:04 ` [PATCH V2 " Oleg Nesterov 2017-02-16 11:42 ` Eric W. Biederman 2017-02-20 15:22 ` Oleg Nesterov 2017-02-20 15:36 ` Oleg Nesterov 2017-02-20 22:30 ` Eric W. Biederman 2017-02-21 17:53 ` Oleg Nesterov 2017-02-21 20:20 ` Eric W. Biederman 2017-02-22 17:41 ` Oleg Nesterov 2017-02-17 4:42 ` Eric W. Biederman 2017-02-20 15:50 ` Oleg Nesterov 2017-02-13 14:15 ` [PATCH 2/2] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov 2017-02-24 16:03 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov 2017-03-03 1:05 ` Eric W. Biederman 2017-03-03 17:33 ` Oleg Nesterov 2017-03-03 18:23 ` Eric W. Biederman 2017-03-03 18:23 ` Eric W. Biederman 2017-03-03 18:59 ` Eric W. Biederman 2017-03-03 18:59 ` Eric W. Biederman 2017-03-03 20:06 ` Eric W. Biederman 2017-03-03 20:06 ` Eric W. Biederman 2017-03-03 20:11 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Eric W. Biederman 2017-03-03 20:11 ` Eric W. Biederman 2017-03-04 17:03 ` Oleg Nesterov 2017-03-30 8:07 ` Eric W. Biederman 2017-04-01 5:11 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Eric W. Biederman 2017-04-01 5:11 ` Eric W. Biederman 2017-04-01 5:14 ` [RFC][PATCH 1/2] sighand: Count each thread group once in sighand_struct Eric W. Biederman 2017-04-01 5:14 ` Eric W. Biederman 2017-04-01 5:16 ` [RFC][PATCH 2/2] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman 2017-04-01 5:16 ` Eric W. Biederman 2017-04-02 15:35 ` Oleg Nesterov 2017-04-02 15:35 ` Oleg Nesterov 2017-04-02 18:53 ` Eric W. Biederman 2017-04-02 18:53 ` Eric W. Biederman 2017-04-03 18:12 ` Oleg Nesterov 2017-04-03 18:12 ` Oleg Nesterov 2017-04-03 21:04 ` Eric W. Biederman 2017-04-05 16:44 ` Oleg Nesterov 2017-04-02 15:38 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Oleg Nesterov 2017-04-02 15:38 ` Oleg Nesterov 2017-04-02 22:50 ` [RFC][PATCH v2 0/5] " Eric W. Biederman 2017-04-02 22:50 ` Eric W. Biederman 2017-04-02 22:51 ` [RFC][PATCH v2 1/5] ptrace: Don't wait in PTRACE_O_TRACEEXIT for exec or coredump Eric W. Biederman 2017-04-02 22:51 ` Eric W. Biederman 2017-04-05 16:19 ` Oleg Nesterov 2017-04-02 22:51 ` [RFC][PATCH v2 2/5] sighand: Count each thread group once in sighand_struct Eric W. Biederman 2017-04-02 22:51 ` Eric W. Biederman 2017-04-02 22:52 ` [RFC][PATCH v2 3/5] clone: Disallown CLONE_THREAD with a shared sighand_struct Eric W. Biederman 2017-04-02 22:52 ` Eric W. Biederman 2017-04-05 16:24 ` Oleg Nesterov 2017-04-05 16:24 ` Oleg Nesterov 2017-04-05 17:34 ` Eric W. Biederman 2017-04-05 18:11 ` Oleg Nesterov 2017-04-02 22:53 ` [RFC][PATCH v2 4/5] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman 2017-04-02 22:53 ` Eric W. Biederman 2017-04-05 16:15 ` Oleg Nesterov 2017-04-02 22:57 ` [RFC][PATCH v2 5/5] signal: Don't allow accessing signal_struct by old threads after exec Eric W. Biederman 2017-04-02 22:57 ` Eric W. Biederman 2017-04-05 16:18 ` Oleg Nesterov 2017-04-05 16:18 ` Oleg Nesterov 2017-04-05 18:16 ` Eric W. Biederman 2017-04-05 18:16 ` Eric W. Biederman 2017-04-06 15:48 ` Oleg Nesterov 2017-04-06 15:48 ` Oleg Nesterov 2017-04-02 16:15 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Oleg Nesterov 2017-04-02 16:15 ` Oleg Nesterov 2017-04-02 21:07 ` Eric W. Biederman 2017-04-02 21:07 ` Eric W. Biederman 2017-04-03 18:37 ` Oleg Nesterov [this message] 2017-04-03 18:37 ` Oleg Nesterov 2017-04-03 22:49 ` Eric W. Biederman 2017-04-03 22:49 ` Eric W. Biederman 2017-04-03 22:49 ` scope of cred_guard_mutex Eric W. Biederman 2017-04-03 22:49 ` Eric W. Biederman 2017-04-05 16:08 ` Oleg Nesterov 2017-04-05 16:11 ` Kees Cook 2017-04-05 17:53 ` Eric W. Biederman 2017-04-05 18:15 ` Oleg Nesterov 2017-04-06 15:55 ` Oleg Nesterov 2017-04-06 15:55 ` Oleg Nesterov 2017-04-07 22:07 ` Kees Cook 2017-04-07 22:07 ` Kees Cook 2017-09-04 3:19 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Robert O'Callahan 2017-09-04 3:19 ` Robert O'Callahan 2017-03-04 16:54 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov 2017-03-04 16:54 ` Oleg Nesterov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170403183728.GB31390@redhat.com \ --to=oleg@redhat.com \ --cc=afazekas@redhat.com \ --cc=akpm@linux-foundation.org \ --cc=asarai@suse.com \ --cc=ebiederm@xmission.com \ --cc=jann@thejh.net \ --cc=keescook@chromium.org \ --cc=linux-api@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=mhocko@kernel.org \ --cc=uobergfe@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.