From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Frank Haverkamp, Joerg-Stephan Vogt, Michael Jung, Michael Ruettger, Kleber Sacilotto de Souza, Sebastian Ott, "Eberhard S. Amann", Gabriel Krisman Bertazi, "Guilherme G. Piccoli", "Eric W. Biederman"
Subject: [PATCH 4.4 055/160] signal/GenWQE: Fix sending of SIGKILL
Date: Mon, 19 Nov 2018 17:28:14 +0100
Message-Id: <20181119162636.832564850@linuxfoundation.org>
In-Reply-To: <20181119162630.031306128@linuxfoundation.org>
References: <20181119162630.031306128@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman

commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genwqe_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the thread that opened the file will be in existence
when the process terminates.  Neither of which are guaranteed to be
true.

Therefore replace caching the task_struct of the opener with pid of
the opener's thread group id.  All the knowledge of the opener is used
for is as the target of SIGKILL and a SIGKILL will kill the entire
process group.

Rename genwqe_force_sig to genwqe_terminate, remove its unnecessary
signal argument, update its only caller, and use kill_pid instead of
force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processes
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling synchronous
exceptions.

It will still be possible to cause genwqe_device_remove to wait 8
seconds by passing a file descriptor to another process but the
possible use after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman
Cc: Frank Haverkamp
Cc: Joerg-Stephan Vogt
Cc: Michael Jung
Cc: Michael Ruettger
Cc: Kleber Sacilotto de Souza
Cc: Sebastian Ott
Cc: Eberhard S. Amann
Cc: Gabriel Krisman Bertazi
Cc: Guilherme G. Piccoli
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Greg Kroah-Hartman

---
 drivers/misc/genwqe/card_base.h |    2 +-
 drivers/misc/genwqe/card_dev.c  |    9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/misc/genwqe/card_base.h +++ b/drivers/misc/genwqe/card_base.h 
@@ -404,7 +404,7 @@ struct genwqe_file { struct file *filp; struct fasync_struct *async_queue; - struct task_struct *owner; + struct pid *opener; struct list_head list; /* entry in list of open files */ spinlock_t map_lock; /* lock for dma_mappings */ --- a/drivers/misc/genwqe/card_dev.c +++ b/drivers/misc/genwqe/card_dev.c @@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq { unsigned long flags; - cfile->owner = current; + cfile->opener = get_pid(task_tgid(current)); spin_lock_irqsave(&cd->file_lock, flags); list_add(&cfile->list, &cd->file_list); spin_unlock_irqrestore(&cd->file_lock, flags); @@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe spin_lock_irqsave(&cd->file_lock, flags); list_del(&cfile->list); spin_unlock_irqrestore(&cd->file_lock, flags); + put_pid(cfile->opener); return 0; } @@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen return files; } -static int genwqe_force_sig(struct genwqe_dev *cd, int sig) +static int genwqe_terminate(struct genwqe_dev *cd) { unsigned int files = 0; unsigned long flags; @@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq spin_lock_irqsave(&cd->file_lock, flags); list_for_each_entry(cfile, &cd->file_list, list) { - force_sig(sig, cfile->owner); + kill_pid(cfile->opener, SIGKILL, 1); files++; } spin_unlock_irqrestore(&cd->file_lock, flags); @@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces dev_warn(&pci_dev->dev, "[%s] send SIGKILL and wait ...\n", __func__); - rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ + rc = genwqe_terminate(cd); if (rc) { /* Give kill_timout more seconds to end processes */ for (i = 0; (i < genwqe_kill_timeout) &&
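
Review bot: in the card_base.h hunk the new `struct pid *opener;` member carries no comment, although the neighbouring `list` and `map_lock` members do, and the name alone does not say what it holds. Per genwqe_add_file it is a counted reference to the thread group id of the task that called open, not to whoever holds the descriptor now. A short comment such as "tgid of the opening process, reference dropped in genwqe_del_file" would stop later code from treating it as the current owner of the file.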
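
Review bot: in the genwqe_del_file hunk, put_pid(cfile->opener) is safe only because it runs after list_del() has completed under cd->file_lock, so genwqe_terminate, which walks cd->file_list under the same lock, can no longer reach this cfile when the reference is dropped. That ordering is the entire lifetime guarantee for the pid and nothing in the hunk states it. A one-line comment above put_pid() would keep a later cleanup from moving it ahead of the list removal.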
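
Review bot: in the genwqe_terminate hunk the return value of `kill_pid(cfile->opener, SIGKILL, 1)` is discarded and `files++` runs unconditionally, so an entry whose opener has already exited still counts and genwqe_inform_and_stop_processes takes the `if (rc)` wait path. The commit message accepts that wait for descriptors passed to another process, but the loop should carry a comment saying the count is of open files rather than of signals delivered, so nobody later reads `rc` as a delivery count. The bare `1` in the third argument also deserves a comment that it requests the SEND_SIG_PRIV form the commit message describes.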