Unverified Commit af7bb0d2 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Christian Brauner
Browse files

exec: fix the racy usage of fs_struct->in_exec 



check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
fails we have the following race:

	T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex

	T2 sets fs->in_exec = 1

	T1 clears fs->in_exec

	T2 continues with fs->in_exec == 0

Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.

Reported-by: default avatar <syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/


Cc: stable@vger.kernel.org
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com


Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent 8661bb9c
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment