[tip:core/urgent] signal: Fix racy access to __task_cred in kill_pid_info_as_uid()

From: tip-bot for Thomas Gleixner
Date: Thu Dec 10 2009 - 17:10:04 EST

Next message: tip-bot for Thomas Gleixner: "[tip:core/urgent] signals: Fix more rcu assumptions"
Previous message: Chris Friesen: "Re: [PATCH] Documentation/email-clients.txt: clarify Thunderbirdsection"
In reply to: Oleg Nesterov: "Re: [patch 6/9] signal: Fix racy access to __task_cred inkill_pid_info_as_uid()"
Next in thread: Thomas Gleixner: "[patch 7/9] signals: Fix more rcu assumptions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Commit-ID: 14d8c9f3c09e7fd7b9af80904289fe204f5b93c6
Gitweb: http://git.kernel.org/tip/14d8c9f3c09e7fd7b9af80904289fe204f5b93c6
Author: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
AuthorDate: Thu, 10 Dec 2009 00:53:17 +0000
Committer: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
CommitDate: Thu, 10 Dec 2009 23:04:11 +0100

signal: Fix racy access to __task_cred in kill_pid_info_as_uid()

kill_pid_info_as_uid() accesses __task_cred() without being in a RCU
read side critical section. tasklist_lock is not protecting that when
CONFIG_TREE_PREEMPT_RCU=y.

Convert the whole tasklist_lock section to rcu and use
lock_task_sighand to prevent the exit race.

Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
LKML-Reference: <20091210004703.232302055@xxxxxxxxxxxxx>
Acked-by: Oleg Nesterov <oleg@xxxxxxxxxx>
---
kernel/signal.c | 17 ++++++++++-------
1 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/kernel/signal.c b/kernel/signal.c
index 6b982f2..7331656 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1175,11 +1175,12 @@ int kill_pid_info_as_uid(int sig, struct siginfo *info, struct pid *pid,
int ret = -EINVAL;
struct task_struct *p;
const struct cred *pcred;
+ unsigned long flags;

if (!valid_signal(sig))
return ret;

- read_lock(&tasklist_lock);
+ rcu_read_lock();
p = pid_task(pid, PIDTYPE_PID);
if (!p) {
ret = -ESRCH;
@@ -1196,14 +1197,16 @@ int kill_pid_info_as_uid(int sig, struct siginfo *info, struct pid *pid,
ret = security_task_kill(p, info, sig, secid);
if (ret)
goto out_unlock;
- if (sig && p->sighand) {
- unsigned long flags;
- spin_lock_irqsave(&p->sighand->siglock, flags);
- ret = __send_signal(sig, info, p, 1, 0);
- spin_unlock_irqrestore(&p->sighand->siglock, flags);
+
+ if (sig) {
+ if (lock_task_sighand(p, &flags)) {
+ ret = __send_signal(sig, info, p, 1, 0);
+ unlock_task_sighand(p, &flags);
+ } else
+ ret = -ESRCH;
}
out_unlock:
- read_unlock(&tasklist_lock);
+ rcu_read_unlock();
return ret;
}
EXPORT_SYMBOL_GPL(kill_pid_info_as_uid);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: tip-bot for Thomas Gleixner: "[tip:core/urgent] signals: Fix more rcu assumptions"
Previous message: Chris Friesen: "Re: [PATCH] Documentation/email-clients.txt: clarify Thunderbirdsection"
In reply to: Oleg Nesterov: "Re: [patch 6/9] signal: Fix racy access to __task_cred inkill_pid_info_as_uid()"
Next in thread: Thomas Gleixner: "[patch 7/9] signals: Fix more rcu assumptions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]