From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 113ADC18E5B for ; Wed, 11 Mar 2020 00:17:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C7C8B227BF for ; Wed, 11 Mar 2020 00:17:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727695AbgCKARp (ORCPT ); Tue, 10 Mar 2020 20:17:45 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:40022 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726463AbgCKARp (ORCPT ); Tue, 10 Mar 2020 20:17:45 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jBp3z-0008FJ-R6; Tue, 10 Mar 2020 18:17:31 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1jBp3y-0000VK-Vy; Tue, 10 Mar 2020 18:17:31 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Jann Horn Cc: Bernd Edlinger , Christian Brauner , Kees Cook , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra \(Intel\)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc\@vger.kernel.org" , "linux-kernel\@vger.kernel.org" , "linux-fsdevel\@vger.kernel.org" , "linux-mm\@kvack.org" , "stable\@vger.kernel.org" , "linux-api\@vger.kernel.org" References: <875zfmloir.fsf@x220.int.ebiederm.org> <87v9nmjulm.fsf@x220.int.ebiederm.org> <202003021531.C77EF10@keescook> <20200303085802.eqn6jbhwxtmz4j2x@wittgenstein> <87v9nlii0b.fsf@x220.int.ebiederm.org> <87a74xi4kz.fsf@x220.int.ebiederm.org> <87r1y8dqqz.fsf@x220.int.ebiederm.org> <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87v9ne5y4y.fsf_-_@x220.int.ebiederm.org> <87zhcq4jdj.fsf_-_@x220.int.ebiederm.org> <87wo7roq2c.fsf@x220.int.ebiederm.org> Date: Tue, 10 Mar 2020 19:15:12 -0500 In-Reply-To: (Jann Horn's message of "Wed, 11 Mar 2020 00:21:49 +0100") Message-ID: <87k13roigf.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1jBp3y-0000VK-Vy;;;mid=<87k13roigf.fsf@x220.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX191GcjSpm9Har/C6Rc/ejl26zceokkfPxs= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org Jann Horn writes: > On Tue, Mar 10, 2020 at 10:33 PM Eric W. Biederman > wrote: >> Jann Horn writes: >> > On Sun, Mar 8, 2020 at 10:41 PM Eric W. Biederman wrote: >> >> The cred_guard_mutex is problematic. The cred_guard_mutex is held >> >> over the userspace accesses as the arguments from userspace are read. >> >> The cred_guard_mutex is held of PTRACE_EVENT_EXIT as the the other >> >> threads are killed. The cred_guard_mutex is held over >> >> "put_user(0, tsk->clear_child_tid)" in exit_mm(). >> >> >> >> Any of those can result in deadlock, as the cred_guard_mutex is held >> >> over a possible indefinite userspace waits for userspace. >> >> >> >> Add exec_update_mutex that is only held over exec updating process >> >> with the new contents of exec, so that code that needs not to be >> >> confused by exec changing the mm and the cred in ways that can not >> >> happen during ordinary execution of a process. >> >> >> >> The plan is to switch the users of cred_guard_mutex to >> >> exec_udpate_mutex one by one. This lets us move forward while still >> >> being careful and not introducing any regressions. >> > [...] >> >> @@ -1034,6 +1035,11 @@ static int exec_mmap(struct mm_struct *mm) >> >> return -EINTR; >> >> } >> >> } >> >> + >> >> + ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); >> >> + if (ret) >> >> + return ret; >> > >> > We're already holding the old mmap_sem, and now nest the >> > exec_update_mutex inside it; but then while still holding the >> > exec_update_mutex, we do mmput(), which can e.g. end up in ksm_exit(), >> > which can do down_write(&mm->mmap_sem) from __ksm_exit(). So I think >> > at least lockdep will be unhappy, and I'm not sure whether it's an >> > actual problem or not. >> >> Good point. I should double check the lock ordering here with mmap_sem. >> It doesn't look like mmput takes mmap_sem > > You sure about that? mmput() -> __mmput() -> ksm_exit() -> > __ksm_exit() -> down_write(&mm->mmap_sem) > > Or also: mmput() -> __mmput() -> khugepaged_exit() -> > __khugepaged_exit() -> down_write(&mm->mmap_sem) > > Or is there a reason why those paths can't happen? Clearly I didn't look far enough. I will adjust this so that exec_update_mutex is taken before mmap_sem. Anything else is just asking for trouble. Eric