From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Frank Haverkamp, Joerg-Stephan Vogt, Michael Jung, Michael Ruettger, Kleber Sacilotto de Souza, Sebastian Ott, "Eberhard S. Amann", Gabriel Krisman Bertazi, "Guilherme G. Piccoli", "Eric W. Biederman"
Subject: [PATCH 3.18 32/90] signal/GenWQE: Fix sending of SIGKILL
Date: Mon, 19 Nov 2018 17:29:14 +0100
Message-Id: <20181119162626.068424727@linuxfoundation.org>
In-Reply-To: <20181119162620.585061184@linuxfoundation.org>
References: <20181119162620.585061184@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman

commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genwqe_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the thread that opened the file will be in
existence when the process terminates.  Neither of which are
guaranteed to be true.

Therefore replace caching the task_struct of the opener with
pid of the opener's thread group id.  All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove its unnecessary
signal argument, update its only caller, and use kill_pid
instead of force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processes
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling synchronous
exceptions.

It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible use after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman
Cc: Frank Haverkamp
Cc: Joerg-Stephan Vogt
Cc: Michael Jung
Cc: Michael Ruettger
Cc: Kleber Sacilotto de Souza
Cc: Sebastian Ott
Cc: Eberhard S. Amann
Cc: Gabriel Krisman Bertazi
Cc: Guilherme G. Piccoli
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Greg Kroah-Hartman

---
 drivers/misc/genwqe/card_base.h | 2 +-
 drivers/misc/genwqe/card_dev.c  | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/misc/genwqe/card_base.h +++ b/drivers/misc/genwqe/card_base.h 
@@ -405,7 +405,7 @@ struct genwqe_file { struct file *filp; struct fasync_struct *async_queue; - struct task_struct *owner; + struct pid *opener; struct list_head list; /* entry in list of open files */ spinlock_t map_lock; /* lock for dma_mappings */ --- a/drivers/misc/genwqe/card_dev.c +++ b/drivers/misc/genwqe/card_dev.c @@ -52,7 +52,7 @@ static void genwqe_add_file(struct genwq { unsigned long flags; - cfile->owner = current; + cfile->opener = get_pid(task_tgid(current)); spin_lock_irqsave(&cd->file_lock, flags); list_add(&cfile->list, &cd->file_list); spin_unlock_irqrestore(&cd->file_lock, flags); @@ -65,6 +65,7 @@ static int genwqe_del_file(struct genwqe spin_lock_irqsave(&cd->file_lock, flags); list_del(&cfile->list); spin_unlock_irqrestore(&cd->file_lock, flags); + put_pid(cfile->opener); return 0; } @@ -275,7 +276,7 @@ static int genwqe_kill_fasync(struct gen return files; } -static int genwqe_force_sig(struct genwqe_dev *cd, int sig) +static int genwqe_terminate(struct genwqe_dev *cd) { unsigned int files = 0; unsigned long flags; @@ -283,7 +284,7 @@ static int genwqe_force_sig(struct genwq spin_lock_irqsave(&cd->file_lock, flags); list_for_each_entry(cfile, &cd->file_list, list) { - force_sig(sig, cfile->owner); + kill_pid(cfile->opener, SIGKILL, 1); files++; } spin_unlock_irqrestore(&cd->file_lock, flags); @@ -1356,7 +1357,7 @@ static int genwqe_inform_and_stop_proces dev_warn(&pci_dev->dev, "[%s] send SIGKILL and wait ...\n", __func__); - rc = genwqe_force_sig(cd, SIGKILL); /* force terminate */ + rc = genwqe_terminate(cd); if (rc) { /* Give kill_timout more seconds to end processes */ for (i = 0; (i < genwqe_kill_timeout) &&
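
Review bot: In the card_base.h hunk the new `struct pid *opener;` member has no comment, while the neighbouring members (`list`, `map_lock`) document their role. Since the whole point of the change is that this pointer is now a counted reference rather than a borrowed `current`, a short comment saying it holds a reference to the opener's thread group pid, taken in genwqe_add_file and dropped in genwqe_del_file, would keep a later editor from assigning to it without get_pid.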
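
Review bot: In the genwqe_del_file hunk, `put_pid(cfile->opener);` drops the reference but leaves cfile->opener pointing at the released struct pid. The placement after list_del and the unlock is right, because genwqe_terminate only reads cfile->opener while walking file_list under file_lock, so an unlinked cfile can no longer be signalled. Consider clearing the pointer after the put so that any later access to this cfile fails on a NULL rather than on freed memory, and note the get_pid/put_pid pairing in a comment at one of the two sites.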
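
Review bot: In the genwqe_terminate loop, the return value of `kill_pid(cfile->opener, SIGKILL, 1);` is discarded and `files++` runs unconditionally, so an opener that has already exited is still counted and the caller, which tests `if (rc)`, goes on to wait up to genwqe_kill_timeout for a process that was never signalled. The commit message accepts that wait for the passed-descriptor case, but counting only successful deliveries would avoid it when every kill_pid fails. The bare `1` also deserves a comment: it is the flag that makes this the SEND_SIG_PRIV delivery the commit message describes, which is not obvious from the call site.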