Date: Sun, 23 Mar 2025 21:57:23 +0100
From: Christian Brauner
To: Oleg Nesterov
Cc: Al Viro, Kees Cook, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)
Message-ID: <20250323-haftverschonung-rochen-22c230317a23@brauner>

On Sun, Mar 23, 2025 at 07:14:21PM +0100, Oleg Nesterov wrote:
> On 03/22, Al Viro wrote:
> >
> > On Sat, Mar 22, 2025 at 04:55:39PM +0100, Oleg Nesterov wrote:
> >
> > > And this means that we just need to ensure that ->in_exec is cleared
> > > before this mutex is dropped, no? Something like below?
> >
> > Probably should work, but I wonder if it would be cleaner to have
> > ->in_exec replaced with pointer to task_struct responsible. Not
> > "somebody with that fs_struct for ->fs is trying to do execve(),
> > has verified that nothing outside of their threads is using this
> > and had been holding ->signal->cred_guard_mutex ever since then",
> > but "this is the thread that..."
>
> perhaps... or something else to make this "not immediately obvious"
> fs->in_exec more clear.

Well, it would certainly help to document that cred_guard_mutex
serializes concurrent exec. This is kind of important information given
that begin_new_exec() and finalize_exec() are only called from
->load_binary() and are thus always located in the individual
binfmt_*.c files. That makes this pretty implicit information.

Let alone that the unlocking is all based on bprm->cred being set or
unset.

Otherwise the patch looks good to me.

>
> But I guess we need something simple for -stable, so will you agree
> with this fix for now? Apart from changelog/comments.
>
> 	retval = de_thread(me);
> +	current->fs->in_exec = 0;
> 	if (retval)
> 		current->fs->in_exec = 0;
>
> is correct but looks confusing. See "V2" below, it clears fs->in_exec
> after the "if (retval)" check.
>
> syzbot says:
>
> 	Unfortunately, I don't have any reproducer for this issue yet.
>
> so I guess "#syz test: " is pointless right now...
>
> Oleg.
> ---
>
> diff --git a/fs/exec.c b/fs/exec.c > index 506cd411f4ac..02e8824fc9cd 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1236,6 +1236,7 @@ int begin_new_exec(struct linux_binprm * bprm) > if (retval) > goto out; > > + current->fs->in_exec = 0; > /* > * Cancel any io_uring activity across execve > */ > @@ -1497,6 +1498,8 @@ static void free_bprm(struct linux_binprm *bprm) > } > free_arg_pages(bprm); > if (bprm->cred) { > + // for the case exec fails before de_thread() > + current->fs->in_exec = 0; > mutex_unlock(¤t->signal->cred_guard_mutex); > abort_creds(bprm->cred); > }
> @@ -1862,7 +1865,6 @@ static int bprm_execve(struct linux_binprm *bprm) > > sched_mm_cid_after_execve(current); > /* execve succeeded */ > - current->fs->in_exec = 0; > current->in_execve = 0; > rseq_execve(current); > user_events_execve(current); > @@ -1881,7 +1883,6 @@ static int bprm_execve(struct linux_binprm *bprm) > force_fatal_sig(SIGSEGV); > > sched_mm_cid_after_execve(current); > - current->fs->in_exec = 0; > current->in_execve = 0; > > return retval; >
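
Review bot: The store added in the begin_new_exec() hunk (@@ -1236,6 +1236,7 @@), right after the "if (retval) goto out;" check, has no comment even though it is the line the fix depends on. A short comment above it saying that fs->in_exec has to be cleared while ->signal->cred_guard_mutex is still held would make the ordering requirement visible at the site, and a blank line between the store and the io_uring comment block would keep the two steps apart.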
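
Review bot: In the free_bprm() hunk (@@ -1497,6 +1498,8 @@) the new comment uses "//" while the other comments visible in this patch are "/* */" blocks, and it says when the path is taken but not why the store sits where it does. Suggest a block comment stating that the clear must come before the mutex_unlock() of cred_guard_mutex on the next line, and that it relies on bprm->cred still being set.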
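
Review bot: With the store removed from the failure path at the end of bprm_execve() (@@ -1881,7 +1883,6 @@), a failed exec clears fs->in_exec only through the "if (bprm->cred)" branch in free_bprm(). The changelog should say why bprm->cred is still set on every failure path that gets here with in_exec set, since otherwise the flag would stay set after the error return. The matching removal in the success hunk (@@ -1862,7 +1865,6 @@) leaves "current->in_execve = 0" in place, so it is also worth noting there that the two similarly named flags are now cleared in different functions.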