* [PATCH] fix sighand use after free
@ 2014-08-13 15:50 Rik van Riel
2014-08-13 15:58 ` Oleg Nesterov
0 siblings, 1 reply; 5+ messages in thread
From: Rik van Riel @ 2014-08-13 15:50 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, peterz, oleg, paulmck
Subject: fix sighand use after free
__lock_task_sighand carefully takes the rcu_read_lock, gets
tsk->sighand with rcu_dereference, and verifies that the task
is still using the sighand_struct after taking the spinlock.
This works much better if the sighand struct is actually rcu
freed.
Signed-off-by: Rik van Riel <riel@redhat.com>
---
kernel/fork.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/fork.c b/kernel/fork.c
index 1380d8a..754a7c6 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
{
if (atomic_dec_and_test(&sighand->count)) {
signalfd_cleanup(sighand);
- kmem_cache_free(sighand_cachep, sighand);
+ rcu_free(sighand_cachep, sighand);
}
}
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] fix sighand use after free
2014-08-13 15:50 [PATCH] fix sighand use after free Rik van Riel
@ 2014-08-13 15:58 ` Oleg Nesterov
2014-08-13 16:09 ` Rik van Riel
0 siblings, 1 reply; 5+ messages in thread
From: Oleg Nesterov @ 2014-08-13 15:58 UTC (permalink / raw)
To: Rik van Riel; +Cc: linux-kernel, akpm, peterz, paulmck
On 08/13, Rik van Riel wrote:
>
> Subject: fix sighand use after free
>
> __lock_task_sighand carefully takes the rcu_read_lock, gets
> tsk->sighand with rcu_dereference, and verifies that the task
> is still using the sighand_struct after taking the spinlock.
>
> This works much better if the sighand struct is actually rcu
> freed.
I promise, I'll send the doc patch soon ;)
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
> {
> if (atomic_dec_and_test(&sighand->count)) {
> signalfd_cleanup(sighand);
> - kmem_cache_free(sighand_cachep, sighand);
> + rcu_free(sighand_cachep, sighand);
Please note that sighand_cachep is SLAB_DESTROY_BY_RCU.
Hmm. and what is rcu_free() ?
Oleg.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] fix sighand use after free
2014-08-13 15:58 ` Oleg Nesterov
@ 2014-08-13 16:09 ` Rik van Riel
2014-08-13 16:19 ` Oleg Nesterov
0 siblings, 1 reply; 5+ messages in thread
From: Rik van Riel @ 2014-08-13 16:09 UTC (permalink / raw)
To: Oleg Nesterov; +Cc: linux-kernel, akpm, peterz, paulmck
On 08/13/2014 11:58 AM, Oleg Nesterov wrote:
> On 08/13, Rik van Riel wrote:
>>
>> Subject: fix sighand use after free
>>
>> __lock_task_sighand carefully takes the rcu_read_lock, gets
>> tsk->sighand with rcu_dereference, and verifies that the task
>> is still using the sighand_struct after taking the spinlock.
>>
>> This works much better if the sighand struct is actually rcu
>> freed.
>
> I promise, I'll send the doc patch soon ;)
>
>> --- a/kernel/fork.c
>> +++ b/kernel/fork.c
>> @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
>> {
>> if (atomic_dec_and_test(&sighand->count)) {
>> signalfd_cleanup(sighand);
>> - kmem_cache_free(sighand_cachep, sighand);
>> + rcu_free(sighand_cachep, sighand);
>
> Please note that sighand_cachep is SLAB_DESTROY_BY_RCU.
SLAB_DESTROY_BY_RCU means that the slab page is not given
back to the system until after the RCU grace period has
expired.
However, the objects inside the slab can still be reused
immediately!
In the case of the sighand struct, we have this possible race:
thread A thread B thread C
gets task A->sighand
kmem_cache_free sighand
re-alloc sighand
spin_lock sighand
spin_lock_init sighand
spin_unlock sighand
Now task C has a sighand which can never be locked.
> Hmm. and what is rcu_free() ?
Ugh, that should have been kfree_rcu of course, with
appropriate rcu space in the struct.
