tty: release_one_tty() forgets to put pids
in [Kernel]
|
Prev: [PATCH 04/14] Allow CONFIG_MIGRATION to be set without CONFIG_NUMA or memory hot-remove
Next: [GIT PULL] tracing: updates
From: Oleg Nesterov on 2 Apr 2010 12:30 On 04/02, Oleg Nesterov wrote: > > release_one_tty(tty) can be called when tty still has a reference > to pgrp/session. In this case we leak the pid. > > The patch needs the ack from someone who understand tty magic. > > Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> I am sorry, I forgot it needs Reported-by: Catalin Marinas <catalin.marinas(a)arm.com> Reported-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> > --- > > drivers/char/tty_io.c | 2 ++ > 1 file changed, 2 insertions(+) > > --- TTT/drivers/char/tty_io.c~TTY_PID_LEAK 2010-03-17 16:00:59.000000000 +0100 > +++ TTT/drivers/char/tty_io.c 2010-04-02 17:23:07.000000000 +0200 > @@ -1423,6 +1423,8 @@ static void release_one_tty(struct work_ > list_del_init(&tty->tty_files); > file_list_unlock(); > > + put_pid(tty->pgrp); > + put_pid(tty->session); > free_tty_struct(tty); > } > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Linus Torvalds on 2 Apr 2010 14:00 On Fri, 2 Apr 2010, Oleg Nesterov wrote: > > release_one_tty(tty) can be called when tty still has a reference > to pgrp/session. In this case we leak the pid. Hmm. Maybe we should have cleared this in tty_release() already. We already do some of the session clearing there (but we clear the session in the _tasks_ associated with the tty, not the tty session pointer). But: > The patch needs the ack from someone who understand tty magic. I think the patch is simpler than worrying about the much more complex release logic. So I think I actually prefer this patch over something that tries to be clever in tty_release. We might even push it into "free_tty_struct()", although I think that the only non-release_one_tty() callers of that are the ones that allocated the tty but due to some failure never connected it to anything. So on the whole I think you picked the right spot. So I'll ACK it. But maybe Alan sees some problem/issue I didn't see. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Eric W. Biederman on 2 Apr 2010 14:30 Linus Torvalds <torvalds(a)linux-foundation.org> writes: > On Fri, 2 Apr 2010, Oleg Nesterov wrote: >> >> release_one_tty(tty) can be called when tty still has a reference >> to pgrp/session. In this case we leak the pid. > > Hmm. Maybe we should have cleared this in tty_release() already. We > already do some of the session clearing there (but we clear the session in > the _tasks_ associated with the tty, not the tty session pointer). > > But: > >> The patch needs the ack from someone who understand tty magic. > > I think the patch is simpler than worrying about the much more complex > release logic. So I think I actually prefer this patch over something that > tries to be clever in tty_release. > > We might even push it into "free_tty_struct()", although I think that the > only non-release_one_tty() callers of that are the ones that allocated the > tty but due to some failure never connected it to anything. So on the > whole I think you picked the right spot. > > So I'll ACK it. But maybe Alan sees some problem/issue I didn't see. I agree. However we made it to release_one_tty with pids we need to free them, before we free the tty structure itself. My general paranoia would suggest setting the pids to NULL. So that we don't have the chance of a use after free. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Oleg Nesterov on 2 Apr 2010 14:50 On 04/02, Linus Torvalds wrote: > > On Fri, 2 Apr 2010, Oleg Nesterov wrote: > > > > release_one_tty(tty) can be called when tty still has a reference > > to pgrp/session. In this case we leak the pid. > > Hmm. Maybe we should have cleared this in tty_release() already. We > already do some of the session clearing there (but we clear the session in > the _tasks_ associated with the tty, not the tty session pointer). Yes, probably we can free them earlier. But I am very nervous about this change, I tried to defer put_pid() as much as possible, in case something else uses ->prgp/session before free_tty_struct(). Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Oleg Nesterov on 2 Apr 2010 15:00
On 04/02, Eric W. Biederman wrote: > > My general paranoia would suggest setting the pids to NULL. So that > we don't have the chance of a use after free. In this case, I don't think this is needed. We are doing free_tty_struct()->kfree(tty) right after put_pid()s, nobody can use these pointers or we have another bug. Most probably this patch is correct (but perhaps it is not the best fix). Every time tty does put_pid() it should also clear the pointer. But I am not sure I grepped enough. Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |