From: ebiederm@xmission.com (Eric W. Biederman)
To: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Bernd Edlinger <bernd.edlinger@hotmail.de>,
Christian Brauner <christian.brauner@ubuntu.com>,
Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Thomas Gleixner <tglx@linutronix.de>,
Oleg Nesterov <oleg@redhat.com>,
Frederic Weisbecker <frederic@kernel.org>,
Andrei Vagin <avagin@gmail.com>, Ingo Molnar <mingo@kernel.org>,
"Peter Zijlstra \(Intel\)" <peterz@infradead.org>,
Yuyang Du <duyuyang@gmail.com>,
David Hildenbrand <david@redhat.com>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Anshuman Khandual <anshuman.khandual@arm.com>,
David Howells <dhowells@redhat.com>,
James Morris <jamorris@linux.microsoft.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Shakeel Butt <shakeelb@google.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Christian Kellner <christian@kellner.me>,
Andrea Arcangeli <aarcange@redhat.com>,
Aleksa Sarai <cyphar@cyphar.com>,
"Dmitry V. Levin" <ldv@altlinux.org>,
"linux-doc\@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-fsdevel\@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-mm\@kvack.org" <linux-mm@kvack.org>,
"stable\@vger.kernel.org" <stable@vger.kernel.org>,
"linux-api\@vger.kernel.org" <linux-api@vger.kernel.org>
Subject: Re: [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex
Date: Thu, 12 Mar 2020 09:38:09 -0500 [thread overview]
Message-ID: <87lfo5lju6.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <dbce35c7-c060-cfd8-bde1-98fd9a0747a9@virtuozzo.com> (Kirill Tkhai's message of "Thu, 12 Mar 2020 16:45:37 +0300")
Kirill Tkhai <ktkhai@virtuozzo.com> writes:
> On 12.03.2020 15:24, Eric W. Biederman wrote:
>> Kirill Tkhai <ktkhai@virtuozzo.com> writes:
>>
>>> On 09.03.2020 00:38, Eric W. Biederman wrote:
>>>>
>>>> The cred_guard_mutex is problematic. The cred_guard_mutex is held
>>>> over the userspace accesses as the arguments from userspace are read.
>>>> The cred_guard_mutex is held of PTRACE_EVENT_EXIT as the the other
>>>> threads are killed. The cred_guard_mutex is held over
>>>> "put_user(0, tsk->clear_child_tid)" in exit_mm().
>>>>
>>>> Any of those can result in deadlock, as the cred_guard_mutex is held
>>>> over a possible indefinite userspace waits for userspace.
>>>>
>>>> Add exec_update_mutex that is only held over exec updating process
>>>> with the new contents of exec, so that code that needs not to be
>>>> confused by exec changing the mm and the cred in ways that can not
>>>> happen during ordinary execution of a process.
>>>>
>>>> The plan is to switch the users of cred_guard_mutex to
>>>> exec_udpate_mutex one by one. This lets us move forward while still
>>>> being careful and not introducing any regressions.
>>>>
>>>> Link: https://lore.kernel.org/lkml/20160921152946.GA24210@dhcp22.suse.cz/
>>>> Link: https://lore.kernel.org/lkml/AM6PR03MB5170B06F3A2B75EFB98D071AE4E60@AM6PR03MB5170.eurprd03.prod.outlook.com/
>>>> Link: https://lore.kernel.org/linux-fsdevel/20161102181806.GB1112@redhat.com/
>>>> Link: https://lore.kernel.org/lkml/20160923095031.GA14923@redhat.com/
>>>> Link: https://lore.kernel.org/lkml/20170213141452.GA30203@redhat.com/
>>>> Ref: 45c1a159b85b ("Add PTRACE_O_TRACEVFORKDONE and PTRACE_O_TRACEEXIT facilities.")
>>>> Ref: 456f17cd1a28 ("[PATCH] user-vm-unlock-2.5.31-A2")
>>>> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>>>> ---
>>>> fs/exec.c | 9 +++++++++
>>>> include/linux/sched/signal.h | 9 ++++++++-
>>>> init/init_task.c | 1 +
>>>> kernel/fork.c | 1 +
>>>> 4 files changed, 19 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/exec.c b/fs/exec.c
>>>> index d820a7272a76..ffeebb1f167b 100644
>>>> --- a/fs/exec.c
>>>> +++ b/fs/exec.c
>>>> @@ -1014,6 +1014,7 @@ static int exec_mmap(struct mm_struct *mm)
>>>> {
>>>> struct task_struct *tsk;
>>>> struct mm_struct *old_mm, *active_mm;
>>>> + int ret;
>>>>
>>>> /* Notify parent that we're no longer interested in the old VM */
>>>> tsk = current;
>>>> @@ -1034,6 +1035,11 @@ static int exec_mmap(struct mm_struct *mm)
>>>> return -EINTR;
>>>> }
>>>> }
>>>> +
>>>> + ret = mutex_lock_killable(&tsk->signal->exec_update_mutex);
>>>> + if (ret)
>>>> + return ret;
>>>
>>> You missed old_mm->mmap_sem unlock. See here:
>>
>> Duh. Thank you.
>>
>> I actually need to switch the lock ordering here, and I haven't yet
>> because my son was sick yesterday.
>
> There is some fundamental problem with your patch, since the below fires in 100% cases
> on current linux-next:
Thank you.
I have just backed this out of linux-next for now because it is clearly
flawed.
You make some good points about the recursion. I will go back to the
drawing board and see what I can work out.
> [ 22.838717] kernel BUG at fs/exec.c:1474!
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 47582cd97f86..0f77f8c94905 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1470,8 +1470,10 @@ static void free_bprm(struct linux_binprm *bprm)
> {
> free_arg_pages(bprm);
> if (bprm->cred) {
> - if (!bprm->mm)
> + if (!bprm->mm) {
> + BUG_ON(!mutex_is_locked(¤t->signal->exec_update_mutex));
> mutex_unlock(¤t->signal->exec_update_mutex);
> + }
> mutex_unlock(¤t->signal->cred_guard_mutex);
> abort_creds(bprm->cred);
> }
> @@ -1521,6 +1523,7 @@ void install_exec_creds(struct linux_binprm *bprm)
> * credentials; any time after this it may be unlocked.
> */
> security_bprm_committed_creds(bprm);
> + BUG_ON(!mutex_is_locked(¤t->signal->exec_update_mutex));
> mutex_unlock(¤t->signal->exec_update_mutex);
> mutex_unlock(¤t->signal->cred_guard_mutex);
> }
>
> ---------------------------------------------------------------------------------------------
>
> First time the mutex is unlocked in:
>
> exec_binprm()->search_binary_handler()->.load_binary->install_exec_creds()
>
> Then exec_binprm()->search_binary_handler()->.load_binary->flush_old_exec() clears mm:
>
> bprm->mm = NULL;
>
> Second time the mutex is unlocked in free_bprm():
>
> if (bprm->cred) {
> if (!bprm->mm)
> mutex_unlock(¤t->signal->exec_update_mutex);
>
> My opinion is we should not relay on side indicators like bprm->mm. Better you may
> introduce struct linux_binprm::exec_update_mutex_is_locked. So the next person dealing
> with this after you won't waste much time on diving into this. Also, if someone decides
> to change the place, where bprm->mm is set into NULL, this person will bump into hell
> of dependences between unrelated components like your newly introduced mutex.
>
> So, I'm strongly for *struct linux_binprm::exec_update_mutex_is_locked*, since this improves
> modularity.
Am I wrong or is that also a problem with cred_guard_mutex?
