On Sat, Mar 22, 2025 at 04:55:39PM +0100, Oleg Nesterov wrote: > No, check_unsafe_execve() is called with cred_guard_mutex held, > see prepare_bprm_creds() Point... > > 3) A calls exec_binprm(), fails (bad binary) > > 4) A clears ->in_exec > > So (2) can only happen after A fails and drops cred_guard_mutex. > > And this means that we just need to ensure that ->in_exec is cleared > before this mutex is dropped, no? Something like below? Probably should work, but I wonder if it would be cleaner to have ->in_exec replaced with pointer to task_struct responsible. Not "somebody with that fs_struct for ->fs is trying to do execve(), has verified that nothing outside of their threads is using this and had been holding ->signal->cred_guard_mutex ever since then", but "this is the thread that..."
