From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F0E5C2BB1D for ; Fri, 13 Mar 2020 09:13:43 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 0C6252073E for ; Fri, 13 Mar 2020 09:13:43 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0C6252073E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=virtuozzo.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id AFA256B0005; Fri, 13 Mar 2020 05:13:42 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id AAAA96B0006; Fri, 13 Mar 2020 05:13:42 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 972EE6B0007; Fri, 13 Mar 2020 05:13:42 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0171.hostedemail.com [216.40.44.171]) by kanga.kvack.org (Postfix) with ESMTP id 7EF616B0005 for ; Fri, 13 Mar 2020 05:13:42 -0400 (EDT) Received: from smtpin12.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 3A7DC8248D7C for ; Fri, 13 Mar 2020 09:13:42 +0000 (UTC) X-FDA: 76589776284.12.store52_779a02beb321e X-HE-Tag: store52_779a02beb321e X-Filterd-Recvd-Size: 7081 Received: from relay.sw.ru (relay.sw.ru [185.231.240.75]) by imf40.hostedemail.com (Postfix) with ESMTP for ; Fri, 13 Mar 2020 09:13:41 +0000 (UTC) Received: from dhcp-172-16-24-104.sw.ru ([172.16.24.104]) by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1jCgNL-0005Fb-2f; Fri, 13 Mar 2020 12:13:03 +0300 Subject: Re: [PATCH v2 5/5] exec: Add a exec_update_mutex to replace cred_guard_mutex To: Bernd Edlinger , "Eric W. Biederman" Cc: Christian Brauner , Kees Cook , Jann Horn , Jonathan Corbet , Alexander Viro , Andrew Morton , Alexey Dobriyan , Thomas Gleixner , Oleg Nesterov , Frederic Weisbecker , Andrei Vagin , Ingo Molnar , "Peter Zijlstra (Intel)" , Yuyang Du , David Hildenbrand , Sebastian Andrzej Siewior , Anshuman Khandual , David Howells , James Morris , Greg Kroah-Hartman , Shakeel Butt , Jason Gunthorpe , Christian Kellner , Andrea Arcangeli , Aleksa Sarai , "Dmitry V. Levin" , "linux-doc@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "linux-mm@kvack.org" , "stable@vger.kernel.org" , "linux-api@vger.kernel.org" References: <87v9nlii0b.fsf@x220.int.ebiederm.org> <87a74xi4kz.fsf@x220.int.ebiederm.org> <87r1y8dqqz.fsf@x220.int.ebiederm.org> <87tv32cxmf.fsf_-_@x220.int.ebiederm.org> <87v9ne5y4y.fsf_-_@x220.int.ebiederm.org> <87zhcq4jdj.fsf_-_@x220.int.ebiederm.org> <87d09hn4kt.fsf@x220.int.ebiederm.org> <87lfo5lju6.fsf@x220.int.ebiederm.org> From: Kirill Tkhai Message-ID: <6002ac56-025a-d50f-e89d-1bf42a072323@virtuozzo.com> Date: Fri, 13 Mar 2020 12:13:02 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 13.03.2020 04:05, Bernd Edlinger wrote: > On 3/12/20 3:38 PM, Eric W. Biederman wrote: >> Kirill Tkhai writes: >> >>> On 12.03.2020 15:24, Eric W. Biederman wrote: >>>> >>>> I actually need to switch the lock ordering here, and I haven't yet >>>> because my son was sick yesterday. > > All the best wishes to you and your son. I hope he will get well soon. > > And sorry for not missing the issue in the review. The reason turns > out that bprm_mm_init is called after prepare_bprm_creds, but there > are error pathes between those where free_bprm is called up with > cred != NULL and mm == NULL, but the mutex not locked. > > I figured out a possible fix for the problem that was pointed out: > > > From ceb6f65b52b3a7f0280f4f20509a1564a439edf6 Mon Sep 17 00:00:00 2001 > From: Bernd Edlinger > Date: Wed, 11 Mar 2020 15:31:07 +0100 > Subject: [PATCH] Fix issues with exec_update_mutex > > Signed-off-by: Bernd Edlinger > --- > fs/exec.c | 17 ++++++++++------- > 1 file changed, 10 insertions(+), 7 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index ffeebb1..cde4937 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1021,8 +1021,14 @@ static int exec_mmap(struct mm_struct *mm) > old_mm = current->mm; > exec_mm_release(tsk, old_mm); > > - if (old_mm) { > + if (old_mm) > sync_mm_rss(old_mm); > + > + ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); > + if (ret) > + return ret; > + > + if (old_mm) { > /* > * Make sure that if there is a core dump in progress > * for the old mm, we get out and die instead of going > @@ -1032,14 +1038,11 @@ static int exec_mmap(struct mm_struct *mm) > down_read(&old_mm->mmap_sem); > if (unlikely(old_mm->core_state)) { > up_read(&old_mm->mmap_sem); > + mutex_unlock(&tsk->signal->exec_update_mutex); > return -EINTR; > } > } > > - ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); > - if (ret) > - return ret; > - > task_lock(tsk); > active_mm = tsk->active_mm; > membarrier_exec_mmap(mm); > @@ -1444,8 +1447,6 @@ static void free_bprm(struct linux_binprm *bprm) > { > free_arg_pages(bprm); > if (bprm->cred) { > - if (!bprm->mm) > - mutex_unlock(¤t->signal->exec_update_mutex); > mutex_unlock(¤t->signal->cred_guard_mutex); > abort_creds(bprm->cred); > } > @@ -1846,6 +1847,8 @@ static int __do_execve_file(int fd, struct filename *filename, > would_dump(bprm, bprm->file); > > retval = exec_binprm(bprm); > + if (bprm->cred && !bprm->mm) > + mutex_unlock(¤t->signal->exec_update_mutex); Despite this should fix the problem, this looks like a broken puzzle. We can't use bprm->cred as an identifier whether the mutex was locked or not. We can check for bprm->cred in regard to cred_guard_mutex, because of there is strong rule: "cred_guard_mutex is becomes locked together with bprm->cred assignment (see prepare_bprm_creds()), and it becomes unlocked together with bprm->cred zeroing". Take attention on modularity of all this: there is no dependencies between anything else. In regard to newly introduced exec_update_mutex, your fix and source patch way look like an obfuscation. The mutex becomes deadly glued to unrelated bprm->cred and bprm->mm, and this introduces the problems in the future modifications and support of all involved entities. If someone wants to move some functions in relation to each other, there will be a pain, and this person will have to go again the same dependencies and bug way, Eric stepped on in the original patch.