From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=vrBG=ND=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BDD55C4338F
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 16:59:09 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 2632C610A3
	for <linux-mm@archiver.kernel.org>; Thu, 12 Aug 2021 16:59:09 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 2632C610A3
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 5D2A88D0003; Thu, 12 Aug 2021 12:59:08 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 55A958D0001; Thu, 12 Aug 2021 12:59:08 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 3FBDB8D0003; Thu, 12 Aug 2021 12:59:08 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0245.hostedemail.com [216.40.44.245])
	by kanga.kvack.org (Postfix) with ESMTP id 238FF8D0001
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 12:59:08 -0400 (EDT)
Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with ESMTP id CF2881802BC6F
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 16:59:07 +0000 (UTC)
X-FDA: 78467038734.07.AE66ED9
Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51])
	by imf03.hostedemail.com (Postfix) with ESMTP id 88CBC3006672
	for <linux-mm@kvack.org>; Thu, 12 Aug 2021 16:59:07 +0000 (UTC)
Received: by mail-ed1-f51.google.com with SMTP id x14so10670914edr.12
        for <linux-mm@kvack.org>; Thu, 12 Aug 2021 09:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=nMdbm1Duu6T2o7Pmii6aGZ5IPzKeI0bawgd87K5hISA=;
        b=XKB75bis9tKuNhHX3eDTMKeSxlvftJ15dFdW/PqjC89Ur4xgXcznCXav012keKDr9q
         uVwQApi3YeYfIStj4+gOxYXeF8i11qPieLQ1yiCkx373DM+kh0ueZlzSltpcrquT6StP
         3ucAz74g4LfHvAL2yjncpx8WOYjTgEkJKVJzQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=nMdbm1Duu6T2o7Pmii6aGZ5IPzKeI0bawgd87K5hISA=;
        b=NxIWPw6qknKUn1yfeq1AdGeCPBZQteeKJgnww0FfdlyTY6jTfiHvcrbpKF6CxxythC
         g5dk5SRypF88bc83Zr7+KdGnHMquKc9jhH78kmJYX6P1nJIBCmrDh9i/0Q8RZjDsKGsg
         V7C51AdPhV4//1S8W5gan71gqA6e0TA3BXRJS5p/nigA+tdd/XZmO+agh8ARQUAUJx+J
         vPNi0x2ad9HlBt6m7ssvnM01JK96oSnCPCBfeTMuU4yTjNa1eGUpLd84PYQJN3evCaed
         M4vn0KAhRvHXMd2N8IA/4TIL+dtgUEFqXsfTICvgbB//ejAbSLr/IvYXAWIpdjlJLSP6
         aMRg==
X-Gm-Message-State: AOAM532B+tq9JQtudBdAoDOdNz0eX55jpLyRwl8GeSU4MGXcMwyZCepv
	uqqRdRucBFfmokw6rGSPclSrBB8wk/wA+K+AHN8=
X-Google-Smtp-Source: ABdhPJzRHZIrrXKeGO1iGQVv40D4BnUS6FEzVQKFAYizSBEAJe2FwapOIEUZM3xqbo7Ly865bzlOnA==
X-Received: by 2002:a05:6402:214d:: with SMTP id bq13mr6559151edb.263.1628787546052;
        Thu, 12 Aug 2021 09:59:06 -0700 (PDT)
Received: from mail-ej1-f54.google.com (mail-ej1-f54.google.com. [209.85.218.54])
        by smtp.gmail.com with ESMTPSA id a22sm1051290ejk.35.2021.08.12.09.59.05
        for <linux-mm@kvack.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 12 Aug 2021 09:59:05 -0700 (PDT)
Received: by mail-ej1-f54.google.com with SMTP id z20so12889962ejf.5
        for <linux-mm@kvack.org>; Thu, 12 Aug 2021 09:59:05 -0700 (PDT)
X-Received: by 2002:a05:6512:1290:: with SMTP id u16mr3010715lfs.487.1628787137615;
 Thu, 12 Aug 2021 09:52:17 -0700 (PDT)
MIME-Version: 1.0
References: <20210812084348.6521-1-david@redhat.com> <20210812084348.6521-4-david@redhat.com>
In-Reply-To: <20210812084348.6521-4-david@redhat.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 12 Aug 2021 06:51:59 -1000
X-Gmail-Original-Message-ID: <CAHk-=wjWgFbEaE9T0smQu8WKkhrcNZZrghBUQ9441OdMsDg1-w@mail.gmail.com>
Message-ID: <CAHk-=wjWgFbEaE9T0smQu8WKkhrcNZZrghBUQ9441OdMsDg1-w@mail.gmail.com>
Subject: Re: [PATCH v1 3/7] kernel/fork: always deny write access to current
 MM exe_file
To: David Hildenbrand <david@redhat.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, Andrew Morton <akpm@linux-foundation.org>, 
	Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>, 
	"H. Peter Anvin" <hpa@zytor.com>, Alexander Viro <viro@zeniv.linux.org.uk>, 
	Alexey Dobriyan <adobriyan@gmail.com>, Steven Rostedt <rostedt@goodmis.org>, 
	Peter Zijlstra <peterz@infradead.org>, Arnaldo Carvalho de Melo <acme@kernel.org>, 
	Mark Rutland <mark.rutland@arm.com>, 
	Alexander Shishkin <alexander.shishkin@linux.intel.com>, Jiri Olsa <jolsa@redhat.com>, 
