Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore

From: Eric W. Biederman
Date: Sat Dec 05 2020 - 14:00:47 EST

Next message: Thomas Gleixner: "Re: [Bug 202453] TRACE irq/18-i801_smb Tainted when enabled threadirqs in kernel commandline."
Previous message: Hui Su: "[PATCH][next] arm64: fix the mm build error in mm/kfence/core.c"
In reply to: Davidlohr Bueso: "Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore"
Next in thread: Peter Zijlstra: "Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Davidlohr Bueso <dave@xxxxxxxxxxxx> writes:

> On Fri, 04 Dec 2020, Linus Torvalds wrote:
>
>>On Fri, Dec 4, 2020 at 12:30 PM Bernd Edlinger
>><bernd.edlinger@xxxxxxxxxx> wrote:
>>>>
>>> > perf_event_open (exec_update_mutex -> ovl_i_mutex)
>>
>>Side note: this one looks like it should be easy to fix.
>>
>>Is there any real reason why exec_update_mutex is actually gotten that
>>early, and held for that long in the perf event code?
>
> afaict just to validate the whole operation early. Per 79c9ce57eb2 the
> mutex will guard the check and the perf_install_in_context vs exec.
>
>>
>>I _think_ we could move the ptrace check to be much later, to _just_ before that
>>
>> * This is the point on no return; we cannot fail hereafter.
>>
>>point in the perf event install chain..
>
> Peter had the idea of doing the ptrace_may_access() check twice: first
> lockless and early, then under exec_update_mutex when it mattered right
> before perf_install_in_context():
>
> https://lore.kernel.org/linux-fsdevel/20200828123720.GZ1362448@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
>
>>
>>I don't think it needs to be moved down even that much, I think it
>>would be sufficient to move it down below the "perf_event_alloc()",
>>but I didn't check very much.
>
> Yeah we could just keep a single ptrace_may_access() check just further
> down until it won't deadlock.

I am trying to understand why the permission check is there.

The ptrace_may_access check came in with the earliest version of the
code I can find. So going down that path hasn't helped.

There are about 65 calls of perf_pmu_register so it definitely makes me
nervous holding a semaphore over perf_event_alloc.

What is truly silly in all of this is perf_uprobe_event_init fails if
!perfmon_capable(). Which means the ptrace_may_access check and
holding exec_update_mutex is completely irrelevant to the function of
create_local_trace_uprobe. Which is strange in and of itself. I would
have thought uprobes would have been the kind of probe that it would
be safe for ordinary users to use.

This is a much deeper rabit hole than I had anticipated when I started
looking and I will have to come back to this after the weekend.

If at all possible I would love to be able to move the grabbing of
exec_update_mutex after perf_event_alloc and the pluggable functions it
calls. It doesn't feel possible to audit that.

On the flip side the task is passed in as hw.target. So it may not be
possible to move the permission check. It is chaos.

Eric

Next message: Thomas Gleixner: "Re: [Bug 202453] TRACE irq/18-i801_smb Tainted when enabled threadirqs in kernel commandline."
Previous message: Hui Su: "[PATCH][next] arm64: fix the mm build error in mm/kfence/core.c"
In reply to: Davidlohr Bueso: "Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore"
Next in thread: Peter Zijlstra: "Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]