From: Al Viro <viro@ZenIV.linux.org.uk>
To: Hugh Dickins <hugh@veritas.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Joe Malicki <jmalicki@metacarta.com>,
Michael Itz <mitz@metacarta.com>,
Kenneth Baker <bakerk@metacarta.com>,
Chris Wright <chrisw@sous-sol.org>,
David Howells <dhowells@redhat.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't)
Date: Wed, 1 Apr 2009 03:38:49 +0100 [thread overview]
Message-ID: <20090401023849.GW28946@ZenIV.linux.org.uk> (raw)
In-Reply-To: <Pine.LNX.4.64.0904010106310.16500@blonde.anvils>
On Wed, Apr 01, 2009 at 01:28:01AM +0100, Hugh Dickins wrote:
> Minor bisectability issue: the third patch, which introduces
> int unshare_fs_struct(void), needs to return 0 when it succeeds:
> that gets corrected in the fourth patch.
ACK.
> Lockdep objects to how check_unsafe_exec nests write_lock(&p->fs_lock)
> inside lock_task_sighand(p, &flags). It's right: we sometimes take
> sighand->siglock in interrupt, so if such an interrupt occurred just
> after you take fs_lock elsewhere, that could deadlock with this. It
> seems happy with taking fs_lock just outside the lock_task_sighand.
Right you are, check_unsafe_exec() reordered. Will push in a few.
> Otherwise it looks good to me, except I keep worrying about those
> EAGAINs. The more so once I noticed current->cred_exec_mutex is
> already being used to handle a similar issue with ptrace. What
> do you think of this rather smaller patch? which I'd much rather
> send after having slept on it, since it may be embarrassingly and
> obviously wrong, but tomorrow may be too late ...
Eh... I'm not particulary happy with fork() growing heavier and heavier.
Besides, there's a subtle problem avoided by another variant - think what
happens if past the point of no return execve() will unshare fs_struct
(e.g. by explicit unshare() from dynamic linker).
Frankly, -EAGAIN in situation when we have userland race is fine. And
we *do* have a userland race here - execve() will kill -9 those threads
in case of success, so if they'd been doing something useful, they are
about to be suddenly screwed.
So I stand by my variant. Note that if we have *other* tasks sharing
fs_struct, your variant will block their clone() for the duration of
execve() while mine will simply leave them alone (and accept that we
have unsafe sharing).
next prev parent reply other threads:[~2009-04-01 2:39 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-28 23:16 [PATCH 1/4] compat_do_execve should unshare_files Hugh Dickins
2009-03-28 23:20 ` [PATCH 2/4] fix setuid sometimes doesn't Hugh Dickins
2009-03-29 0:53 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Oleg Nesterov
2009-03-29 4:10 ` Al Viro
2009-03-29 4:14 ` Al Viro
2009-03-29 4:52 ` Oleg Nesterov
2009-03-29 5:55 ` Al Viro
2009-03-29 6:01 ` Al Viro
2009-03-29 21:36 ` Oleg Nesterov
2009-03-29 22:20 ` Al Viro
2009-03-29 23:56 ` Oleg Nesterov
2009-03-30 0:03 ` Oleg Nesterov
2009-03-30 1:08 ` Al Viro
2009-03-30 1:13 ` Al Viro
2009-03-30 1:36 ` Oleg Nesterov
2009-03-30 1:40 ` Oleg Nesterov
2009-03-30 12:31 ` Al Viro
2009-03-30 14:32 ` Hugh Dickins
2009-03-31 6:16 ` Al Viro
2009-04-01 0:28 ` Hugh Dickins
2009-04-01 2:38 ` Al Viro [this message]
2009-04-01 3:03 ` Al Viro
2009-04-01 11:25 ` Hugh Dickins
2009-04-06 15:31 ` Oleg Nesterov
2009-04-19 16:30 ` Hugh Dickins
2009-04-21 16:10 ` Oleg Nesterov
2009-04-21 16:31 ` Linus Torvalds
2009-04-21 17:15 ` Oleg Nesterov
2009-04-21 17:35 ` Linus Torvalds
2009-04-21 19:39 ` Hugh Dickins
2009-04-23 23:01 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-23 23:31 ` Al Viro
2009-04-24 11:57 ` [PATCH 3/2] check_unsafe_exec: rcu_read_unlock Hugh Dickins
2009-04-24 14:34 ` Oleg Nesterov
2009-04-24 4:20 ` [PATCH 1/2] do_execve() must not clear fs->in_exec if it was set by another thread Hugh Dickins
2009-04-23 23:02 ` [PATCH 2/2] check_unsafe_exec: s/lock_task_sighand/rcu_read_lock/ Oleg Nesterov
2009-04-23 23:18 ` Roland McGrath
2009-04-24 4:29 ` Hugh Dickins
2009-04-01 11:18 ` Q: check_unsafe_exec() races (Was: [PATCH 2/4] fix setuid sometimes doesn't) Hugh Dickins
2009-04-06 15:51 ` Oleg Nesterov
2009-04-19 16:44 ` Hugh Dickins
2009-04-21 16:39 ` Oleg Nesterov
2009-03-30 23:45 ` Serge E. Hallyn
2009-03-31 6:19 ` Al Viro
2009-03-28 23:21 ` [PATCH 3/4] fix setuid sometimes wouldn't Hugh Dickins
2009-03-29 11:19 ` Alexey Dobriyan
2009-03-29 21:48 ` Oleg Nesterov
2009-03-29 22:37 ` Al Viro
2009-03-28 23:23 ` [PATCH 4/4] Annotate struct fs_struct's usage count restriction Hugh Dickins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090401023849.GW28946@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bakerk@metacarta.com \
--cc=chrisw@sous-sol.org \
--cc=dhowells@redhat.com \
--cc=gregkh@suse.de \
--cc=hugh@veritas.com \
--cc=jmalicki@metacarta.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mitz@metacarta.com \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).