	Namhyung Kim <namhyung@kernel.org>, Petr Mladek <pmladek@suse.com>, 
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>, 
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>, 
	Rasmus Villemoes <linux@rasmusvillemoes.dk>, Kees Cook <keescook@chromium.org>, 
	"Eric W. Biederman" <ebiederm@xmission.com>, Greg Ungerer <gerg@linux-m68k.org>, 
	Geert Uytterhoeven <geert@linux-m68k.org>, Mike Rapoport <rppt@kernel.org>, Vlastimil Babka <vbabka@suse.cz>, 
	Vincenzo Frascino <vincenzo.frascino@arm.com>, Chinwen Chang <chinwen.chang@mediatek.com>, 
	Michel Lespinasse <walken@google.com>, Catalin Marinas <catalin.marinas@arm.com>, 
	"Matthew Wilcox (Oracle)" <willy@infradead.org>, Huang Ying <ying.huang@intel.com>, Jann Horn <jannh@google.com>, 
	Feng Tang <feng.tang@intel.com>, Kevin Brodsky <Kevin.Brodsky@arm.com>, 
	Michael Ellerman <mpe@ellerman.id.au>, Shawn Anastasio <shawn@anastas.io>, 
	Steven Price <steven.price@arm.com>, Nicholas Piggin <npiggin@gmail.com>, 
	Christian Brauner <christian.brauner@ubuntu.com>, Jens Axboe <axboe@kernel.dk>, 
	Gabriel Krisman Bertazi <krisman@collabora.com>, Peter Xu <peterx@redhat.com>, 
	Suren Baghdasaryan <surenb@google.com>, Shakeel Butt <shakeelb@google.com>, Marco Elver <elver@google.com>, 
	Daniel Jordan <daniel.m.jordan@oracle.com>, Nicolas Viennot <Nicolas.Viennot@twosigma.com>, 
	Thomas Cedeno <thomascedeno@google.com>, Collin Fijalkovich <cfijalkovich@google.com>, 
	Michal Hocko <mhocko@suse.com>, Miklos Szeredi <miklos@szeredi.hu>, 
	Chengguang Xu <cgxu519@mykernel.net>, 
	=?UTF-8?Q?Christian_K=C3=B6nig?= <ckoenig.leichtzumerken@gmail.com>, 
	linux-unionfs@vger.kernel.org, Linux API <linux-api@vger.kernel.org>, 
	"the arch/x86 maintainers" <x86@kernel.org>, linux-fsdevel <linux-fsdevel@vger.kernel.org>, 
	Linux-MM <linux-mm@kvack.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: 88CBC3006672
X-Stat-Signature: nx164nc759jpjsa98ikon4rk5dhnjqq7
Authentication-Results: imf03.hostedemail.com;
	dkim=pass header.d=linux-foundation.org header.s=google header.b=XKB75bis;
	dmarc=none;
	spf=pass (imf03.hostedemail.com: domain of torvalds@linuxfoundation.org designates 209.85.208.51 as permitted sender) smtp.mailfrom=torvalds@linuxfoundation.org
X-HE-Tag: 1628787547-885383
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Aug 11, 2021 at 10:45 PM David Hildenbrand <david@redhat.com> wrote:
>
>         /* No ordering required: file already has been exposed. */
> -       RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));
> +       exe_file = get_mm_exe_file(oldmm);
> +       RCU_INIT_POINTER(mm->exe_file, exe_file);
> +       if (exe_file)
> +               deny_write_access(exe_file);

Can we make a helper function for this, since it's done in two different places?

> -       if (new_exe_file)
> +       if (new_exe_file) {
>                 get_file(new_exe_file);
> +               /*
> +                * exec code is required to deny_write_access() successfully,
> +                * so this cannot fail
> +                */
> +               deny_write_access(new_exe_file);
> +       }
>         rcu_assign_pointer(mm->exe_file, new_exe_file);

And the above looks positively wrong. The comment is also nonsensical,
in that it basically says "we thought this cannot fail, so we'll just
rely on it".

If it truly cannot fail, then the comment should give the reason, not
the "we depend on this not failing".

And honestly, I don't see why it couldn't fail. And if it *does* fail,
we cannot then RCU-assign the exe_file pointer with this, because
you'll get a counter imbalance when you do the allow_write_access()
later.

Anyway, do_open_execat() does do deny_write_access() with proper error
checking. I think that is the existing reference that you depend on -
so that it doesn't fail. So the comment could possibly say that the
only caller has done this, but can we not just use the reference
deny_write_access() directly, and not do a new one here?

IOW, maybe there's an extraneous 'allow_write_access()' somewhere that
should be dropped when we do the whole binprm dance in execve()?

             Linus