exec: fix the racy usage of fs_struct->in_exec - kernel/linux.git

diff options

author	Oleg Nesterov <oleg@redhat.com>	2025-03-24 19:00:03 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-04-10 15:39:40 +0300
commit	e2d8e7bd3314485e0b3b08380c659b3d1d67ed6a (patch)
tree	f73a6c3d85b3fb9b404949b69a271b1ccdc4d480 /scripts/generate_rust_analyzer.py
parent	747e3eec1d7d124ea90ed3d7b85369df8b4e36d2 (diff)
download	linux-e2d8e7bd3314485e0b3b08380c659b3d1d67ed6a.tar.xz

exec: fix the racy usage of fs_struct->in_exec

commit af7bb0d2ca459f15cb5ca604dab5d9af103643f0 upstream. check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve() paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it fails we have the following race: T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex T2 sets fs->in_exec = 1 T1 clears fs->in_exec T2 continues with fs->in_exec == 0 Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held. Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/ Cc: stable@vger.kernel.org Signed-off-by: Oleg Nesterov <oleg@redhat.com> Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'scripts/generate_rust_analyzer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: