Re: [syzbot] [fs?] [mm?] KCSAN: data-race in bprm_execve / copy_fs (4)

From: Al Viro
Date: Sat Mar 22 2025 - 14:50:21 EST


On Sat, Mar 22, 2025 at 04:55:39PM +0100, Oleg Nesterov wrote:

> No, check_unsafe_execve() is called with cred_guard_mutex held,
> see prepare_bprm_creds()

Point...

> > 3) A calls exec_binprm(), fails (bad binary)
> > 4) A clears ->in_exec
>
> So (2) can only happen after A fails and drops cred_guard_mutex.
>
> And this means that we just need to ensure that ->in_exec is cleared
> before this mutex is dropped, no? Something like below?

Probably should work, but I wonder if it would be cleaner to have
->in_exec replaced with a pointer to the task_struct responsible. Not
"somebody with that fs_struct for ->fs is trying to do execve(),
has verified that nothing outside of their threads is using this
and had been holding ->signal->cred_guard_mutex ever since then",
but "this is the thread that..."