From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=cph+=44=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,
	URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1A377C2BB1D
	for <linux-mm@archiver.kernel.org>; Wed, 11 Mar 2020 19:51:21 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 06DCA20737
	for <linux-mm@archiver.kernel.org>; Wed, 11 Mar 2020 19:51:19 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 06DCA20737
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=xmission.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 5A62A6B000A; Wed, 11 Mar 2020 15:51:18 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 57DCA6B000C; Wed, 11 Mar 2020 15:51:18 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 492DE6B000D; Wed, 11 Mar 2020 15:51:18 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0099.hostedemail.com [216.40.44.99])
	by kanga.kvack.org (Postfix) with ESMTP id 325276B000A
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 15:51:18 -0400 (EDT)
Received: from smtpin24.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id E32F41EF1
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 19:51:17 +0000 (UTC)
X-FDA: 76584125394.24.burn36_2856a130b0240
X-HE-Tag: burn36_2856a130b0240
X-Filterd-Recvd-Size: 7451
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231])
	by imf49.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Wed, 11 Mar 2020 19:51:17 +0000 (UTC)
Received: from in01.mta.xmission.com ([166.70.13.51])
	by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.90_1)
	(envelope-from <ebiederm@xmission.com>)
	id 1jC7Nn-0003gw-M1; Wed, 11 Mar 2020 13:51:11 -0600
Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com)
	by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.87)
	(envelope-from <ebiederm@xmission.com>)
	id 1jC7Nm-0007Ul-Q4; Wed, 11 Mar 2020 13:51:11 -0600
From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: Bernd Edlinger <bernd.edlinger@hotmail.de>,  Christian Brauner
 <christian.brauner@ubuntu.com>,  Jann Horn <jannh@google.com>,  Jonathan
 Corbet <corbet@lwn.net>,  Alexander Viro <viro@zeniv.linux.org.uk>,
  Andrew Morton <akpm@linux-foundation.org>,  Alexey Dobriyan
 <adobriyan@gmail.com>,  Thomas Gleixner <tglx@linutronix.de>,  Oleg
 Nesterov <oleg@redhat.com>,  Frederic Weisbecker <frederic@kernel.org>,
  Andrei Vagin <avagin@gmail.com>,  Ingo Molnar <mingo@kernel.org>,  "Peter
 Zijlstra \(Intel\)" <peterz@infradead.org>,  Yuyang Du <duyuyang@gmail.com>,
  David Hildenbrand <david@redhat.com>,  Sebastian Andrzej Siewior
 <bigeasy@linutronix.de>,  Anshuman Khandual <anshuman.khandual@arm.com>,
  David Howells <dhowells@redhat.com>,  James Morris
 <jamorris@linux.microsoft.com>,  Greg Kroah-Hartman
 <gregkh@linuxfoundation.org>,  Shakeel Butt <shakeelb@google.com>,  Jason
 Gunthorpe <jgg@ziepe.ca>,  Christian Kellner <christian@kellner.me>,
  Andrea Arcangeli <aarcange@redhat.com>,  Aleksa Sarai
 <cyphar@cyphar.com>,  "Dmitry V. Levin" <ldv@altlinux.org>,
  "linux-doc\@vger.kernel.org" <linux-doc@vger.kernel.org>,
  "linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
  "linux-fsdevel\@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
  "linux-mm\@kvack.org" <linux-mm@kvack.org>,  "stable\@vger.kernel.org"
 <stable@vger.kernel.org>,  "linux-api\@vger.kernel.org"
 <linux-api@vger.kernel.org>
References: <87r1y12yc7.fsf@x220.int.ebiederm.org>
	<87k13t2xpd.fsf@x220.int.ebiederm.org>
	<87d09l2x5n.fsf@x220.int.ebiederm.org>
	<AM6PR03MB5170F0F9DC18F5EA77C9A857E4FE0@AM6PR03MB5170.eurprd03.prod.outlook.com>
	<871rq12vxu.fsf@x220.int.ebiederm.org>
	<AM6PR03MB5170DF45E3245F55B95CCD91E4FE0@AM6PR03MB5170.eurprd03.prod.outlook.com>
	<877dzt1fnf.fsf@x220.int.ebiederm.org>
	<AM6PR03MB51701C6F60699F99C5C67E0BE4FF0@AM6PR03MB5170.eurprd03.prod.outlook.com>
	<875zfcxlwy.fsf@x220.int.ebiederm.org>
	<AM6PR03MB5170BD2476E35068E182EFA4E4FF0@AM6PR03MB5170.eurprd03.prod.outlook.com>
	<202003111203.738487D@keescook>
Date: Wed, 11 Mar 2020 14:48:50 -0500
In-Reply-To: <202003111203.738487D@keescook> (Kees Cook's message of "Wed, 11
	Mar 2020 12:08:08 -0700")
Message-ID: <87pndin04d.fsf@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1jC7Nm-0007Ul-Q4;;;mid=<87pndin04d.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1+d5+rrjcsoE4xtiynlnq3fJUCLMY6zpyU=
X-SA-Exim-Connect-IP: 68.227.160.95
X-SA-Exim-Mail-From: ebiederm@xmission.com
Subject: Re: [PATCH 3/4] proc: io_accounting: Use new infrastructure to fix deadlocks in execve
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Kees Cook <keescook@chromium.org> writes:

> On Tue, Mar 10, 2020 at 06:45:47PM +0100, Bernd Edlinger wrote:
>> This changes do_io_accounting to use the new exec_update_mutex
>> instead of cred_guard_mutex.
>> 
>> This fixes possible deadlocks when the trace is accessing
>> /proc/$pid/io for instance.
>> 
>> This should be safe, as the credentials are only used for reading.
>
> I'd like to see the rationale described better here for why it should be
> safe. I'm still not seeing why this is safe here, as we might check
> ptrace_may_access() with one cred and then iterate io accounting with a
> different credential...
>
> What am I missing?

The rational for non-regression is that exec_update_mutex covers all
of the same tsk->cred changes as cred_guard_mutex.  Therefore we are not
any worse off, and we avoid the deadlock.

As for safety.  Jann's argument that the only interesting credential
change is in exec applies.  All other credential changes that have any
effect on permission checks make the new cred non-dumpable (excepions
apply see the code).

So I think this is a non-regressing change.  A safe change.

I don't think either version of this code is fully correct.

Eric

>> Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
>> ---
>>  fs/proc/base.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>> 
>> diff --git a/fs/proc/base.c b/fs/proc/base.c
>> index 4fdfe4f..529d0c6 100644
>> --- a/fs/proc/base.c
>> +++ b/fs/proc/base.c
>> @@ -2770,7 +2770,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
>>  	unsigned long flags;
>>  	int result;
>>  
>> -	result = mutex_lock_killable(&task->signal->cred_guard_mutex);
>> +	result = mutex_lock_killable(&task->signal->exec_update_mutex);
>>  	if (result)
>>  		return result;
>>  
>> @@ -2806,7 +2806,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh
>>  	result = 0;
>>  
>>  out_unlock:
>> -	mutex_unlock(&task->signal->cred_guard_mutex);
>> +	mutex_unlock(&task->signal->exec_update_mutex);
>>  	return result;
>>  }
>>  
>> -- 
>> 1.9.1