git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Oleg Nesterov <oleg@redhat.com>
	Mon, 24 Mar 2025 16:00:03 +0000 (17:00 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 10 Apr 2025 12:39:40 +0000 (14:39 +0200)
commit	e2d8e7bd3314485e0b3b08380c659b3d1d67ed6a
tree	f73a6c3d85b3fb9b404949b69a271b1ccdc4d480	tree
parent	747e3eec1d7d124ea90ed3d7b85369df8b4e36d2	commit \| diff

exec: fix the racy usage of fs_struct->in_exec

commit af7bb0d2ca459f15cb5ca604dab5d9af103643f0 upstream.

check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
fails we have the following race:

T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex

T2 sets fs->in_exec = 1

T1 clears fs->in_exec

T2 continues with fs->in_exec == 0

Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.

Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
Cc: stable@vger.kernel.org
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>