Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp1889024pxv; Fri, 2 Jul 2021 15:14:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxT2pXswwxbKlY4i8xUmM50uu02x9ThSrSx7R9ZeYQF6FnxS9ekDG2Bn7h9mtuoinzH7M/3 X-Received: by 2002:a17:907:968d:: with SMTP id hd13mr1906333ejc.203.1625264094776; Fri, 02 Jul 2021 15:14:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625264094; cv=none; d=google.com; s=arc-20160816; b=Ikk5JlzTWKbMZcPrZvcSC3vsfofZLUUATDUlIEXiT7pRKnfzGw3onrqQ96CPtH7+US SrBPiteGfdwnmwe6nijotAj4Hp7lHqFiw2IZ/8xTnc+Dg9SAJ/KIJCK0lYUo9lFQBlXO rQtAe9A9Bjpg9qHRKm1+nKOvo8HQ3mYSajpd4G3nvMZvwlLx1yutwoixVmiZlUvEGcVZ Qk7SIRB1sCPnpBJnY4Cd9E8hHpw0o5P38bO+WAslj6cSBMKDi8ypxzp4fHIu0UoQSlWb 4jH2dTGKC/U7jYiYP/baWP4vkd1SC6zPkswUXLoOFc/IrSsw4qh/qYlOi37wQhx0mlfE D/Tw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=KEZ8WS1/P9JTGSLCcSvWjs/G9krL0GBd8QeReo+j1Zk=; b=F1NutUaK1xSr6H85fnYGXBVNpCGWFKeYlU3hyOzyGrBMygyWdN9laTI2XY7835uzSy RFL8IlzX0qYpH/l22Tde8vbtBbyHiTS1sSeWa3qiRjXAw+o40Zy0yst/SgrFEdqirFak 3rmSs7zz/tVAw08byRa2j6KktN4NXHlo8B+vTLz3ezVlNdqXJkg0DLaT7lSA3iTLpl6A FhwyBHdM9vrv8L4rLDIc0/DuFUhHlJ2WJfBMZUvit1U1/ha0jFRMSuEjmMbkrCPhjBQJ F0ozDRgx5N1EubsgWBzrN+9XuS2P6gcLhCfQVvyntNlj4mzrHQ87gZI1s3frQNRyS2Ep Vqow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=YkSDML8E; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n5si3907821edv.524.2021.07.02.15.14.31; Fri, 02 Jul 2021 15:14:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=YkSDML8E; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232977AbhGBWQL (ORCPT + 99 others); Fri, 2 Jul 2021 18:16:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230141AbhGBWQK (ORCPT ); Fri, 2 Jul 2021 18:16:10 -0400 Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED550C061762 for ; Fri, 2 Jul 2021 15:13:37 -0700 (PDT) Received: by mail-lf1-x12b.google.com with SMTP id bu19so20644848lfb.9 for ; Fri, 02 Jul 2021 15:13:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KEZ8WS1/P9JTGSLCcSvWjs/G9krL0GBd8QeReo+j1Zk=; b=YkSDML8ETWqihRMIfeWD243ylc4Mo9Vok9hpERJMs7D+ji6L3jYQF7ApYt6d+LLDqB ra0TiWI801rOypgULgkh1CBvXidO8s4y3oUpaTdcuKcABrAIXMtEFcZjQoL8qH8pj/08 rmqGADSlByI2KqZHR/WV8Gk1t96DAB95DYmrM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KEZ8WS1/P9JTGSLCcSvWjs/G9krL0GBd8QeReo+j1Zk=; b=pcG3ahwSoqUsd67ypxKYcEyhPRG3dDQYpN03PXZvriPOxc6Zpe9rVhAjrCxA9dbdW2 LD3hWJc653j17YB62+vjm1ajYL4JuW8GlKPlkFC337oHu3g0oWH4dmwCKmYIdMHV6RD1 daRD5b7e4NRTQ9I/2tt+PX0u/0mSHvDDCFGlHlhrYTG+YL2iCiEClp0cezF7vAcn42mK 0VyiRNa4YjeM2K4GZ5Do7EC0F2gmI8pkgFAPZAmqO20z7ZaVqymynNuO8AHaYfYE79E4 opLcENIp7bePdKYW/znsoWbvaHO1CkUKq1ZmzcRI3Y2RqRnwAeJciYwG+2Q3gxL/WbEJ VCAA== X-Gm-Message-State: AOAM531GeL8YYZfFyYfQRyf9iJ+XlUyVfwqsb1y+E+otLSMcxxpcd7I1 IjQt041G9FZRXARM8fxf+z2aObXv6GmAAYSmkHM= X-Received: by 2002:ac2:4ac6:: with SMTP id m6mr1247869lfp.189.1625264016057; Fri, 02 Jul 2021 15:13:36 -0700 (PDT) Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com. [209.85.208.175]) by smtp.gmail.com with ESMTPSA id a2sm511988ljp.117.2021.07.02.15.13.35 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 02 Jul 2021 15:13:35 -0700 (PDT) Received: by mail-lj1-f175.google.com with SMTP id u25so15249123ljj.11 for ; Fri, 02 Jul 2021 15:13:35 -0700 (PDT) X-Received: by 2002:a2e:9c58:: with SMTP