* [PATCH v2 repost] posix-cpu-timers: fix nanosleep task_struct leak
@ 2013-02-15 10:08 Stanislaw Gruszka
From: Stanislaw Gruszka @ 2013-02-15 10:08 UTC (permalink / raw)
To: Oleg Nesterov, Thomas Gleixner
Cc: LKML, Dave Jones, John Stultz, Tommi Rantala, Andrew Morton
In do_cpu_nanosleep() we do posix_cpu_timer_create(), but forgot the
corresponding posix_cpu_timer_del(), which leads to a task_struct leak.
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: stable@vger.kernel.org
---
v1 -> v2: add comments
This looks like a DoS problem fix, since it's possible for a normal user
to eat kernel memory (very slowly though), hence Cc stable.
kernel/posix-cpu-timers.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
index a278cad..942ca27 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
@@ -1401,8 +1401,10 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
while (!signal_pending(current)) {
if (timer.it.cpu.expires.sched == 0) {
/*
- * Our timer fired and was reset.
+ * Our timer fired and was reset, below
+ * deletion can not fail.
*/
+ posix_cpu_timer_del(&timer);
spin_unlock_irq(&timer.it_lock);
return 0;
}
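Review bot: the return value of the new posix_cpu_timer_del(&timer) call in the "timer fired and was reset" branch is discarded on the strength of the comment, yet the second hunk shows the same call can return TIMER_RETRY; writing it as WARN_ON(posix_cpu_timer_del(&timer)) would make a violated assumption visible instead of silently leaking the task_struct reference the patch is meant to release. Minor style point on the comment wording: "Our timer fired and was reset, the deletion below cannot fail." reads more naturally than "below deletion can not fail".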
@@ -1420,9 +1422,26 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
* We were interrupted by a signal.
*/
sample_to_timespec(which_clock, timer.it.cpu.expires, rqtp);
- posix_cpu_timer_set(&timer, 0, &zero_it, it);
+ error = posix_cpu_timer_set(&timer, 0, &zero_it, it);
+ if (!error) {
+ /*
+ * Timer is now unarmed, deletion can not fail.
+ */
+ posix_cpu_timer_del(&timer);
+ }
spin_unlock_irq(&timer.it_lock);
+ while (error == TIMER_RETRY) {
+ /*
+ * We need to handle case when timer was or is in the
+ * middle of firing. In other cases we already freed
+ * resources.
+ */
+ spin_lock_irq(&timer.it_lock);
+ error = posix_cpu_timer_del(&timer);
+ spin_unlock_irq(&timer.it_lock);
+ }
+
if ((it->it_value.tv_sec | it->it_value.tv_nsec) == 0) {
/*
* It actually did fire already.
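Review bot: if posix_cpu_timer_set() returns anything other than 0 or TIMER_RETRY, neither the "if (!error)" branch nor the "while (error == TIMER_RETRY)" loop deletes the timer, so the reference would leak again on that path; if only those two results are possible for the current task, a short comment stating that (or a WARN_ON(error && error != TIMER_RETRY) before the unlock) would document the assumption. The retry loop also takes and drops it_lock in a tight spin while the timer finishes firing; that is fine for a brief firing window, but a comment noting why no sleep or cpu_relax() is needed there would help the next reader. The hunk relies on an "error" local that is not declared in the visible context, so it assumes do_cpu_nanosleep() already has one.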
--
1.7.11.7
* [tip:timers/core] posix-cpu-timers: Fix nanosleep task_struct leak
@ 2013-02-15 10:54 ` tip-bot for Stanislaw Gruszka
From: tip-bot for Stanislaw Gruszka @ 2013-02-15 10:54 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, hpa, mingo, davej, john.stultz, tglx, tt.rantala,
oleg, sgruszka
Commit-ID: e6c42c295e071dd74a66b5a9fcf4f44049888ed8
Gitweb: http://git.kernel.org/tip/e6c42c295e071dd74a66b5a9fcf4f44049888ed8
Author: Stanislaw Gruszka <sgruszka@redhat.com>
AuthorDate: Fri, 15 Feb 2013 11:08:11 +0100
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 15 Feb 2013 11:41:56 +0100
posix-cpu-timers: Fix nanosleep task_struct leak
The trinity fuzzer triggered a task_struct reference leak via
clock_nanosleep with CPU_TIMERs. do_cpu_nanosleep() calls
posix_cpu_timer_create(), but misses a corresponding
posix_cpu_timer_del(), which leads to the task_struct reference leak.
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Dave Jones <davej@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20130215100810.GF4392@redhat.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
kernel/posix-cpu-timers.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
index a278cad..942ca27 100644
--- a/kernel/posix-cpu-timers.c
+++ b/kernel/posix-cpu-timers.c
@@ -1401,8 +1401,10 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
while (!signal_pending(current)) {
if (timer.it.cpu.expires.sched == 0) {
/*
- * Our timer fired and was reset.
+ * Our timer fired and was reset, below
+ * deletion can not fail.
*/
+ posix_cpu_timer_del(&timer);
spin_unlock_irq(&timer.it_lock);
return 0;
}
@@ -1420,9 +1422,26 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
* We were interrupted by a signal.
*/
sample_to_timespec(which_clock, timer.it.cpu.expires, rqtp);
- posix_cpu_timer_set(&timer, 0, &zero_it, it);
+ error = posix_cpu_timer_set(&timer, 0, &zero_it, it);
+ if (!error) {
+ /*
+ * Timer is now unarmed, deletion can not fail.
+ */
+ posix_cpu_timer_del(&timer);
+ }
spin_unlock_irq(&timer.it_lock);
+ while (error == TIMER_RETRY) {
+ /*
+ * We need to handle case when timer was or is in the
+ * middle of firing. In other cases we already freed
+ * resources.
+ */
+ spin_lock_irq(&timer.it_lock);
+ error = posix_cpu_timer_del(&timer);
+ spin_unlock_irq(&timer.it_lock);
+ }
+
if ((it->it_value.tv_sec | it->it_value.tv_nsec) == 0) {
/*
* It actually did fire already.