Re: [PATCH] exec: fix the racy usage of fs_struct->in_exec
From: Mateusz Guzik
Date: Tue Mar 25 2025 - 07:02:17 EST
On Tue, Mar 25, 2025 at 11:10 AM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
>
> On 03/24, Mateusz Guzik wrote:
> >
> > On Mon, Mar 24, 2025 at 7:28 PM Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> > >
> > > So to me it would be better to have the trivial fix for stable,
> > > exactly because it is trivially backportable. Then cleanup/simplify
> > > this logic on top of it.
> >
> > So I got myself a crap testcase with a CLONE_FS'ed task which can
> > execve and sanity-checked that suid is indeed not honored as expected.
>
> So you mean my patch can't fix the problem?
No, I think the patch works.
I am saying the current scheme is avoidably hard to reason about.
>
> > Anyhow, the plan would be to serialize on the bit, synchronized with
> > the current spin lock. copy_fs would call a helper to wait for it to
> > clear, would still bump ->users under the spin lock.
> >
> > This would decouple the handling from cred_mutex and avoid weirdness
> > like clearing the ->in_exec flag when we never set it.
>
> I don't really understand the idea, but as I said I won't argue with
> another solution.
>
I'll try to ship later today so that there will be something concrete
to comment on.
--
Mateusz Guzik <mjguzik gmail.com>
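The scheme sketched above (exec claims the in_exec bit only while it is the sole user of the fs_struct, and a CLONE_FS clone waits for the bit to clear before bumping ->users under the same lock) can be modelled in userspace. The following is an added example written for this page, not kernel code and not the patch under discussion; it assumes a mutex in place of the spinlock and a condition variable for the "wait for it to clear" helper, which is not how the kernel would block, and the struct and function names (fs_model, fs_begin_exec, fs_share, run_demo) are invented for the model.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Userspace model of the proposed in_exec serialization (added example;
 * not kernel code). The spinlock is modelled with a mutex and the wait
 * helper with a condition variable; both are assumptions of the model. */
struct fs_model {
    pthread_mutex_t lock;    /* stands in for fs_struct->lock */
    pthread_cond_t  cleared; /* signalled when in_exec drops back to 0 */
    int  users;              /* stands in for fs_struct->users */
    bool in_exec;            /* stands in for fs_struct->in_exec */
};

/* exec side: take the bit only when nobody else shares this fs_struct.
 * Returns true if the bit was taken; false means the fs is shared (or an
 * exec is already in flight) and the caller must treat this as an unsafe
 * share, i.e. not honor suid. */
bool fs_begin_exec(struct fs_model *fs)
{
    bool ok;
    pthread_mutex_lock(&fs->lock);
    ok = (fs->users == 1) && !fs->in_exec;
    if (ok)
        fs->in_exec = true;
    pthread_mutex_unlock(&fs->lock);
    return ok;
}

/* exec side: clear the bit and wake any clone that waited on it. Only the
 * task that set the bit calls this, so the flag is never cleared by a task
 * that never set it. */
void fs_end_exec(struct fs_model *fs)
{
    pthread_mutex_lock(&fs->lock);
    fs->in_exec = false;
    pthread_cond_broadcast(&fs->cleared);
    pthread_mutex_unlock(&fs->lock);
}

/* copy_fs side for CLONE_FS: wait for in_exec to clear, then bump ->users
 * under the same lock, so a clone cannot slip in while an exec is mid-flight. */
int fs_share(struct fs_model *fs)
{
    int users;
    pthread_mutex_lock(&fs->lock);
    while (fs->in_exec)
        pthread_cond_wait(&fs->cleared, &fs->lock);
    users = ++fs->users;
    pthread_mutex_unlock(&fs->lock);
    return users;
}

/* Scenario: an exec is in flight when a CLONE_FS clone arrives. Events are
 * logged under a separate lock so the order can be checked afterwards. */
struct demo_state {
    struct fs_model fs;
    pthread_mutex_t loglock;
    const char *log[4];
    int n;
};

static struct demo_state g_demo;
static int g_second_exec_ok;

static void demo_log(struct demo_state *d, const char *ev)
{
    pthread_mutex_lock(&d->loglock);
    if (d->n < 4)
        d->log[d->n++] = ev;
    pthread_mutex_unlock(&d->loglock);
}

static void *clone_thread(void *arg)
{
    struct demo_state *d = arg;
    fs_share(&d->fs);           /* blocks until the exec clears in_exec */
    demo_log(d, "clone_done");
    return NULL;
}

/* Runs the scenario and returns ->users after the clone completed. */
int run_demo(void)
{
    struct demo_state *d = &g_demo;
    pthread_t t;

    memset(d, 0, sizeof(*d));
    pthread_mutex_init(&d->fs.lock, NULL);
    pthread_cond_init(&d->fs.cleared, NULL);
    pthread_mutex_init(&d->loglock, NULL);
    d->fs.users = 1;            /* sole user: exec may claim the bit */

    if (!fs_begin_exec(&d->fs))
        return -1;
    demo_log(d, "exec_begin");
    pthread_create(&t, NULL, clone_thread, d);
    usleep(50000);              /* let the clone reach the wait */
    demo_log(d, "exec_end");    /* logged before the bit is cleared */
    fs_end_exec(&d->fs);
    pthread_join(t, NULL);

    /* Now shared by two users: a fresh exec must refuse the bit. */
    g_second_exec_ok = fs_begin_exec(&d->fs);
    return d->fs.users;
}

const char *demo_event(int i) { return i < g_demo.n ? g_demo.log[i] : "none"; }
int demo_second_exec_ok(void) { return g_second_exec_ok; }

int main(void)
{
    int users = run_demo();
    printf("users=%d second_exec_ok=%d order: %s, %s, %s\n", users,
           demo_second_exec_ok(), demo_event(0), demo_event(1), demo_event(2));
    return (users == 2 && !demo_second_exec_ok()) ? 0 : 1;
}
```

Build with `cc -pthread`. The point of the model is the ordering: "clone_done" can only appear after "exec_end", because the clone's ->users bump is taken under the same lock that guards in_exec, and once two users exist the next exec is correctly refused the bit.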