Eric
next prev parent reply other threads:[~2020-03-12 14:40 UTC|newest]
Thread overview: 203+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-01 11:27 [PATCH] exec: Fix a deadlock in ptrace Bernd Edlinger
2020-03-01 15:13 ` Aleksa Sarai
2020-03-01 15:58 ` Christian Brauner
2020-03-01 17:46 ` Bernd Edlinger
2020-03-01 18:20 ` Christian Brauner
2020-03-01 17:24 ` Bernd Edlinger
2020-03-01 18:21 ` Jann Horn
2020-03-01 18:52 ` Christian Brauner
2020-03-01 19:00 ` Bernd Edlinger
2020-03-01 20:00 ` Jann Horn
2020-03-01 20:34 ` [PATCHv2] " Bernd Edlinger
2020-03-02 6:38 ` Eric W. Biederman
2020-03-02 15:43 ` Bernd Edlinger
2020-03-02 15:57 ` Eric W. Biederman
2020-03-02 16:02 ` Bernd Edlinger
2020-03-02 16:17 ` Eric W. Biederman
2020-03-02 16:43 ` Jann Horn
2020-03-02 17:01 ` Bernd Edlinger
2020-03-02 17:37 ` Jann Horn
2020-03-02 17:42 ` christian
2020-03-02 18:08 ` Jann Horn
2020-03-02 20:10 ` [PATCHv3] " Bernd Edlinger
2020-03-02 20:28 ` Bernd Edlinger
2020-03-02 17:13 ` [PATCHv2] " Bernd Edlinger
2020-03-02 21:49 ` Eric W. Biederman
2020-03-02 22:00 ` Bernd Edlinger
2020-03-02 22:18 ` [PATCHv4] " Bernd Edlinger
2020-03-03 2:26 ` Kees Cook
2020-03-03 4:54 ` Bernd Edlinger
2020-03-03 5:29 ` Kees Cook
2020-03-03 8:08 ` Bernd Edlinger
2020-03-03 8:34 ` Christian Brauner
2020-03-03 8:43 ` Christian Brauner
2020-03-04 15:30 ` Christian Brauner
2020-03-03 8:58 ` Christian Brauner
2020-03-03 10:34 ` Bernd Edlinger
2020-03-03 11:23 ` Bernd Edlinger
2020-03-03 14:20 ` Christian Brauner
2020-03-03 13:02 ` [PATCHv5] " Bernd Edlinger
2020-03-03 15:18 ` Eric W. Biederman
2020-03-03 16:48 ` Bernd Edlinger
2020-03-03 17:01 ` Christian Brauner
2020-03-03 17:20 ` Christian Brauner
2020-03-03 20:08 ` Eric W. Biederman
2020-03-04 14:37 ` Bernd Edlinger
2020-03-04 16:33 ` Eric W. Biederman
2020-03-04 21:49 ` Bernd Edlinger
2020-03-04 21:56 ` [PATCHv6] " Bernd Edlinger
2020-03-05 18:36 ` Bernd Edlinger
2020-03-05 21:14 ` [PATCH 0/2] Infrastructure to allow fixing exec deadlocks Eric W. Biederman
2020-03-05 21:15 ` [PATCH 1/2] exec: Properly mark the point of no return Eric W. Biederman
2020-03-05 22:34 ` Bernd Edlinger
2020-03-06 5:19 ` Eric W. Biederman
2020-03-05 22:56 ` Bernd Edlinger
2020-03-06 5:09 ` Eric W. Biederman
2020-03-06 16:26 ` Bernd Edlinger
2020-03-06 17:16 ` Eric W. Biederman
2020-03-05 21:16 ` [PATCH 2/2] exec: Add a exec_update_mutex to replace cred_guard_mutex Eric W. Biederman
2020-03-05 21:51 ` Bernd Edlinger
2020-03-06 5:17 ` Eric W. Biederman
2020-03-06 11:46 ` Bernd Edlinger
2020-03-06 21:18 ` Eric W. Biederman
2020-03-06 19:16 ` Bernd Edlinger
2020-03-06 21:58 ` Eric W. Biederman
2020-03-06 22:29 ` Eric W. Biederman
2020-03-07 1:03 ` Eric W. Biederman
2020-03-08 12:58 ` [PATCH] exec: make de_thread alloc new signal struct earlier Bernd Edlinger
2020-03-08 18:12 ` Eric W. Biederman
2020-03-05 22:31 ` [PATCH 0/2] Infrastructure to allow fixing exec deadlocks Bernd Edlinger
2020-03-06 5:06 ` Eric W. Biederman
2020-03-08 21:34 ` [PATCH 0/5] " Eric W. Biederman
2020-03-08 21:35 ` [PATCH v2 1/5] exec: Only compute current once in flush_old_exec Eric W. Biederman
2020-03-09 13:56 ` Bernd Edlinger
2020-03-09 17:34 ` Eric W. Biederman
2020-03-09 17:56 ` Bernd Edlinger