id t24mr1182109ljj.411.1625264014789; Fri, 02 Jul 2021 15:13:34 -0700 (PDT) MIME-Version: 1.0 References: <20210702175442.1603082-1-legion@kernel.org> In-Reply-To: <20210702175442.1603082-1-legion@kernel.org> From: Linus Torvalds Date: Fri, 2 Jul 2021 15:13:18 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] ucounts: Fix UCOUNT_RLIMIT_SIGPENDING counter leak To: Alexey Gladkov Cc: "Eric W. Biederman" , Linux Kernel Mailing List , Linux Containers Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 2, 2021 at 10:55 AM Alexey Gladkov wrote: > > @@ -424,10 +424,10 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t gfp_flags, > * changes from/to zero. > */ > rcu_read_lock(); > - ucounts = task_ucounts(t); > + ucounts = ucounts_new = task_ucounts(t); > sigpending = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1); > if (sigpending == 1) > - ucounts = get_ucounts(ucounts); > + ucounts_new = get_ucounts(ucounts); > rcu_read_unlock(); I think this is still problematic. If get_ucounts() fails, we can't just drop the RCU lock and (later) use "ucounts" that we hold no reference to. Or am I missing something? I'm not entirely sure about the lifetime of that RCU protection, and I do note that "task_ucounts()" uses "task_cred_xxx()", which already does rcu_read_lock()/rcu_read_unlock() in the actual access. So I'm thinking the code could/should be written something like this instead: diff --git a/kernel/signal.c b/kernel/signal.c index f6371dfa1f89..40781b197227 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -422,22 +422,33 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t gfp_flags, * NOTE! A pending signal will hold on to the user refcount, * and we get/put the refcount only when the sigpending count * changes from/to zero. + * + * And if the ucount rlimit overflowed, we do not get to use it at all. */ rcu_read_lock(); ucounts = task_ucounts(t); sigpending = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1); - if (sigpending == 1) - ucounts = get_ucounts(ucounts); + switch (sigpending) { + case 1: + if (likely(get_ucounts(ucounts))) + break; + + dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1); + fallthrough; + case LONG_MAX: + rcu_read_unlock(); + return NULL; + } rcu_read_unlock(); - if (override_rlimit || (sigpending < LONG_MAX && sigpending <= task_rlimit(t, RLIMIT_SIGPENDING))) { + if (override_rlimit || sigpending <= task_rlimit(t, RLIMIT_SIGPENDING)) { q = kmem_cache_alloc(sigqueue_cachep, gfp_flags); } else { print_dropped_signal(sig); } if (unlikely(q == NULL)) { - if (ucounts && dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1)) + if (dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING, 1)) put_ucounts(ucounts); } else { INIT_LIST_HEAD(&q->list); (and no, I'm not sure it's a good idea to make that use a "switch()" - maybe the LONG_MAX case should be a "if (unlikely())" thing after the rcu_read_ulock() instead? Hmm? The alternate thing is to say "No, Linus, you're a nincompoop and wrong, that RCU protection is a non-issue because we hold a reference to the task, and task_ucounts() will not change, so the RCU read lock doesn't do anything". Although then I would think the rcu_read_lock/rcu_read_unlock here is entirely pointless. Linus