From: ebiederm@xmission.com (Eric W. Biederman)
To: Linus Torvalds
Cc: Oleg Nesterov, Andrew Morton, linux-kernel@vger.kernel.org, Wen Yang, majiang, "J. Bruce Fields", syzkaller-bugs@googlegroups.com
References: <87efft5ncd.fsf_-_@xmission.com> <20180724032419.20231-7-ebiederm@xmission.com>
Date: Wed, 15 Aug 2018 23:04:07 -0500
In-Reply-To: <20180724032419.20231-7-ebiederm@xmission.com> (Eric W. Biederman's message of "Mon, 23 Jul 2018 22:24:06 -0500")
Message-ID: <87k1orgdoo.fsf_-_@xmission.com>
Subject: [PATCH] signal: Don't send signals to tasks that don't exist
X-Mailing-List: linux-kernel@vger.kernel.org

Recently syzbot reported crashes in send_sigio_to_task and send_sigurg_to_task in linux-next. Despite finding a reproducer syzbot apparently did not bisect this or otherwise track down the offending commit in linux-next.

I happened to see this report and examined the code because I had recently changed these functions as part of making PIDTYPE_TGID a real pid type so that fork would not need to restart when receiving a signal. By examination I see that I spotted a bug in the code that could explain the reported crashes.

When I took Oleg's suggestion and optimized send_sigurg and send_sigio to only send to a single task when type is PIDTYPE_PID or PIDTYPE_TGID I failed to handle pids that no longer point to tasks. The macro do_each_pid_task simply iterates for zero iterations.
With pid_task an explicit NULL test is needed. Update the code to include the missing NULL test. Fixes: 019191342fec ("signal: Use PIDTYPE_TGID to clearly store where file signals will be sent") Reported-by: syzkaller-bugs@googlegroups.com Signed-off-by: "Eric W. Biederman" --- fs/fcntl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/fcntl.c b/fs/fcntl.c index a04accf6847f..4137d96534a6 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -791,7 +791,8 @@ void send_sigio(struct fown_struct *fown, int fd, int band) if (type <= PIDTYPE_TGID) { rcu_read_lock(); p = pid_task(pid, PIDTYPE_PID); - send_sigio_to_task(p, fown, fd, band, type); + if (p) + send_sigio_to_task(p, fown, fd, band, type); rcu_read_unlock(); } else { read_lock(&tasklist_lock); @@ -830,7 +831,8 @@ int send_sigurg(struct fown_struct *fown) if (type <= PIDTYPE_TGID) { rcu_read_lock(); p = pid_task(pid, PIDTYPE_PID); - send_sigurg_to_task(p, fown, type); + if (p) + send_sigurg_to_task(p, fown, type); rcu_read_unlock(); } else { read_lock(&tasklist_lock); -- 2.17.1
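Review bot: In the send_sigio hunk, the new "if (p)" test sits in a branch taken for type <= PIDTYPE_TGID while the lookup is pid_task(pid, PIDTYPE_PID), and nothing in the code says why that lookup can return NULL or why PIDTYPE_PID is the right type for the TGID case. A one-line comment above the test (for example, that the pid may no longer point to a task) would keep the check from being removed as redundant later. The same lookup, NULL test and call sequence is repeated in send_sigurg, so a small shared helper taking the pid and returning the task under rcu_read_lock would leave a single place to get this right.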
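Review bot: In the send_sigurg hunk, the function returns int but the visible lines do not show what it returns when p is NULL and send_sigurg_to_task is skipped. Please confirm that the return value on this path matches what the else branch yields when do_each_pid_task runs zero iterations, and say so in the commit message or a comment, so that callers see the same result for a vanished task regardless of pid type.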