From: "Eric W. Biederman"
To: Alexei Starovoitov
Cc: Yafang Shao, Linus Torvalds, linux-mm, Linux-Fsdevel, linux-trace-kernel, audit@vger.kernel.org, LSM List, selinux@vger.kernel.org, bpf, Alexander Viro, Christian Brauner, Jan Kara, Kees Cook
Subject: Re: [PATCH 1/6] fs/exec: Drop task_lock() inside __get_task_comm()
Date: Sun, 02 Jun 2024 12:52:07 -0500
Message-ID: <874jabdygo.fsf@email.froward.int.ebiederm.org>
References: <20240602023754.25443-1-laoar.shao@gmail.com> <20240602023754.25443-2-laoar.shao@gmail.com> <87ikysdmsi.fsf@email.froward.int.ebiederm.org>

Alexei Starovoitov writes:

> On Sat, Jun 1, 2024 at 11:57 PM Yafang Shao wrote:
>>
>> On Sun, Jun 2, 2024 at 11:52 AM Eric W. Biederman wrote:
>> >
>> > Yafang Shao writes:
>> >
>> > > Quoted from Linus [0]:
>> > >
>> > > Since user space can randomly change their names anyway, using locking
>> > > was always wrong for readers (for writers it probably does make sense
>> > > to have some lock - although practically speaking nobody cares there
>> > > either, but at least for a writer some kind of race could have
>> > > long-term mixed results
>> >
>> > Ugh.
>> > Ick.
>> >
>> > This code is buggy.
>> >
>> > I won't argue that Linus is wrong, about removing the
>> > task_lock.
>> >
>> > Unfortunately strscpy_pad does not work properly with the
>> > task_lock removed, and buf_size larger than TASK_COMM_LEN.
>> > There is a race that will allow reading past the end
>> > of tsk->comm, if we read while tsk->comm is being
>> > updated.
>>
>> It appears so. Thanks for pointing it out. Additionally, other code,
>> such as the BPF helper bpf_get_current_comm(), also uses strscpy_pad()
>> directly without the task_lock. It seems we should change that as
>> well.
>
> Hmm. What race do you see?
> If lock is removed from __get_task_comm() it probably can be removed from
> __set_task_comm() as well.
> And both are calling strscpy_pad to write and read comm.
> So I don't see how it would read past sizeof(comm),
> because 'buf' passed into __set_task_comm is NUL-terminated.
> So the concurrent read will find it.

The read may race with a write that is changing the location of '\0'.
Especially if the new value is shorter than the old value.

If you are performing lockless reads and depending upon a '\0'
terminator without limiting yourself to the size of the buffer
there needs to be a big fat comment as to how in the world
you are guaranteed that a '\0' inside the buffer will always
be found.

Eric
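
The difference between a reader that depends on the '\0' alone and one that limits itself to the size of the source buffer, as an added user-space example that is not part of the original message or of the kernel source. The `snapshot` bytes, `terminator_only_len`, `copy_bounded` and the `demo_*` helpers are constructed for illustration; the unterminated `comm` image is an assumed reader-visible state, not a trace of what the kernel's writer produces.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16                  /* size of tsk->comm */
#define MEM_LEN (TASK_COMM_LEN + 8)

/* Constructed memory image: bytes 0..15 stand for comm and hold no '\0'
 * (assumed reader-visible state); bytes 16..23 stand for whatever follows. */
static const char snapshot[MEM_LEN] = "AAAAAAAAAAAAAAAA" "NEXTFLD";
static char out[32];                      /* destination larger than comm */

/* Reader that relies on the terminator alone: bytes consumed before '\0'. */
static size_t terminator_only_len(const char *src, size_t hard_stop)
{
    size_t n = 0;
    while (n < hard_stop && src[n] != '\0')
        n++;
    return n;
}

/* Reader limited by the source size: touches at most src_size bytes of src,
 * reads each byte once, and always NUL-terminates and zero-pads dst. */
static size_t copy_bounded(char *dst, size_t dst_size,
                           const char *src, size_t src_size)
{
    size_t len = 0, limit = dst_size ? dst_size - 1 : 0;
    if (limit > src_size)
        limit = src_size;
    while (len < limit) {
        char c = ((const volatile char *)src)[len];   /* READ_ONCE() stand-in */
        if (c == '\0')
            break;
        dst[len++] = c;
    }
    if (dst_size)
        memset(dst + len, 0, dst_size - len);
    return len;
}

size_t demo_terminator_only(void) { return terminator_only_len(snapshot, MEM_LEN); }
size_t demo_bounded(size_t n) { return copy_bounded(out, n, snapshot, TASK_COMM_LEN); }

int main(void)
{
    printf("terminator-only reader consumed %zu bytes\n", demo_terminator_only());
    printf("bounded reader copied %zu bytes: %s\n", demo_bounded(sizeof(out)), out);
    return 0;
}
```

On this image the terminator-only reader walks 7 bytes into the neighbouring field, while the bounded reader stops at `TASK_COMM_LEN` even though its destination has room for more.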