lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151026073314.GD16521@pengutronix.de>
Date:	Mon, 26 Oct 2015 08:33:14 +0100
From:	Markus Pargmann <mpa@...gutronix.de>
To:	Oleg Nesterov <oleg@...hat.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Tejun Heo <tj@...nel.org>, nbd-general@...ts.sourceforge.net,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] kthread: introduce kthread_get_run() to fix
 __nbd_ioctl()

On Sun, Oct 25, 2015 at 03:27:13PM +0100, Oleg Nesterov wrote:
> It is not safe to use the task_struct returned by kthread_run(threadfn)
> if threadfn() can exit before the "owner" does kthread_stop(), nothing
> protects this task_struct.
> 
> So __nbd_ioctl() looks buggy; a killed nbd_thread_send() can exit, free
> its task_struct, and then kthread_stop() can use the freed/reused memory.
> 
> Add the new trivial helper, kthread_get_run(). Hopefully it will have more
> users, this patch changes __nbd_ioctl() as an example.

Thanks.

Acked-by: Markus Pargmann <mpa@...gutronix.de>

However I am not sure this is important for 4.3 final. This bug is
present since at least 2008 (didn't look further).

Best Regards,

Markus

> 
> Signed-off-by: Oleg Nesterov <oleg@...hat.com>
> ---
>  drivers/block/nbd.c     |    5 +++--
>  include/linux/kthread.h |   12 ++++++++++++
>  2 files changed, 15 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index 93b3f99..b85e7a0 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -754,8 +754,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
>  		else
>  			blk_queue_flush(nbd->disk->queue, 0);
>  
> -		thread = kthread_run(nbd_thread_send, nbd, "%s",
> -				     nbd_name(nbd));
> +		thread = kthread_get_run(nbd_thread_send, nbd, "%s",
> +					 nbd_name(nbd));
>  		if (IS_ERR(thread)) {
>  			mutex_lock(&nbd->tx_lock);
>  			return PTR_ERR(thread);
> @@ -765,6 +765,7 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
>  		error = nbd_thread_recv(nbd);
>  		nbd_dev_dbg_close(nbd);
>  		kthread_stop(thread);
> +		put_task_struct(thread);
>  
>  		mutex_lock(&nbd->tx_lock);
>  
> diff --git a/include/linux/kthread.h b/include/linux/kthread.h
> index 13d5520..b0465cc 100644
> --- a/include/linux/kthread.h
> +++ b/include/linux/kthread.h
> @@ -37,6 +37,18 @@ struct task_struct *kthread_create_on_cpu(int (*threadfn)(void *data),
>  	__k;								   \
>  })
>  
> +/* Same as kthread_run() but also pin the task_struct */
> +#define kthread_get_run(threadfn, data, namefmt, ...)			   \
> +({									   \
> +	struct task_struct *__k						   \
> +		= kthread_create(threadfn, data, namefmt, ## __VA_ARGS__); \
> +	if (!IS_ERR(__k)) {						   \
> +		get_task_struct(__k);					   \
> +		wake_up_process(__k);					   \
> +	}								   \
> +	__k;								   \
> +})
> +
>  void kthread_bind(struct task_struct *k, unsigned int cpu);
>  void kthread_bind_mask(struct task_struct *k, const struct cpumask *mask);
>  int kthread_stop(struct task_struct *k);
> -- 
> 1.5.5.1
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