From: Snild Dolkow
To: Ingo Molnar, Jens Axboe, Steven Rostedt, Tejun Heo
CC: Peter Enderborg, Yoshitaka Seto, Oleksiy Avramchenko, Snild Dolkow
Subject: [PATCH] kthread, tracing: Don't expose half-written comm when creating kthreads
Date: Wed, 4 Jul 2018 16:10:53 +0200
Message-ID: <20180704141053.131811-1-snild@sony.com>
X-Mailer: git-send-email 2.15.1
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

There was a window for racing when task->comm was being written. The
vsnprintf function writes 16 bytes, then counts the rest, then null
terminates. In the meantime, other threads could see the non-terminated
comm value. In our case, it got into the trace system's saved cmdlines
and could cause stack corruption when strcpy'd out of there.

The workaround in e09e28671 (use strlcpy in __trace_find_cmdline) was
likely needed because of this bug.

Solved by vsnprintf:ing to a local buffer, then using set_task_comm().

Signed-off-by: Snild Dolkow
---
 kernel/kthread.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/kthread.c b/kernel/kthread.c
index 481951bf091d..28874afbf747 100644
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -319,8 +319,10 @@ struct task_struct *__kthread_create_on_node(int (*threadfn)(void *data),
 	task = create->result;
 	if (!IS_ERR(task)) {
 		static const struct sched_param param = { .sched_priority = 0 };
+		char name[TASK_COMM_LEN];
 
-		vsnprintf(task->comm, sizeof(task->comm), namefmt, args);
+		vsnprintf(name, sizeof(name), namefmt, args);
+		set_task_comm(task, name);
 		/*
 		 * root may have changed our (kthreadd's) priority or CPU mask.
 		 * The kernel thread should not inherit these properties.
-- 
2.15.1
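Review bot: the hunk swaps the direct vsnprintf() into task->comm for a stack buffer plus set_task_comm(), but nothing in the code says why, so the next reader will take the extra copy for redundancy and may "simplify" it back; add a short comment above the vsnprintf() stating that the task is already visible to other tasks at this point, so comm must not be updated in place and is published under the task lock by set_task_comm(). It is also worth saying in the commit message that sizing `name` as TASK_COMM_LEN keeps truncation identical to the old `vsnprintf(task->comm, sizeof(task->comm), namefmt, args)`, so the only behavioural change is that readers now see either the previous comm or the complete new name, never a partial one.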
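The race the commit message describes, and both halves of the fix (format into a private buffer before publishing, and copy out of comm with a bound rather than strcpy()), as a userspace C model. This is an added example, not kernel code or the patch author's code: `struct task`, `copy_comm`, `set_comm`, `set_comm_racy`, `get_comm`, `comm_terminated` and `demo_task` are hypothetical stand-ins for task_struct, strscpy()/strlcpy(), set_task_comm(), get_task_comm() and the task lock, and the 16-byte unterminated buffer built by `make_unterminated_task` is a constructed sample of what a reader could observe inside the old window.

```c
#include <stdarg.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define TASK_COMM_LEN 16	/* same size as the kernel's task->comm */

/* Hypothetical stand-in for task_struct with only the fields this example needs. */
struct task {
	char comm[TASK_COMM_LEN];
	atomic_flag lock;	/* stands in for task_lock()/task_unlock() */
};

static void task_lock(struct task *t)
{
	while (atomic_flag_test_and_set(&t->lock))
		;
}

static void task_unlock(struct task *t)
{
	atomic_flag_clear(&t->lock);
}

/*
 * Bounded copy in the spirit of strscpy(): reads at most size-1 bytes of src,
 * always NUL-terminates dst and never calls strlen() on src, so an unterminated
 * 16-byte comm cannot make the reader run off the end. Returns bytes copied.
 */
static size_t copy_comm(char *dst, const char *src, size_t size)
{
	size_t i = 0;

	while (i + 1 < size && src[i] != '\0') {
		dst[i] = src[i];
		i++;
	}
	dst[i] = '\0';
	return i;
}

/*
 * Pre-patch pattern, kept for contrast: vsnprintf() works directly in the
 * shared buffer, so a concurrent reader can see 16 bytes of name with no
 * terminator while formatting is still in progress.
 */
static int set_comm_racy(struct task *t, const char *fmt, ...)
{
	va_list args;
	int len;

	va_start(args, fmt);
	len = vsnprintf(t->comm, sizeof(t->comm), fmt, args);
	va_end(args);
	return len;
}

/*
 * Post-patch pattern: format into a private buffer of the same size (so
 * truncation is identical), then publish it with one bounded copy under the
 * lock. Readers see either the previous comm or the complete new one.
 * Returns the untruncated length, as vsnprintf() reports it.
 */
static int set_comm(struct task *t, const char *fmt, ...)
{
	char name[TASK_COMM_LEN];
	va_list args;
	int len;

	va_start(args, fmt);
	len = vsnprintf(name, sizeof(name), fmt, args);
	va_end(args);

	task_lock(t);
	copy_comm(t->comm, name, sizeof(t->comm));
	task_unlock(t);
	return len;
}

/* Reader side: take the lock and copy out with a bound, as get_task_comm() does. */
static size_t get_comm(struct task *t, char *out, size_t size)
{
	size_t n;

	task_lock(t);
	n = copy_comm(out, t->comm, size);
	task_unlock(t);
	return n;
}

/* 1 if comm currently holds a terminator within TASK_COMM_LEN bytes, else 0. */
static int comm_terminated(const struct task *t)
{
	return memchr(t->comm, '\0', TASK_COMM_LEN) != NULL;
}

/* Constructed sample: every byte written, terminator not yet placed. */
static struct task *make_unterminated_task(void)
{
	static struct task t = { .lock = ATOMIC_FLAG_INIT };

	memset(t.comm, 'k', TASK_COMM_LEN);
	return &t;
}

static struct task demo_task = { .lock = ATOMIC_FLAG_INIT };
static struct task old_task = { .lock = ATOMIC_FLAG_INIT };
static char scratch[TASK_COMM_LEN];

int main(void)
{
	int len = set_comm(&demo_task, "kworker/u%d:%d", 1234567, 89);

	printf("formatted %d bytes, stored \"%s\"\n", len, demo_task.comm);
	set_comm_racy(&old_task, "kthreadd");
	printf("old pattern stored \"%s\"\n", old_task.comm);
	get_comm(make_unterminated_task(), scratch, sizeof(scratch));
	printf("unterminated comm read safely as \"%s\" (%d chars)\n",
	       scratch, (int)strlen(scratch));
	return 0;
}
```

The constructed name "kworker/u1234567:89" is 19 bytes, so both writers truncate it to 15 characters plus the terminator; the difference is only when the terminator becomes visible to other CPUs. The reader helper shows the second line of defence from e09e28671: even if an unterminated comm does reach a reader, a bounded copy stops at 15 bytes instead of overrunning the destination.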