From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FDACC369DC for ; Tue, 29 Apr 2025 15:50:39 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3F6F96B0007; Tue, 29 Apr 2025 11:50:38 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 3A5206B0008; Tue, 29 Apr 2025 11:50:38 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 26F286B000C; Tue, 29 Apr 2025 11:50:38 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 0593B6B0007 for ; Tue, 29 Apr 2025 11:50:37 -0400 (EDT) Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 34E451A0897 for ; Tue, 29 Apr 2025 15:50:38 +0000 (UTC) X-FDA: 83387518956.21.10FAB00 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf20.hostedemail.com (Postfix) with ESMTP id E12FE1C0015 for ; Tue, 29 Apr 2025 15:50:35 +0000 (UTC) Authentication-Results: imf20.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="QAhAYZ//"; spf=pass (imf20.hostedemail.com: domain of oleg@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=oleg@redhat.com; dmarc=pass (policy=quarantine) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1745941836; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=mzyuIC5lN8iw0yHtCMolMLvXO2aa9rMo4MO2VDH7oxk=; b=0XZNXz6lX9Tyabc5iuWkhe4YByHRsWiJXM4hKYVFxDWAQfXfBbNxSO+FzYuqDMP7RxonmY awa4MHpTiyKKGV2aj9bcN2dV7T3F7gXlrpCGaeg9HiTUbStJ4MNaemO/sdqPYZ2Nls7kAL w2lhQvCP6e4z3h5Jxf/JJ+8JCM1FY9Y= ARC-Authentication-Results: i=1; imf20.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b="QAhAYZ//"; spf=pass (imf20.hostedemail.com: domain of oleg@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=oleg@redhat.com; dmarc=pass (policy=quarantine) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1745941836; a=rsa-sha256; cv=none; b=EcdVjccHykVlUiX97uWfs/xStb2YCW+1kLOOQN0QZkWF6LXlNaTG11LF+KY+GGzqSOkmuF KRew4hAxiQ7UDAQdplBy9nlvtufpBjkI+3JlWPGJXtzSjERcA3tAtbkUHCyIzJayp6ts3i F3VIsd6EbT02GT8ASMPy2IBdjxq5PSE= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1745941835; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=mzyuIC5lN8iw0yHtCMolMLvXO2aa9rMo4MO2VDH7oxk=; b=QAhAYZ//DNCM6Jzti3BSjy+VE67XPH2xiFYFoIc6a7Vz1b5OoH7Fh2G1HagUGmcYCWg85J kdUUoji0oHkqn7v/xTtDlhaLz0QAGRjwRxfDzbY6qKDZnnF9CfLU6FH+uSzbf4NmO6+7sH 5xME738Xk9zS2kN0+9t/JafUo3py0fo= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-517-PK0iwh_NP1SddwatWXB-yg-1; Tue, 29 Apr 2025 11:50:30 -0400 X-MC-Unique: PK0iwh_NP1SddwatWXB-yg-1 X-Mimecast-MFC-AGG-ID: PK0iwh_NP1SddwatWXB-yg_1745941829 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 2315D1800878; Tue, 29 Apr 2025 15:50:29 +0000 (UTC) Received: from dhcp-27-174.brq.redhat.com (unknown [10.44.34.224]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with SMTP id 6B435195608D; Tue, 29 Apr 2025 15:50:25 +0000 (UTC) Received: by dhcp-27-174.brq.redhat.com (nbSMTP-1.00) for uid 1000 oleg@redhat.com; Tue, 29 Apr 2025 17:49:49 +0200 (CEST) Date: Tue, 29 Apr 2025 17:49:44 +0200 From: Oleg Nesterov To: brauner@kernel.org, kees@kernel.org, viro@zeniv.linux.org.uk Cc: jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, mjguzik@gmail.com, Michal Hocko Subject: Re: [PATCH] exec: fix the racy usage of fs_struct->in_exec Message-ID: <20250429154944.GA18907@redhat.com> References: <67dc67f0.050a0220.25ae54.001f.GAE@google.com> <20250324160003.GA8878@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20250324160003.GA8878@redhat.