From: Oleg Nesterov <oleg@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Mika Penttilä" <mika.penttila@nextfour.com>,
"Aleksa Sarai" <asarai@suse.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Attila Fazekas" <afazekas@redhat.com>,
"Jann Horn" <jann@thejh.net>, "Kees Cook" <keescook@chromium.org>,
"Michal Hocko" <mhocko@kernel.org>,
"Ulrich Obergfell" <uobergfe@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH V2 1/2] exec: don't wait for zombie threads with cred_guard_mutex held
Date: Wed, 22 Feb 2017 18:41:03 +0100 [thread overview]
Message-ID: <20170222174102.GA19788@redhat.com> (raw)
In-Reply-To: <871surmh34.fsf@xmission.com>
On 02/22, Eric W. Biederman wrote:
>
> Oleg Nesterov <oleg@redhat.com> writes:
>
> >> Reducing the
> >> scope of cred_guard_mutex concerns me. There appear to be some fields
> >> like sighand that we currently expose in proc
> >
> > please see another email, collect_sigign_sigcatch() is called without this
> > mutex.
>
> I agree that it is called without the mutex. It is not clear to me that
> is the correct behavior.
I fail to understand how/why this can be wrong.
> >> Do you know if we can make cred_guard_mutex a per-task lock again?
> >
> > I think we can, but this needs some (afaics simple) changes too.
> >
> > But for what? Note that the problem fixed by this series won't go away
> > if we do this.
>
> I believe it will if the other waiters use mutex_lock_killable.
No. They already use mutex_lock_killable/interruptible. And the test-case
can be killed, it is not the hard-lockup.
> I really don't like the first patch.
Just in case, I don't really like it too. Simply because it makes execve
more complex, we need to wait for sub-threads twice.
> It makes an information leak part
> a required detail of the implementation and as such possibly something
> we can never change.
Again, I simply can't understand how flush_signal_handlers() outside of
cred_guard_mutex can be treated as information leak. Even _if_
collect_sigign_sigcatch() was called with this mutex held.
Or do you mean something else?
> I suspect that a good fix that respects that proc and ptrace_attach need
> to exclude the setuid exec case for semantic reasons would have a similar
> complexity.
I am not sure I understand how we can do this. We need cred_guard_mutex
or something else even if exec is not setuid and does not change the
credentials, an LSM module can nack exec-under-ptrace by any reason.
> I think fixing the deadlock is important.
Yes. People actually hit this bug, it was reported several times.
> Right now it feels like your fix in patch 1 makes things a bit more
> brittle and I don't like that at all.
See above, I am not proud of this change too. I even mentioned on 0/2
that it would be nice to reconsider this change in the long term.
But I do not see another simple and _backportable_ solution for now.
What do you think we can do instead for stable trees?
Oleg.
next prev parent reply other threads:[~2017-02-22 18:08 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-13 14:14 [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-02-13 14:15 ` [PATCH 1/2] exec: don't wait for zombie threads with cred_guard_mutex held Oleg Nesterov
2017-02-13 16:12 ` kbuild test robot
2017-02-13 16:47 ` Oleg Nesterov
2017-02-13 16:39 ` kbuild test robot
2017-02-13 17:27 ` Mika Penttilä
2017-02-13 18:01 ` Oleg Nesterov
2017-02-13 18:04 ` [PATCH V2 " Oleg Nesterov
2017-02-16 11:42 ` Eric W. Biederman
2017-02-20 15:22 ` Oleg Nesterov
2017-02-20 15:36 ` Oleg Nesterov
2017-02-20 22:30 ` Eric W. Biederman
2017-02-21 17:53 ` Oleg Nesterov
2017-02-21 20:20 ` Eric W. Biederman
2017-02-22 17:41 ` Oleg Nesterov [this message]
2017-02-17 4:42 ` Eric W. Biederman
2017-02-20 15:50 ` Oleg Nesterov
2017-02-13 14:15 ` [PATCH 2/2] ptrace: ensure PTRACE_EVENT_EXIT won't stop if the tracee is killed by exec Oleg Nesterov
2017-02-24 16:03 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
2017-03-03 1:05 ` Eric W. Biederman
2017-03-03 17:33 ` Oleg Nesterov
2017-03-03 18:23 ` Eric W. Biederman
2017-03-03 18:59 ` Eric W. Biederman
2017-03-03 20:06 ` Eric W. Biederman
2017-03-03 20:11 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Eric W. Biederman
2017-03-04 17:03 ` Oleg Nesterov
2017-03-30 8:07 ` Eric W. Biederman
2017-04-01 5:11 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Eric W. Biederman
2017-04-01 5:14 ` [RFC][PATCH 1/2] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-01 5:16 ` [RFC][PATCH 2/2] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-02 15:35 ` Oleg Nesterov
2017-04-02 18:53 ` Eric W. Biederman
2017-04-03 18:12 ` Oleg Nesterov
2017-04-03 21:04 ` Eric W. Biederman
2017-04-05 16:44 ` Oleg Nesterov
2017-04-02 15:38 ` [RFC][PATCH 0/2] exec: Fixing ptrace'd mulit-threaded hang Oleg Nesterov
2017-04-02 22:50 ` [RFC][PATCH v2 0/5] " Eric W. Biederman
2017-04-02 22:51 ` [RFC][PATCH v2 1/5] ptrace: Don't wait in PTRACE_O_TRACEEXIT for exec or coredump Eric W. Biederman
2017-04-05 16:19 ` Oleg Nesterov
2017-04-02 22:51 ` [RFC][PATCH v2 2/5] sighand: Count each thread group once in sighand_struct Eric W. Biederman
2017-04-02 22:52 ` [RFC][PATCH v2 3/5] clone: Disallown CLONE_THREAD with a shared sighand_struct Eric W. Biederman
2017-04-05 16:24 ` Oleg Nesterov
2017-04-05 17:34 ` Eric W. Biederman
2017-04-05 18:11 ` Oleg Nesterov
2017-04-02 22:53 ` [RFC][PATCH v2 4/5] exec: If possible don't wait for ptraced threads to be reaped Eric W. Biederman
2017-04-05 16:15 ` Oleg Nesterov
2017-04-02 22:57 ` [RFC][PATCH v2 5/5] signal: Don't allow accessing signal_struct by old threads after exec Eric W. Biederman
2017-04-05 16:18 ` Oleg Nesterov
2017-04-05 18:16 ` Eric W. Biederman
2017-04-06 15:48 ` Oleg Nesterov
2017-04-02 16:15 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Oleg Nesterov
2017-04-02 21:07 ` Eric W. Biederman
2017-04-03 18:37 ` Oleg Nesterov
2017-04-03 22:49 ` Eric W. Biederman
2017-04-03 22:49 ` scope of cred_guard_mutex Eric W. Biederman
2017-04-05 16:08 ` Oleg Nesterov
2017-04-05 16:11 ` Kees Cook
2017-04-05 17:53 ` Eric W. Biederman
2017-04-05 18:15 ` Oleg Nesterov
2017-04-06 15:55 ` Oleg Nesterov
2017-04-07 22:07 ` Kees Cook
2017-09-04 3:19 ` [RFC][PATCH] exec: Don't wait for ptraced threads to be reaped Robert O'Callahan
2017-03-04 16:54 ` [PATCH 0/2] fix the traced mt-exec deadlock Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170222174102.GA19788@redhat.com \
--to=oleg@redhat.com \
--cc=afazekas@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=asarai@suse.com \
--cc=ebiederm@xmission.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mhocko@kernel.org \
--cc=mika.penttila@nextfour.com \
--cc=uobergfe@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).