From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Frank Haverkamp, Joerg-Stephan Vogt, Michael Jung, Michael Ruettger, Kleber Sacilotto de Souza, Sebastian Ott, "Eberhard S. Amann", Gabriel Krisman Bertazi, "Guilherme G. Piccoli", "Eric W. Biederman"
Subject: [PATCH 4.14 149/222] signal/GenWQE: Fix sending of SIGKILL
Date: Sun, 11 Nov 2018 14:24:06 -0800
Message-Id: <20181111221700.733404598@linuxfoundation.org>
In-Reply-To: <20181111221647.665769131@linuxfoundation.org>
References: <20181111221647.665769131@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman

commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genwqe_add_file and genwqe_del_file by caching current without using reference counting embed the assumption that a file descriptor will never be passed from one process to another. It even embeds the assumption that the thread that opened the file will be in existence when the process terminates. Neither of which are guaranteed to be true.

Therefore replace caching the task_struct of the opener with pid of the opener's thread group id. All the knowledge of the opener is used for is as the target of SIGKILL and a SIGKILL will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove its unnecessary signal argument, update its only caller, and use kill_pid instead of force_sig.

The work force_sig does in changing signal handling state is not relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processes will be killed just with less work, and less confusion. The work done by force_sig is really only needed for handling synchronous exceptions.

It will still be possible to cause genwqe_device_remove to wait 8 seconds by passing a file descriptor to another process but the possible use after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman
Cc: Frank Haverkamp
Cc: Joerg-Stephan Vogt
Cc: Michael Jung
Cc: Michael Ruettger
Cc: Kleber Sacilotto de Souza
Cc: Sebastian Ott
Cc: Eberhard S. Amann
Cc: Gabriel Krisman Bertazi
Cc: Guilherme G. Piccoli
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Greg Kroah-Hartman
---
 drivers/misc/genwqe/card_base.h | 2 +-
 drivers/misc/genwqe/card_dev.c | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/misc/genwqe/card_base.h +++ b/drivers/misc/genwqe/card_base.h 
@@ -403,7 +403,7 @@ struct genwqe_file { struct file *filp; struct fasync_struct *async_queue; - struct task_struct *owner; + struct pid *opener; struct list_head list; /* entry in list of open files */ spinlock_t map_lock; /* lock for dma_mappings */ --- a/drivers/misc/genwqe/card_dev.c +++ b/drivers/misc/genwqe/card_dev.c @@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq { unsigned long flags; - cfile->owner = current; + cfile->opener = get_pid(task_tgid(current)); spin_lock_irqsave(&cd->file_lock, flags); list_add(&cfile->list, &cd->file_list); spin_unlock_irqrestore(&cd->file_lock, flags); @@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe spin_lock_irqsave(&cd->file_lock, flags); list_del(&cfile->list); spin_unlock_irqrestore(&cd->file_lock, flags); + put_pid(cfile->opener); return 0; } @@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen return files; } -static int genwqe_force_sig(struct genwqe_dev *cd, int sig) +static int genwqe_terminate(struct genwqe_dev *cd) { unsigned int files = 0; unsigned long flags; @@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq spin_lock_irqsave(&cd->file_lock, flags); list_for_each_entry(cfile, &cd->file_list, list) { - force_sig(sig, cfile->owner); + kill_pid(cfile->opener, SIGKILL, 1); files++; } spin_unlock_irqrestore(&cd->file_lock, flags); @@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces dev_warn(&pci_dev->dev, "[%s] send SIGKILL and wait ...\n", __func__); - rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ + rc = genwqe_terminate(cd); if (rc) { /* Give kill_timout more seconds to end processes */ for (i = 0; (i < genwqe_kill_timeout) &&
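
Review bot: in the struct genwqe_file hunk of card_base.h, the new `struct pid *opener` member has no comment, unlike the neighbouring `list` and `map_lock` members. A short note that it holds a counted reference to the opener's thread group pid, taken in genwqe_add_file() and dropped in genwqe_del_file(), would document the lifetime rule this patch introduces and that the old `owner` pointer lacked.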
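
Review bot: in the genwqe_del_file() hunk of card_dev.c, `put_pid(cfile->opener)` leaves `cfile->opener` pointing at a pid whose reference has just been dropped. The entry is already off `cd->file_list` by that point, so the list walk in genwqe_terminate() cannot reach it, but setting `cfile->opener = NULL` after the put would keep any later stray use of the cfile from touching a stale pointer.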
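
Review bot: in the genwqe_terminate() loop in card_dev.c, the return value of `kill_pid(cfile->opener, SIGKILL, 1)` is ignored and `files++` runs unconditionally, so the value handed back to genwqe_inform_and_stop_processes() counts open files, not signals actually delivered. When the opener has already exited, the caller still enters its wait loop, which is the residual wait the commit message mentions. A comment saying the count is deliberately the number of open files would make that intent explicit. The bare `1` passed as the third argument would also read better with a comment that it marks the signal as kernel-originated.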