From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB4FEC3F2CD for ; Sun, 1 Mar 2020 18:53:27 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 71283246B6 for ; Sun, 1 Mar 2020 18:53:27 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 71283246B6 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=ubuntu.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id D373B6B0005; Sun, 1 Mar 2020 13:53:26 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id CE70A6B0006; Sun, 1 Mar 2020 13:53:26 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BFCB06B0007; Sun, 1 Mar 2020 13:53:26 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0172.hostedemail.com [216.40.44.172]) by kanga.kvack.org (Postfix) with ESMTP id A91F16B0005 for ; Sun, 1 Mar 2020 13:53:26 -0500 (EST) Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 6F9C0252A0 for ; Sun, 1 Mar 2020 18:53:26 +0000 (UTC) X-FDA: 76547691612.07.rings03_7548aaf912d27 X-HE-Tag: rings03_7548aaf912d27 X-Filterd-Recvd-Size: 4163 Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by imf21.hostedemail.com (Postfix) with ESMTP for ; Sun, 1 Mar 2020 18:53:25 +0000 (UTC) Received: from ip5f5bf7ec.dynamic.kabel-deutschland.de ([95.91.247.236] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1j8Thm-0000Kp-An; Sun, 01 Mar 2020 18:52:46 +0000 Date: Sun, 1 Mar 2020 19:52:44 +0100 From: Christian Brauner To: Jann Horn Cc: Bernd Edlinger , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , "Eric W. Biederman" , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Kees Cook , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" Subject: Re: [PATCH] exec: Fix a deadlock in ptrace Message-ID: <20200301185244.zkofjus6xtgkx4s3@wittgenstein> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sun, Mar 01, 2020 at 07:21:03PM +0100, Jann Horn wrote: > On Sun, Mar 1, 2020 at 12:27 PM Bernd Edlinger > wrote: > > The proposed solution is to have a second mutex that is > > used in mm_access, so it is allowed to continue while the > > dying threads are not yet terminated. > > Just for context: When I proposed something similar back in 2016, > https://lore.kernel.org/linux-fsdevel/20161102181806.GB1112@redhat.com/ > was the resulting discussion thread. At least back then, I looked > through the various existing users of cred_guard_mutex, and the only > places that couldn't be converted to the new second mutex were > PTRACE_ATTACH and SECCOMP_FILTER_FLAG_TSYNC. > > > The ideal solution would IMO be something like this: Decide what the > new task's credentials should be *before* reaching de_thread(), > install them into a second cred* on the task (together with the new > dumpability), drop the cred_guard_mutex, and let ptrace_may_access() > check against both. After that, some further restructuring might even Hm, so essentially a private ptrace_access_cred member in task_struct? That would presumably also involve altering various LSM hooks to look at ptrace_access_cred. (Minor side-note, de_thread() takes a struct task_struct argument but only ever is passed current.) > allow the cred_guard_mutex to not be held across all of the VFS > operations that happen early on in execve, which may block > indefinitely. But that would be pretty complicated, so I think your > proposed solution makes sense for now, given that nobody has managed > to implement anything better in the last few years. Reading through the old threads and how often this issue came up, I tend to agree.