Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp162751ybg; Sun, 26 Jul 2020 00:09:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzJf5SrU4ejCFDFobU+M+fkchhtHkcYbk0fq85HxTNnOshYJUHGk+qhjTZpi2K0BX77K9ww X-Received: by 2002:a50:e60d:: with SMTP id y13mr15777480edm.225.1595747354674; Sun, 26 Jul 2020 00:09:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595747354; cv=none; d=google.com; s=arc-20160816; b=GPV6yh11qvOG9JN/WCBf/cl9tbMU2opq2/QrJg9fUqx4P4qwo936BgQCY/69IbjNJl iyi9WIoXVGNI1dmSNtnJ3WnmHR2HFfvQNZwisFtSBtIPyXBMZqK1ohqh6GcIPYOrMJ76 7hiV7M1B+K5/HPIThSNp7b2NOpN4DQWWeKiRaN+IWUjRscqFecI8Hz4KfjMHGKP9nRtV cDIpPm/moYlkozlqBQ32IynPCBFn/09XnzR9eUUeByJ3LuMPj9toIzJSGdHimxunjq27 sN4xzMK9a9vqLTca3gQxODROiKjybf+6H8TOPxkaD1MaLF9JB7kqKXS+X/2SYpx9zDlY FloA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=TVCMjfc8yE68ZxU/hdEFUenpXnkF6G6s6u+4lbFBL4Y=; b=hAYuf9XU5/jWcKlgpjlA4Xol+4scwRgb+1sc3Y1VgTZIUbhVoopTToRabA7f+l07Tx 7JY0b7gQfY+iLzJJz3pBoa9UsjtZVmc+mWJFF9N57adGX1WqZQ/fKbmwyTE9NW4Qo0D0 GfhPnW+b6DOVqv7WFCJrgDJgjJXL7t80YTHvh4D/W2Yt/fswgdEo1WjxnmFDOZvXaTZ2 VtmDAFQMSuhUdPOl1H8vKsJx6GmtgAfgQQ7jW45bINPXSqEBbv0iGOnKM4htnKC2f9NK WuFq+eky6WAwA6dTJ5XA9RCTQenrZinS7aOriNDkmRfYPGL+QSc3uQhFCH3wD5RA1IIq R/cQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GZ+tc5Ko; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m27si3293227eja.699.2020.07.26.00.08.52; Sun, 26 Jul 2020 00:09:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=GZ+tc5Ko; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726244AbgGZHGy (ORCPT + 99 others); Sun, 26 Jul 2020 03:06:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:59720 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725789AbgGZHGy (ORCPT ); Sun, 26 Jul 2020 03:06:54 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1949920663; Sun, 26 Jul 2020 07:06:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595747213; bh=yqMeuAH11AK4xZQOGYBvoNfIg6YKAOUK5pcvK+ySOUU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=GZ+tc5Ko/nEIVET5iSFPN7/QrL0ET0/yd8TZYXCL8QhrqY+EaTu38psk8QFqM448K 2e0fjfBjNKkXARz5YjTsziAyDw4DRKrnq7zqVxdpH43HWO4pIaLj70fUzmlZbcbFif Qk5Z9UTjuQWWmfuVK+QaLap5qPcxFoRd8HR+d5hY= Date: Sun, 26 Jul 2020 09:06:50 +0200 From: Greg Kroah-Hartman To: Xin Xiong Cc: Jiri Slaby , linux-kernel@vger.kernel.org, Xiyu Yang , Xin Tan , yuanxzhang@fudan.edu.cn Subject: Re: [PATCH] tty: fix pid refcount leak in tty_signal_session_leader Message-ID: <20200726070650.GA440555@kroah.com> References: <20200726052804.GA51199@xin-virtual-machine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200726052804.GA51199@xin-virtual-machine> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jul 26, 2020 at 01:28:04PM +0800, Xin Xiong wrote: > In the loop, every time when p->signal->leader is true, the function > tty_signal_session_leader() will invoke get_pid() and return a > reference of tty->pgrp with increased refcount to the local variable > tty_pgrp or return NULL if it fails. After finishing the loop, the > function invokes put_pid() for only once, decreasing the refcount that > tty_pgrp keeps. > > Refcount leaks may occur when the scenario that p->signal->leader is > true happens more than once. In this assumption, if the above scenario > happens n times in the loop, the function forgets to decrease the > refcount for n-1 times, which causes refcount leaks. > > Fix the issue by decreasing the current refcount of the local variable > tty_pgrp before assigning new objects to it. > > Signed-off-by: Xiyu Yang > Signed-off-by: Xin Tan > Signed-off-by: Xin Xiong > --- > drivers/tty/tty_jobctrl.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c > index f8ed50a16848..9e6bf693ade1 100644 > --- a/drivers/tty/tty_jobctrl.c > +++ b/drivers/tty/tty_jobctrl.c > @@ -212,6 +212,8 @@ int tty_signal_session_leader(struct tty_struct *tty, int exit_session) > __group_send_sig_info(SIGCONT, SEND_SIG_PRIV, p); > put_pid(p->signal->tty_old_pgrp); /* A noop */ > spin_lock(&tty->ctrl_lock); > + if (tty_pgrp) > + put_pid(tty_pgrp); No need to check this before calling it. But, the real question is why is this needed now? Nothing has changed in this area of the kernel for a very long time, so how did things get broken here? How are you triggering this and what is the result when we have that additional reference? thanks, greg k-h