2020-03-09 19:27 ` Bernd Edlinger
2020-03-10 20:17 ` Kees Cook
2020-03-10 21:12 ` Christian Brauner
2020-03-08 21:36 ` [PATCH v2 2/5] exec: Factor unshare_sighand out of de_thread and call it separately Eric W. Biederman
2020-03-09 19:28 ` Bernd Edlinger
2020-03-10 20:29 ` Kees Cook
2020-03-10 20:34 ` Bernd Edlinger
2020-03-10 20:57 ` Kees Cook
2020-03-10 21:21 ` Christian Brauner
2020-03-08 21:36 ` [PATCH v2 3/5] exec: Move cleanup of posix timers on exec out of de_thread Eric W. Biederman
2020-03-09 19:30 ` Bernd Edlinger
2020-03-09 19:59 ` Christian Brauner
2020-03-09 20:06 ` Eric W. Biederman
2020-03-09 20:17 ` Christian Brauner
2020-03-09 20:48 ` Eric W. Biederman
2020-03-10 8:55 ` Christian Brauner
2020-03-10 18:52 ` [PATCH] pidfd: Stop taking cred_guard_mutex Eric W. Biederman
2020-03-10 19:15 ` Christian Brauner
2020-03-10 19:16 ` Jann Horn
2020-03-10 19:27 ` Eric W. Biederman
2020-03-10 20:00 ` Jann Horn
2020-03-10 20:10 ` Jann Horn
2020-03-10 20:22 ` Bernd Edlinger
2020-03-11 6:11 ` Bernd Edlinger
2020-03-11 14:56 ` Jann Horn
2020-03-10 20:57 ` Eric W. Biederman
2020-03-10 21:29 ` Christian Brauner
2020-03-11 18:49 ` Kees Cook
2020-03-14 9:12 ` [PATCH] pidfd: Use new infrastructure to fix deadlocks in execve Bernd Edlinger
2020-03-10 20:16 ` [PATCH v2 3/5] exec: Move cleanup of posix timers on exec out of de_thread Kees Cook
2020-03-10 20:31 ` Kees Cook
2020-03-10 20:57 ` Jann Horn
2020-03-10 21:05 ` Eric W. Biederman
2020-03-10 21:22 ` Christian Brauner
2020-03-08 21:38 ` [PATCH v2 4/5] exec: Move exec_mmap right after de_thread in flush_old_exec Eric W. Biederman
2020-03-09 19:34 ` Bernd Edlinger
2020-03-09 19:45 ` Eric W. Biederman
2020-03-09 19:52 ` Bernd Edlinger
2020-03-09 19:58 ` Eric W. Biederman
2020-03-09 20:03 ` Bernd Edlinger
2020-03-09 20:35 ` Eric W. Biederman
2020-03-10 20:44 ` Kees Cook
2020-03-10 21:20 ` Eric W. Biederman
2020-03-10 20:47 ` Kees Cook
2020-03-10 21:09 ` Eric W. Biederman
2020-03-08 21:38 ` [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex Eric W. Biederman
2020-03-09 13:45 ` Bernd Edlinger
2020-03-09 17:40 ` Eric W. Biederman
2020-03-09 18:01 ` Bernd Edlinger
2020-03-09 18:10 ` Eric W. Biederman
2020-03-09 18:24 ` Eric W. Biederman
2020-03-09 18:36 ` Eric W. Biederman
2020-03-09 18:47 ` Bernd Edlinger
2020-03-09 19:02 ` Eric W. Biederman
2020-03-09 19:24 ` Bernd Edlinger
2020-03-09 19:35 ` Eric W. Biederman
2020-03-09 19:39 ` Eric W. Biederman
2020-03-10 13:43 ` [PATCH 0/4] Use new infrastructure to fix deadlocks in execve Bernd Edlinger
2020-03-10 15:35 ` Eric W. Biederman
2020-03-10 17:44 ` [PATCH 0/4] Use new infrastructure in more simple cases Bernd Edlinger
2020-03-10 17:45 ` [PATCH 1/4] kernel/kcmp.c: Use new infrastructure to fix deadlocks in execve Bernd Edlinger
2020-03-10 19:01 ` Eric W. Biederman
2020-03-10 19:42 ` Bernd Edlinger
2020-03-10 17:45 ` [PATCH 2/4] proc: " Bernd Edlinger
2020-03-11 18:59 ` Kees Cook
2020-03-11 19:10 ` Kees Cook
2020-03-11 19:38 ` Bernd Edlinger
2020-03-10 17:45 ` [PATCH 3/4] proc: io_accounting: " Bernd Edlinger
2020-03-10 19:06 ` Eric W. Biederman
2020-03-10 20:19 ` Bernd Edlinger
2020-03-10 21:25 ` Eric W. Biederman
2020-03-11 19:08 ` Kees Cook
2020-03-11 19:48 ` Bernd Edlinger