Now I wonder why my test compile succeeded...
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] fix sighand use after free
2014-08-13 16:09 ` Rik van Riel
@ 2014-08-13 16:19 ` Oleg Nesterov
2014-08-13 16:43 ` Rik van Riel
0 siblings, 1 reply; 5+ messages in thread
From: Oleg Nesterov @ 2014-08-13 16:19 UTC (permalink / raw)
To: Rik van Riel; +Cc: linux-kernel, akpm, peterz, paulmck
On 08/13, Rik van Riel wrote:
>
> On 08/13/2014 11:58 AM, Oleg Nesterov wrote:
> > On 08/13, Rik van Riel wrote:
> >>
> >> @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
> >> {
> >> if (atomic_dec_and_test(&sighand->count)) {
> >> signalfd_cleanup(sighand);
> >> - kmem_cache_free(sighand_cachep, sighand);
> >> + rcu_free(sighand_cachep, sighand);
> >
> > Please note that sighand_cachep is SLAB_DESTROY_BY_RCU.
>
> SLAB_DESTROY_BY_RCU means that the slab page is not given
> back to the system until after the RCU grace period has
> expired.
>
> However, the objects inside the slab can still be reused
> immediately!
Yes. This is fine. This memory won't be returned to system before rcu
gp pass, and this memory is still "struct sighand_struct" with the
properly initialized ->siglock (note the sighand_ctor()).
> In the case of the sighand struct, we have this possible race:
>
> thread A thread B thread C
>
> gets task A->sighand
> kmem_cache_free sighand
> re-alloc sighand
> spin_lock sighand
> spin_lock_init sighand
^^^^^^^^^^^^^^^^^^^^^^
see below,
> spin_unlock sighand
>
> Now task C has a sighand which can never be locked.
No, please see above. And that is why lock_task_sighand() (which in
turn needs the comment and cleanup, I already have a patch) re-checks
task-sighand with ->siglock.
> > Hmm. and what is rcu_free() ?
>
> Ugh, that should have been kfree_rcu of course, with
> appropriate rcu space in the struct.
kfree_rcu() can't work in this case, __rcu_reclaim() does kfree() but
we need kmem_cache_free().
Oleg.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH] fix sighand use after free
2014-08-13 16:19 ` Oleg Nesterov
@ 2014-08-13 16:43 ` Rik van Riel
0 siblings, 0 replies; 5+ messages in thread
From: Rik van Riel @ 2014-08-13 16:43 UTC (permalink / raw)
To: Oleg Nesterov; +Cc: linux-kernel, akpm, peterz, paulmck
On 08/13/2014 12:19 PM, Oleg Nesterov wrote:
> On 08/13, Rik van Riel wrote:
>>
>> On 08/13/2014 11:58 AM, Oleg Nesterov wrote:
>>> On 08/13, Rik van Riel wrote:
>>>>
>>>> @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
>>>> {
>>>> if (atomic_dec_and_test(&sighand->count)) {
>>>> signalfd_cleanup(sighand);
>>>> - kmem_cache_free(sighand_cachep, sighand);
>>>> + rcu_free(sighand_cachep, sighand);
>>>
>>> Please note that sighand_cachep is SLAB_DESTROY_BY_RCU.
>>
>> SLAB_DESTROY_BY_RCU means that the slab page is not given
>> back to the system until after the RCU grace period has
>> expired.
>>
>> However, the objects inside the slab can still be reused
>> immediately!
>
> Yes. This is fine. This memory won't be returned to system before rcu
> gp pass, and this memory is still "struct sighand_struct" with the
> properly initialized ->siglock (note the sighand_ctor()).
Fair enough, you are right.
The sighand_ctor does prevent any issues.
The slub code also prevents slubs with constructor
functions from ever getting merged, so this is all
taken care of.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-08-13 16:44 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-13 15:50 [PATCH] fix sighand use after free Rik van Riel
2014-08-13 15:58 ` Oleg Nesterov
2014-08-13 16:09 ` Rik van Riel
2014-08-13 16:19 ` Oleg Nesterov
2014-08-13 16:43 ` Rik van Riel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.