| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Jan 2018 13:05:19 +0300
From: Kirill Tkhai <ktkhai@...tuozzo.com>
To: Oleg Nesterov <oleg@...hat.com>
Cc: linux-kernel@...r.kernel.org, gregkh@...uxfoundation.org,
jslaby@...e.com, viro@...iv.linux.org.uk, keescook@...omium.org,
serge@...lyn.com, james.l.morris@...cle.com, luto@...nel.org,
john.johansen@...onical.com, mingo@...nel.org,
akpm@...ux-foundation.org, mhocko@...e.com, peterz@...radead.org
Subject: Re: [PATCH 3/4] tty: Iterate only thread group leaders in __do_SAK()
On 12.01.2018 11:42, Kirill Tkhai wrote:
> On 11.01.2018 21:34, Oleg Nesterov wrote:
>> On 01/11, Kirill Tkhai wrote:
>>>
>>> Since threads can't have additional fd in comparison
>>> to thread group leader
>> ...
>>> as they definitely have the same
>>> files struct, as thread group leader.
>>
>> Hmm. Why? Iirc CLONE_THREAD doesn't require CLONE_FILES?
>
> Oh, it's really so. Surprise. Thanks for pointing that.
> I'll try to find a way, how we can iterate threads fds using rcu.
>
>> Also. The group leader can exit, in this case its ->files == NULL
>> but other threads can be alive.
>
> Sure, thanks, Oleg.
How about this patch instead of the whole set? I left thread iterations
and added sighand locking for visability.
It looks like the only way, that already iterated tasks reopen tty fd again,
is when they obtain it from unix scm or from foreign /proc/[pid]/fd/[fd]
like it was before the patch. What do you think about this?
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index dc60aeea87d8..ab86aabfebc7 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2706,6 +2706,7 @@ void __do_SAK(struct tty_struct *tty)
#else
struct task_struct *g, *p;
struct pid *session;
+ unsigned long flags;
int i;
if (!tty)
@@ -2723,25 +2724,51 @@ void __do_SAK(struct tty_struct *tty)
task_pid_nr(p), p->comm);
send_sig(SIGKILL, p, 1);
} while_each_pid_task(session, PIDTYPE_SID, p);
+ read_unlock(&tasklist_lock);
+ tty_lock(tty);
+ rcu_read_lock();
/* Now kill any processes that happen to have the tty open */
- do_each_thread(g, p) {
- if (p->signal->tty == tty) {
- tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
- task_pid_nr(p), p->comm);
- send_sig(SIGKILL, p, 1);
- continue;
+ for_each_process(g) {
+ for_each_thread(g, p) {
+ task_lock(p);
+ i = iterate_fd(p->files, 0, this_tty, tty);
+ if (i != 0) {
+ tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
+ task_pid_nr(p), p->comm, i - 1);
+ force_sig(SIGKILL, p);
+ }
+ task_unlock(p);
+
+ /*
+ * p->signal is always valid for task_struct obtained
+ * from the task list under rcu_read_lock().
+ */
+ if (!i && p->signal->tty == tty) {
+ tty_notice(tty, "SAK: killed process %d (%s): by controlling tty\n",
+ task_pid_nr(p), p->comm);
+ send_sig(SIGKILL, p, 1);
+ }
+
+ if (READ_ONCE(p->thread_node.next) == &g->signal->thread_head) {
+ /* Take and drop the lock to see newly forked threads */
+ if (lock_task_sighand(p, &flags))
+ unlock_task_sighand(p, &flags);
+ else {
+ read_lock(&tasklist_lock);
+ read_unlock(&tasklist_lock);
+ }
+ }
}
- task_lock(p);
- i = iterate_fd(p->files, 0, this_tty, tty);
- if (i != 0) {
- tty_notice(tty, "SAK: killed process %d (%s): by fd#%d\n",
- task_pid_nr(p), p->comm, i - 1);
- force_sig(SIGKILL, p);
+
+ if (unlikely(next_task(p) == &init_task)) {
+ /* Take and drop the lock to see newly forked tasks */
+ read_lock(&tasklist_lock);
+ read_unlock(&tasklist_lock);
}
- task_unlock(p);
- } while_each_thread(g, p);
- read_unlock(&tasklist_lock);
+ }
+ rcu_read_unlock();
+ tty_unlock(tty);
#endif
}
Powered by blists - more mailing lists