2020-03-11 19:48 ` Eric W. Biederman
2020-03-10 17:45 ` [PATCH 4/4] perf: " Bernd Edlinger
2020-03-10 13:43 ` [PATCH 1/4] exec: Fix a deadlock in ptrace Bernd Edlinger
2020-03-10 15:13 ` Eric W. Biederman
2020-03-10 15:17 ` Bernd Edlinger
2020-03-10 21:00 ` Kees Cook
2020-03-10 13:44 ` [PATCH 2/4] selftests/ptrace: add test cases for dead-locks Bernd Edlinger
2020-03-10 21:36 ` Kees Cook
2020-03-10 22:41 ` Dmitry V. Levin
2020-03-10 13:44 ` [PATCH 3/4] mm: docs: Fix a comment in process_vm_rw_core Bernd Edlinger
2020-03-11 18:53 ` Kees Cook
2020-03-10 13:44 ` [PATCH 4/4] kernel: doc: remove outdated comment cred.c Bernd Edlinger
2020-03-11 18:54 ` Kees Cook
2020-03-09 19:33 ` [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex Dmitry V. Levin
2020-03-09 19:42 ` Eric W. Biederman
2020-03-10 20:55 ` Kees Cook
2020-03-10 21:02 ` Eric W. Biederman
2020-03-10 21:21 ` Jann Horn
2020-03-10 21:30 ` Eric W. Biederman
2020-03-10 23:21 ` Jann Horn
2020-03-11 0:15 ` Eric W. Biederman
2020-03-11 6:33 ` Bernd Edlinger
2020-03-11 16:29 ` Eric W. Biederman
2020-03-11 13:18 ` Qian Cai
2020-03-12 10:27 ` Kirill Tkhai
2020-03-12 12:24 ` Eric W. Biederman
2020-03-12 13:45 ` Kirill Tkhai
2020-03-12 14:38 ` Eric W. Biederman [this message]
2020-03-12 15:23 ` Kirill Tkhai
2020-03-13 1:05 ` Bernd Edlinger
2020-03-13 9:13 ` Kirill Tkhai
2020-03-14 9:11 ` [PATCH v3 " Bernd Edlinger
2020-03-17 8:56 ` Kirill Tkhai
2020-03-17 21:53 ` Bernd Edlinger
2020-03-18 12:22 ` Kirill Tkhai
2020-03-18 20:06 ` Bernd Edlinger
2020-03-19 7:13 ` Kirill Tkhai
2020-03-19 7:19 ` Bernd Edlinger
2020-03-19 9:11 ` [PATCH v4 3/5] " Bernd Edlinger
2020-03-19 9:13 ` Bernd Edlinger
2020-03-19 9:19 ` Greg Kroah-Hartman
2020-03-19 9:20 ` Bernd Edlinger
2020-03-21 22:53 ` Bernd Edlinger
2020-03-14 9:12 ` [PATCH 0/2] exec: Fix dead-lock in de_thread with ptrace_attach Bernd Edlinger
2020-03-14 9:12 ` [PATCH 1/2] " Bernd Edlinger
2020-03-14 9:13 ` [PATCH 2/2] doc: Update documentation of ->exec_*_mutex Bernd Edlinger
2020-03-14 9:57 ` [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex Bernd Edlinger
2020-03-14 10:02 ` Bernd Edlinger
2020-03-17 8:58 ` Kirill Tkhai
2020-03-09 13:58 ` [PATCH 0/5] Infrastructure to allow fixing exec deadlocks Bernd Edlinger
2020-03-03 16:50 ` [PATCHv5] exec: Fix a deadlock in ptrace Christian Brauner
2020-03-02 12:28 ` [PATCHv2] " Oleg Nesterov
2020-03-02 15:56 ` Bernd Edlinger
2020-03-02 7:47 ` [PATCH] " Christian Brauner
2020-03-02 7:48 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87lfo5lju6.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=aarcange@redhat.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=avagin@gmail.com \
--cc=bernd.edlinger@hotmail.de \
--cc=bigeasy@linutronix.de \
--cc=christian.brauner@ubuntu.com \
--cc=christian@kellner.me \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=david@redhat.com \
--cc=dhowells@redhat.com \
--cc=duyuyang@gmail.com \
--cc=frederic@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=jgg@ziepe.ca \
--cc=keescook@chromium.org \
--cc=ktkhai@virtuozzo.com \
--cc=ldv@altlinux.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=shakeelb@google.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).