Date: Fri, 2 Sep 2022 03:41:35 +0000
Message-ID: <20220902034135.2853973-1-ovt@google.com>
Subject: [PATCH] seccomp: fix refcounter leak if fork/clone is terminated
From: Oleksandr Tymoshenko
To: linux-kernel@vger.kernel.org
Cc: brauner@kernel.org, Oleksandr Tymoshenko, stable@vger.kernel.org

release_task, where the seccomp filter refcounter is released, is not called for the case when the fork/clone is terminated midway by a signal. This leaves an extra reference that prevents the filter from being destroyed even after all processes using it exit, leading to a BPF JIT memory leak.

Dereference the refcounter in the failure path of the copy_process function.

Fixes: 3a15fb6ed92c ("seccomp: release filter after task is fully dead")
Cc: Christian Brauner
Cc: stable@vger.kernel.org
Signed-off-by: Oleksandr Tymoshenko
---
kernel/fork.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/kernel/fork.c b/kernel/fork.c index 90c85b17bf69..20f7a3e91354 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1763,6 +1763,21 @@ static void copy_seccomp(struct task_struct *p) #endif } +static void release_seccomp(struct task_struct *p) +{ +#ifdef CONFIG_SECCOMP + /* + * Must be called with sighand->lock held, which is common to + * all threads in the group. Holding cred_guard_mutex is not + * needed because this new task is not yet running and cannot + * be racing exec. + */ + assert_spin_locked(¤t->sighand->siglock); + + seccomp_filter_release(p); +#endif +} + SYSCALL_DEFINE1(set_tid_address, int __user *, tidptr) { current->clear_child_tid = tidptr;
@@ -2495,6 +2510,7 @@ static __latent_entropy struct task_struct *copy_process( return p; bad_fork_cancel_cgroup: + release_seccomp(p); sched_core_free(p); spin_unlock(¤t->sighand->siglock); write_unlock_irq(&tasklist_lock); -- 2.37.2.789.g6183377224-goog
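Review bot: in the first hunk, the comment on release_seccomp() says it must be called with "sighand->lock held", but the lock the assertion checks is `current->sighand->siglock`, the parent's siglock; the comment should name the field actually used and say whose sighand is meant, since p is the task being torn down while the lock asserted belongs to current. The comment should also spell out why seccomp_filter_release() is safe to call on a child that has never run: per the Fixes: line and the commit message, that function was written to be called from release_task() once the task is fully dead, and a reader of this helper cannot see from here that its preconditions hold for a half-constructed task. A one-line pointer to copy_seccomp() would also avoid repeating the same locking rationale verbatim.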
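Review bot: in the second hunk, bad_fork_cancel_cgroup is a shared error label while the commit message describes only the fatal-signal case, so the message (or a comment at the new call) should state that every goto reaching this label happens after copy_seccomp(p) has taken the filter reference under siglock, and that no error path between copy_seccomp() and this label unwinds without passing release_seccomp(p); otherwise a goto added between them later would reintroduce the leak, and a goto from before copy_seccomp() would drop a reference that was never taken. It is also worth stating that nothing later in the unwind, after the spin_unlock(&current->sighand->siglock), drops the seccomp filter reference as well, since that would turn this into a double put. Placing the call before sched_core_free(p) and the unlock is consistent with the assert_spin_locked() in the helper.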