linux/drivers/tty
Yi Yang 25a38fa41a tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
[ Upstream commit 11e7f27b79 ]

There is a pid leakage:
------------------------------
unreferenced object 0xffff88810c181940 (size 224):
  comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
    ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
  backtrace:
    [<ffffffff814774e6>] kmem_cache_alloc+0x5c6/0x9b0
    [<ffffffff81177342>] alloc_pid+0x72/0x570
    [<ffffffff81140ac4>] copy_process+0x1374/0x2470
    [<ffffffff81141d77>] kernel_clone+0xb7/0x900
    [<ffffffff81142645>] __se_sys_clone+0x85/0xb0
    [<ffffffff8114269b>] __x64_sys_clone+0x2b/0x30
    [<ffffffff83965a72>] do_syscall_64+0x32/0x80
    [<ffffffff83a00085>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

It turns out that there is a race condition between disassociate_ctty() and
tty_signal_session_leader(), which caused this leakage.

The pid memleak is triggered by the following race:
task[sshd]                     task[bash]
-----------------------        -----------------------
                               disassociate_ctty();
                               spin_lock_irq(&current->sighand->siglock);
                               put_pid(current->signal->tty_old_pgrp);
                               current->signal->tty_old_pgrp = NULL;
                               tty = tty_kref_get(current->signal->tty);
                               spin_unlock_irq(&current->sighand->siglock);
tty_vhangup();
tty_lock(tty);
...
tty_signal_session_leader();
spin_lock_irq(&p->sighand->siglock);
...
if (tty->ctrl.pgrp) //tty->ctrl.pgrp is not NULL
p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp); //An extra get
spin_unlock_irq(&p->sighand->siglock);
...
tty_unlock(tty);
                               if (tty) {
                                   tty_lock(tty);
                                   ...
                                   put_pid(tty->ctrl.pgrp);
                                   tty->ctrl.pgrp = NULL; //It's too late
                                   ...
                                   tty_unlock(tty);
                               }

The issue is believed to be introduced by commit c8bcd9c5be ("tty:
Fix ->session locking"), which moves the unlock of siglock in
disassociate_ctty() above "if (tty)", making a small window allowing
tty_signal_session_leader() to kick in. It can be easily reproduced by
adding a delay before "if (tty)" and at the entrance of
tty_signal_session_leader().

To fix this issue, we move "put_pid(current->signal->tty_old_pgrp)" after
"tty->ctrl.pgrp = NULL".

Fixes: c8bcd9c5be ("tty: Fix ->session locking")
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Co-developed-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20230831023329.165737-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-20 11:59:25 +01:00
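The interleaving in the commit message above, as an added user-space model that is not the kernel's code: the locks are replaced by an explicit step schedule so the race is deterministic, and the refcount on the pgrp pid is checked after the exiting task's signal struct is torn down. The struct layouts, the single baseline reference, the `leader_at` parameter and the assumption that teardown never puts a leftover `tty_old_pgrp` are modelling choices made here; only the order of `put_pid`/`get_pid` calls follows the message.

```c
/* Added example, not kernel code: model of the disassociate_ctty() /
 * tty_signal_session_leader() race. Locks are replaced by an explicit
 * interleaving; structs and teardown are modelling assumptions. */
#include <stdio.h>

struct pid { int count; };                   /* refcount of a struct pid */
struct tty { struct pid *pgrp; };            /* stands in for tty->ctrl.pgrp */
struct signal { struct pid *tty_old_pgrp; struct tty *tty; };

struct ctx {
	struct pid pgrp;      /* the foreground process group's pid */
	struct tty tty;
	struct signal sig;    /* the exiting session leader's signal struct */
	struct tty *t;        /* disassociate_ctty()'s local tty pointer */
};

static struct pid *get_pid(struct pid *p) { if (p) p->count++; return p; }
static void put_pid(struct pid *p) { if (p) p->count--; }

/* sshd side: the part of tty_signal_session_leader() quoted in the
 * message, conceptually under tty_lock and the leader's siglock. */
static void leader_signal(struct ctx *c)
{
	if (c->tty.pgrp)
		c->sig.tty_old_pgrp = get_pid(c->tty.pgrp); /* the extra get */
}

/* bash side, split at the lock boundaries. */
static void step_put_old_pgrp(struct ctx *c)   /* under siglock */
{
	put_pid(c->sig.tty_old_pgrp);
	c->sig.tty_old_pgrp = NULL;
}
static void step_get_tty(struct ctx *c)        /* under siglock */
{
	c->t = c->sig.tty;
}
static void step_clear_pgrp(struct ctx *c)     /* under tty_lock */
{
	put_pid(c->t->pgrp);
	c->t->pgrp = NULL;
}
/* Old code: put and tty lookup share one siglock section, so the
 * leader cannot run between them; the window opens after it. */
static void step_buggy_siglock(struct ctx *c)
{
	step_put_old_pgrp(c);
	step_get_tty(c);
}

typedef void (*step_fn)(struct ctx *);
static const step_fn buggy_order[] = { step_buggy_siglock, step_clear_pgrp };
/* Fixed ordering from the message: tty_old_pgrp is put only after
 * tty->ctrl.pgrp has been cleared. */
static const step_fn fixed_order[] = { step_get_tty, step_clear_pgrp, step_put_old_pgrp };
#define NSTEPS(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Run disassociate_ctty() as the given steps, with the session leader's
 * signal delivered after `leader_at` of them (0 = before any step).
 * Returns the number of references leaked on the pgrp pid; 0 is balanced. */
static int leaked_refs(const step_fn *steps, int nsteps, int leader_at)
{
	struct ctx c = { .pgrp = { .count = 1 } };  /* 1 = baseline holder elsewhere */
	c.tty.pgrp = get_pid(&c.pgrp);              /* tty->ctrl.pgrp owns one reference */
	c.sig.tty = &c.tty;
	c.sig.tty_old_pgrp = NULL;

	for (int i = 0; i <= nsteps; i++) {
		if (i == leader_at)
			leader_signal(&c);
		if (i < nsteps)
			steps[i](&c);
	}
	/* Task exit: the signal struct goes away and whatever tty_old_pgrp
	 * still points at is never put (modelling assumption). */
	c.sig.tty_old_pgrp = NULL;
	return c.pgrp.count - 1;
}

int main(void)
{
	for (int k = 0; k <= NSTEPS(buggy_order); k++)
		printf("buggy order, leader after step %d: leaked %d\n",
		       k, leaked_refs(buggy_order, NSTEPS(buggy_order), k));
	for (int k = 0; k <= NSTEPS(fixed_order); k++)
		printf("fixed order, leader after step %d: leaked %d\n",
		       k, leaked_refs(fixed_order, NSTEPS(fixed_order), k));
	return 0;
}
```

Only one schedule leaks: the old ordering with the leader's signal landing after the siglock section and before the tty_lock section, which is exactly the window the message describes. Every position in the fixed ordering balances, including the leader running before `step_get_tty`, because the final `put_pid(tty_old_pgrp)` now sees the reference the leader stored.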
hvc tty: hvc: convert counts to size_t 2023-08-11 21:12:47 +02:00
ipwireless tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
serdev tty: make counts in tty_port_client_operations hooks size_t 2023-08-11 21:12:44 +02:00
serial serial: core: Fix runtime PM handling for pending tx 2023-11-08 11:56:24 +01:00
vt TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
amiserial.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
ehv_bytechan.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
goldfish.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
Kconfig Merge commit b320441c04 ("Merge tag 'tty-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty") into tty-next 2023-08-20 14:29:37 +02:00
Makefile tty: add rpmsg driver 2021-10-21 12:35:35 +02:00
mips_ejtag_fdc.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
moxa.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
mxser.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
n_gsm.c tty: n_gsm: fix race condition in status line change on dead connections 2023-11-08 11:56:22 +01:00
n_hdlc.c tty: ldops: unify to u8 2023-08-11 21:12:47 +02:00
n_null.c tty: ldops: unify to u8 2023-08-11 21:12:47 +02:00
n_tty.c tty: n_tty: deduplicate copy code in n_tty_receive_buf_real_raw() 2023-08-27 11:46:52 +02:00
nozomi.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
pty.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
rpmsg_tty.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
synclink_gt.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
sysrq.c TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
tty_audit.c tty: audit: unify to u8 2023-08-11 21:12:46 +02:00
tty_baudrate.c tty: Fix comment style in tty_termios_input_baud_rate() 2022-08-30 14:22:34 +02:00
tty_buffer.c tty: tty_buffer: invert conditions in __tty_buffer_request_room() 2023-08-22 14:58:16 +02:00
tty_io.c TTY/Serial driver changes for 6.6-rc1 2023-09-01 09:38:00 -07:00
tty_ioctl.c tty: make tty_change_softcar() more understandable 2023-08-11 21:12:44 +02:00
tty_jobctrl.c tty: tty_jobctrl: fix pid memleak in disassociate_ctty() 2023-11-20 11:59:25 +01:00
tty_ldisc.c tty: tty_ldisc: Remove the ret variable 2023-03-09 17:11:18 +01:00
tty_ldsem.c tty/ldsem: Fix syntax errors in comments 2021-12-21 09:15:49 +01:00
tty_mutex.c tty: remove TTY_MAGIC 2022-09-22 16:12:34 +02:00
tty_port.c tty: use u8 for flags 2023-08-11 21:12:45 +02:00
tty.h tty: audit: unify to u8 2023-08-11 21:12:46 +02:00
ttynull.c tty: make tty_operations::write()'s count size_t 2023-08-11 21:12:46 +02:00
vcc.c tty: vcc: convert counts to size_t 2023-08-11 21:12:47 +02:00