From: Linus Torvalds <torvalds@linux-foundation.org>
To: Alexey Gladkov <legion@kernel.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux Containers <containers@lists.linux.dev>
Subject: Re: [PATCH] ucounts: Fix UCOUNT_RLIMIT_SIGPENDING counter leak
Date: Fri, 2 Jul 2021 15:13:18 -0700 [thread overview]
Message-ID: <CAHk-=whfoVN6wiP5VHekckvqivRhpB+b1FnwyWEjz1SB2FN6HQ@mail.gmail.com> (raw)
In-Reply-To: <20210702175442.1603082-1-legion@kernel.org>
On Fri, Jul 2, 2021 at 10:55 AM Alexey Gladkov <legion@kernel.org> wrote:
>
> @@ -424,10 +424,10 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t gfp_flags,
> * changes from/to zero.
> */
> rcu_read_lock();
> - ucounts = task_ucounts(t);
> + ucounts = ucounts_new = task_ucounts(t);
> sigpending = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1);
> if (sigpending == 1)
> - ucounts = get_ucounts(ucounts);
> + ucounts_new = get_ucounts(ucounts);
> rcu_read_unlock();
I think this is still problematic.
If get_ucounts() fails, we can't just drop the RCU lock and (later)
use "ucounts" that we hold no reference to.
Or am I missing something? I'm not entirely sure about the lifetime of
that RCU protection, and I do note that "task_ucounts()" uses
"task_cred_xxx()", which already does
rcu_read_lock()/rcu_read_unlock() in the actual access.
So I'm thinking the code could/should be written something like this instead:
diff --git a/kernel/signal.c b/kernel/signal.c
index f6371dfa1f89..40781b197227 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -422,22 +422,33 @@ __sigqueue_alloc(int sig, struct task_struct
*t, gfp_t gfp_flags,
* NOTE! A pending signal will hold on to the user refcount,
* and we get/put the refcount only when the sigpending count
* changes from/to zero.
+ *
+ * And if the ucount rlimit overflowed, we do not get to use it at all.
*/
rcu_read_lock();
ucounts = task_ucounts(t);
sigpending = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1);
- if (sigpending == 1)
- ucounts = get_ucounts(ucounts);
+ switch (sigpending) {
+ case 1:
+ if (likely(get_ucounts(ucounts)))
+ break;
+
+ dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1);
+ fallthrough;
+ case LONG_MAX:
+ rcu_read_unlock();
+ return NULL;
+ }
rcu_read_unlock();
- if (override_rlimit || (sigpending < LONG_MAX && sigpending <=
task_rlimit(t, RLIMIT_SIGPENDING))) {
+ if (override_rlimit || sigpending <= task_rlimit(t,
RLIMIT_SIGPENDING)) {
q = kmem_cache_alloc(sigqueue_cachep, gfp_flags);
} else {
print_dropped_signal(sig);
}
if (unlikely(q == NULL)) {
- if (ucounts && dec_rlimit_ucounts(ucounts,
UCOUNT_RLIMIT_SIGPENDING, 1))
+ if (dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1))
put_ucounts(ucounts);
} else {
INIT_LIST_HEAD(&q->list);
(and no, I'm not sure it's a good idea to make that use a "switch()" -
maybe the LONG_MAX case should be a "if (unlikely())" thing after the
rcu_read_ulock() instead?
Hmm?
The alternate thing is to say "No, Linus, you're a nincompoop and
wrong, that RCU protection is a non-issue because we hold a reference
to the task, and task_ucounts() will not change, so the RCU read lock
doesn't do anything".
Although then I would think the rcu_read_lock/rcu_read_unlock here is
entirely pointless.
Linus
next prev parent reply other threads:[~2021-07-02 22:13 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 22:35 [GIT PULL] ucounts: Count rlimits in each user namespace Eric W. Biederman
2021-06-29 3:47 ` Linus Torvalds
2021-06-29 15:04 ` Eric W. Biederman
2021-06-29 15:51 ` Eric W. Biederman
2021-06-29 16:34 ` Linus Torvalds
2021-06-29 16:42 ` Eric W. Biederman
2021-06-29 17:09 ` Eric W. Biederman
2021-07-01 16:41 ` Alexey Gladkov
2021-07-01 20:05 ` Eric W. Biederman
2021-06-29 17:17 ` Alexey Gladkov
2021-06-29 18:07 ` Linus Torvalds
2021-06-29 20:20 ` Alexey Gladkov
2021-06-29 20:33 ` Linus Torvalds
2021-06-29 21:22 ` Alexey Gladkov
2021-07-02 17:54 ` [PATCH] ucounts: Fix UCOUNT_RLIMIT_SIGPENDING counter leak Alexey Gladkov
2021-07-02 22:13 ` Linus Torvalds [this message]
2021-07-07 16:50 ` Alexey Gladkov
2021-07-07 17:23 ` Linus Torvalds
2021-07-08 10:33 ` [PATCH v2] " Alexey Gladkov
2021-07-08 18:44 ` Linus Torvalds
2021-07-08 11:00 ` [PATCH] ucounts: " Alexey Gladkov
2021-06-29 3:50 ` [GIT PULL] ucounts: Count rlimits in each user namespace pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=whfoVN6wiP5VHekckvqivRhpB+b1FnwyWEjz1SB2FN6HQ@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=containers@lists.linux.dev \
--cc=ebiederm@xmission.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).