[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <878sacyvpv.fsf@x220.int.ebiederm.org>
Date: Sat, 05 Dec 2020 12:05:32 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Davidlohr Bueso <dave@...olabs.net>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Bernd Edlinger <bernd.edlinger@...mail.de>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>, Will Deacon <will@...nel.org>,
Jann Horn <jannh@...gle.com>,
Vasiliy Kulikov <segoon@...nwall.com>,
Al Viro <viro@...iv.linux.org.uk>,
Oleg Nesterov <oleg@...hat.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
Sargun Dhillon <sargun@...gun.me>,
Christian Brauner <christian.brauner@...ntu.com>,
Arnd Bergmann <arnd@...db.de>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Waiman Long <longman@...hat.com>
Subject: Re: [PATCH 3/3] exec: Transform exec_update_mutex into a rw_semaphore
Davidlohr Bueso <dave@...olabs.net> writes:
> On Fri, 04 Dec 2020, Linus Torvalds wrote:
>
>>On Fri, Dec 4, 2020 at 12:30 PM Bernd Edlinger
>><bernd.edlinger@...mail.de> wrote:
>>>>
>>> > perf_event_open (exec_update_mutex -> ovl_i_mutex)
>>
>>Side note: this one looks like it should be easy to fix.
>>
>>Is there any real reason why exec_update_mutex is actually gotten that
>>early, and held for that long in the perf event code?
>
> afaict just to validate the whole operation early. Per 79c9ce57eb2 the
> mutex will guard the check and the perf_install_in_context vs exec.
>
>>
>>I _think_ we could move the ptrace check to be much later, to _just_ before that
>>
>> * This is the point on no return; we cannot fail hereafter.
>>
>>point in the perf event install chain..
>
> Peter had the idea of doing the ptrace_may_access() check twice: first
> lockless and early, then under exec_update_mutex when it mattered right
> before perf_install_in_context():
>
> https://lore.kernel.org/linux-fsdevel/20200828123720.GZ1362448@hirez.programming.kicks-ass.net/
>
>>
>>I don't think it needs to be moved down even that much, I think it
>>would be sufficient to move it down below the "perf_event_alloc()",
>>but I didn't check very much.
>
> Yeah we could just keep a single ptrace_may_access() check just further
> down until it won't deadlock.
I am trying to understand why the permission check is there.
The ptrace_may_access check came in with the earliest version of the
code I can find. So going down that path hasn't helped.
There are about 65 calls of perf_pmu_register so it definitely makes me
nervous holding a semaphore over perf_event_alloc.
What is truly silly in all of this is perf_uprobe_event_init fails if
!perfmon_capable(). Which means the ptrace_may_access check and
holding exec_update_mutex is completely irrelevant to the function of
create_local_trace_uprobe. Which is strange in and of itself. I would
have thought uprobes would have been the kind of probe that it would
be safe for ordinary users to use.
This is a much deeper rabit hole than I had anticipated when I started
looking and I will have to come back to this after the weekend.
If at all possible I would love to be able to move the grabbing of
exec_update_mutex after perf_event_alloc and the pluggable functions it
calls. It doesn't feel possible to audit that.
On the flip side the task is passed in as hw.target. So it may not be
possible to move the permission check. It is chaos.
Eric
Powered by blists - more mailing lists