Re: + fs-binfmts-better-handling-of-binfmt-loops.patch added to -mm tree

[Oleg Nesterov]

> From: Zach Levis <z...@linux.vnet.ibm.com>
> Subject: fs/binfmts: better handling of binfmt loops
>
> With these changes, when a binfmt loop is encountered, the ELOOP will
> propagate back to the 0 depth.  At this point the argv and argc values
> will be reset to what they were originally and an attempt is made to
> continue with the following binfmt handlers.

I must admit, I do not really understand why do we want to recover
after pr_err(). Perhaps the changelog could say a bit more.

> --- a/fs/exec.c~fs-binfmts-better-handling-of-binfmt-loops
> +++ a/fs/exec.c
> @@ -1403,13 +1403,40 @@ int search_binary_handler(struct linux_b
>                       if (!try_module_get(fmt->module))
>                               continue;
>                       read_unlock(&binfmt_lock);
> +                     bprm->previous_binfmts[1] = bprm->previous_binfmts[0];
> +                     bprm->previous_binfmts[0] = fmt;
> +
>                       bprm->recursion_depth = depth + 1;
>                       retval = fn(bprm);
>                       bprm->recursion_depth = depth;
> +                     if (retval == -ELOOP && depth == 0) { /* cur, previous 
> */
> +                             pr_err("Too much recursion with binfmts (0:%s, 
> -1:%s) in file %s, skipping (base %s).\n",
> +                                             bprm->previous_binfmts[0]->name,
> +                                             bprm->previous_binfmts[1]->name,
> +                                             bprm->filename,
> +                                             fmt->name);
> +
> +                             /* Put argv back in its place */
> +                             while (bprm->argc > 0) {
> +                                     retval = remove_arg_zero(bprm);
> +                                     if (retval)
> +                                             return retval;
> +                             }

But why do we need this?

Afaics we only need to restore bprm->p to the old value before the
1st do_execve_common()->copy_strings(argv) and nothing else, no ?
free_bprm()->free_arg_pages() will do the necessary cleanup in any
case.

> +
> +                             copy_strings(bprm->argc_orig, *((struct 
> user_arg_ptr *) bprm->argv_orig), bprm);

Perhaps it would be more clean to add "struct user_arg_ptr;"
into binfmts.h and avoid the typecast.

And I do not think we should ignore the possible error from
copy_strings(). Even if we know that it succeeded before, another
thread can, say, unmap this memory in between.

> +                             bprm->argc = bprm->argc_orig;

Or we can simply do count() again. compared to copy_strings() this
is cheap.

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/