MIME-Version: 1.0
In-Reply-To: <5590115A.3000201@hurleysoftware.com>
References: <1435439824-3975-1-git-send-email-batrick@batbytes.com>
	<1435452689-25390-1-git-send-email-batrick@batbytes.com>
	<5590115A.3000201@hurleysoftware.com>
Date: Sun, 28 Jun 2015 13:20:34 -0400
Message-ID: <CACh33FrCn+pDPNLVnrYVQ5sf92m8hj+oiQJ2U6RM2CtqDBf=OQ@mail.gmail.com>
Subject: Re: [PATCH v2 1/2] tty: add missing rcu_read_lock for task_pgrp
From: Patrick Donnelly <batrick@batbytes.com>
To: Peter Hurley <peter@hurleysoftware.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.cz>, open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1146
Lines: 26

On Sun, Jun 28, 2015 at 11:23 AM, Peter Hurley <peter@hurleysoftware.com> wrote:
> On 06/27/2015 08:51 PM, Patrick Donnelly wrote:
>> task_pgrp requires an rcu or tasklist lock to be obtained if the returned pid
>> is to be dereferenced, which kill_pgrp does. Obtain an RCU lock for the
>> duration of use.
>
> kill_pgrp() obtains tasklist_lock, so I don't see an unsafe deref.

I see a race between looking up the pgrp via task_pgrp and passing it
to kill_pgrp. The pgrp struct pid may be freed via setpgid/setsid, as
mentioned in the comment for task_pgrp:

 * Without tasklist or rcu lock it is not safe to dereference
 * the result of task_pgrp/task_session even if task == current,
 * we can race with another thread doing sys_setsid/sys_setpgid.

Getting the lock after the lookup is getting the lock too late. I
could be wrong though as I'm no expert on locking in Linux.

-- 
Patrick Donnelly
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/