Date: Fri, 21 Mar 2025 01:44:23 +0000
From: Al Viro
To: Kees Cook
Cc: Oleg Nesterov, brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <20250321014423.GA2023217@ZenIV>
References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <202503201225.92C5F5FB1@keescook>
In-Reply-To: <202503201225.92C5F5FB1@keescook>

On Thu, Mar 20, 2025 at 01:09:38PM -0700, Kees Cook wrote:
> What I can imagine here is two failing execs racing a fork:
>
> A start execve
> B fork with CLONE_FS
> C start execve, reach check_unsafe_exec(), set fs->in_exec
> A bprm_execve() failure, clear fs->in_exec
> B copy_fs() increment fs->users.
> C bprm_execve() failure, clear fs->in_exec
>
> But I don't think this is a "real" flaw, though, since the locking is to
> protect a _successful_ execve from a fork (i.e. getting the user count
> right). A successful execve will de_thread, and I don't see any wrong
> counting of fs->users with regard to thread lifetime.
>
> Did I miss something in the analysis? Should we perform locking anyway,
> or add data race annotations, or something else?

Umm... What if C succeeds, ending up with suid sharing ->fs?
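As an added illustration (not code from the thread or from the kernel), this userspace model replays Kees's A/B/C steps with the ending Al Viro asks about, C's exec succeeding. It assumes A, B and C are threads of one group sharing ->fs, uses sequential stand-ins named after check_unsafe_exec(), copy_fs() and bprm_execve() in place of the kernel's locking, and models de_thread() as dropping the other two threads' references to fs; the outcome struct and the in_window switch are my own.

```c
#include <stdbool.h>
/* Added illustration, not kernel code: a sequential userspace model of the
 * fs_struct fields the thread discusses, replaying the A/B/C interleaving.
 * Names mirror fs/exec.c and kernel/fork.c; the bodies are simplified. */
#define LSM_UNSAFE_SHARE 0x2                 /* the kernel's flag value */

struct fs_struct { int users; int in_exec; };
struct linux_binprm { int unsafe; };
struct outcome { int b_fork_rc; int users_after; int c_unsafe; bool invariant_holds; };

/* check_unsafe_exec(): n_fs counts threads of the exec'ing group that share fs. */
static void check_unsafe_exec(struct fs_struct *fs, struct linux_binprm *bprm, int n_fs)
{
    if (fs->users > n_fs)
        bprm->unsafe |= LSM_UNSAFE_SHARE;    /* a stranger holds fs: no suid */
    else
        fs->in_exec = 1;                     /* fence off CLONE_FS forks meanwhile */
}

/* copy_fs() for a CLONE_FS child: refused (-EAGAIN) while an exec is in flight. */
static int copy_fs(struct fs_struct *fs)
{
    if (fs->in_exec) return -1;
    fs->users++;
    return 0;
}

/* bprm_execve() clears the flag on both its failure and its success path. */
static void bprm_execve_done(struct fs_struct *fs) { fs->in_exec = 0; }
/* Replays the steps with C's exec succeeding (the case Al Viro raises);
 * in_window puts B's copy_fs() after A's clear instead of before it. */
struct outcome replay(bool in_window)
{
    const int n_fs = 3;                      /* threads A, B, C share one fs */
    struct fs_struct fs = { .users = n_fs, .in_exec = 0 };
    struct linux_binprm a = { 0 }, c = { 0 };
    struct outcome o = { 0 };
    check_unsafe_exec(&fs, &a, n_fs);                    /* A: start execve */
    if (!in_window) o.b_fork_rc = copy_fs(&fs);          /* B: fork refused */
    check_unsafe_exec(&fs, &c, n_fs);                    /* C: start execve */
    bprm_execve_done(&fs);                               /* A: fails, clears in_exec */
    if (in_window) o.b_fork_rc = copy_fs(&fs);           /* B: fork now succeeds */
    bprm_execve_done(&fs);                               /* C: setuid exec succeeds */
    fs.users -= n_fs - 1;                                /* de_thread(): A and B gone */
    o.users_after = fs.users; o.c_unsafe = c.unsafe;
    /* a setuid image left sharing fs must at least have been flagged unsafe */
    o.invariant_holds = fs.users == 1 || (c.unsafe & LSM_UNSAFE_SHARE);
    return o;
}
```

With the fork landing in the window, C's new image ends up with users == 2 and no LSM_UNSAFE_SHARE set, which is the state the flag exists to prevent; with the fork before A's clear it is refused and users ends at 1.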