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 X-Rspam-User: X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: E12FE1C0015 X-Stat-Signature: fc5fekeyq66qgibpd9kea37b4uihs4kk X-HE-Tag: 1745941835-917828 X-HE-Meta: U2FsdGVkX1/O303IlohbhdsuvCJaz9Im5UF8D5dtG8CTfn/yVO+SJ7Y+aI2zjLdaHrKD2qIUVMD5/H25T/UmKYdo84tpIopf9wsiX9E5aH4VvBMqdu9h3/OVUPpS/8QJ4iZYpQB2BFJwwoteg1BeCbRm39RKrGN8y+AY21kzxBw6HSnmn2Q8CYRt7NnDXHwDapVbe+Nvmiri5lEMG+KmK90skrgt8E+jFlsJ+AUxEsqQXKYxhJsnaqOoiEh5beSL/vSDcrHwc6wpXc55H0yVN0DEsShzS0jojzU/oRta3HAvq6YozbUZl6LAy5qFJb5jyv1rkBC9kPZyyp1qSaIanci1HMY/cEbDKzPptvhabKKqyGCl0/bR69ixDik0B43qhiVe+D30Xjm0z3qGmwknLrfvtNWGkPtHN2rUqVoarDNnZVxW7Goe/JY9jXU1W13D9U3vnhBeXpcfRy3wtPRkRsJFOGCV95jOFIyZ7C06PNR42Phv9oxHORJd5cVdZw9rzbbLn0GmMW9+1ZPDyopGbGgDyR0Lo2Yq8cdF10nqEZviiyZVtQIsiot+t5ds54FxRvJ7x6YJe/Mawe4RYZVz/ieJrINPLgbC7yk1Fd/mVLhMbaLp6ae0zYTQTqXuDbPYRCtW+BPBFrg/6TWvTtAqs/8FFk+SMcaoisc4xlRmEKLJjsa5kJmDZZ55oOYWqcIdO17sTLt+1oPk24b+vt+eXZAlrw9e73J7cxNJH1M80L3ofvHx6cr51o+CSOeKQacWPXH0JaO97z4lnfp8tYe5tIOLORsXhX6DeLQlSptVkLfey1kyfPMxl838C41Z30F22AJFIlnIx/RwILRRNZR4TOKLYYDmeiVvP/6qH15xjTOToSRPClyu3F7nB6BCgwykVqz+lrYhyr2CmTatI4uArJb1Yy1BMAeDF3k2qeq9jOhYjbyefpHiKO2mDIKm+0/54lIUPPEcv9y/XEb1S21 KXSjLgb+ TheCxIryh7TBqDc/yQ5bwABXrsrQakimJ+cpMH9hJKblqIn54CmUSTj2gAhe3xiac9h/vFDV23f3+FiPuL4V3cg5C/eWa2SE5Ff6t9mrYNg9DEKoHSoxXGFFEySqDejldM711E+ZO44T5z0NJvp4D2kheEfEiFVEmq3T2som8lLYrFUbyhgMer8+V7DpOgSyAIusu5meCX220MB4hAo1T+OMHYAHCCFzIqMUc1knJIXtBJEwGf92yXsu5yE6jjKHV0Kk2BIDl29qKkkzeEoy1/6zbCbsLMUY/lA7MlmeUTQVjk9YvpjndJU53uZKI5ZJRXSTes3baHiRO0SJvstn4xADuiOoY0Y8KQsBuqsbLXekEdZHsrLDaJINGTDnHAjs9z1RSbgbi+rCl9fQ6b+75nqUG3+FVIc6xjLjp X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Damn, I am stupid. On 03/24, Oleg Nesterov wrote: > > check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve() > paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it > fails we have the following race: > > T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex > > T2 sets fs->in_exec = 1 > > T1 clears fs->in_exec When I look at this code again, I think this race was not possible and thus this patch (applied as af7bb0d2ca45) was not needed. Yes, begin_new_exec() can drop cred_guard_mutex on failure, but only after de_thread() succeeds, when we can't race with another sub-thread. I hope this patch didn't make the things worse so we don't need to revert it. Plus I think it makes this (confusing) logic a bit more clear. Just, unless I am confused again, it wasn't really needed. ----------------------------------------------------------------------------- But. I didn't read the original report from syzbot, https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/#t because I wasn't CC'ed. and then - sorry Kees!!! - I didn't bother to read your first reply carefully. So yes, with or without this patch the "if (fs->in_exec)" check in copy_fs() can obviously hit the 1 -> 0 transition. This is harmless, but should be probably fixed just to avoid another report from KCSAN. I do not want to add another spin_lock(fs->lock). We can change copy_fs() to use data_race(), but I'd prefer the patch below. Yes, it needs the additional comment(s) to explain READ_ONCE(). What do you think? Did I miss somthing again??? Quite possibly... Mateusz, I hope you will cleanup this horror sooner or later ;) Oleg. --- diff --git a/fs/exec.c b/fs/exec.c index 5d1c0d2dc403..42a7f9b43911 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1495,7 +1495,7 @@ static void free_bprm(struct linux_binprm *bprm) free_arg_pages(bprm); if (bprm->cred) { /* in case exec fails before de_thread() succeeds */ - current->fs->in_exec = 0; + WRITE_ONCE(current->fs->in_exec, 0); mutex_unlock(¤t->signal->cred_guard_mutex); abort_creds(bprm->cred); } diff --git a/kernel/fork.c b/kernel/fork.c index 4c2df3816728..381af8c8ece8 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1802,7 +1802,7 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk) /* tsk->fs is already what we want */ spin_lock(&fs->lock); /* "users" and "in_exec" locked for check_unsafe_exec() */ - if (fs->in_exec) { + if (READ_ONCE(fs->in_exec)) { spin_unlock(&fs->lock); return -EAGAIN; }