From: Oleg Nesterov <oleg@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
Clark Williams <williams@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [BUG] signal: sighand unprotected when accessed by /proc
Date: Tue, 3 Jun 2014 19:26:32 +0200 [thread overview]
Message-ID: <20140603172632.GA27956@redhat.com> (raw)
In-Reply-To: <20140603130233.658a6a3c@gandalf.local.home>
On 06/03, Steven Rostedt wrote:
>
> We were able to trigger this bug in -rt, and by review, I'm thinking
> that this could very well be a mainline bug too. I had our QA team add
> a trace patch to the kernel to prove my analysis, and it did.
>
> Here's the patch:
>
> http://rostedt.homelinux.com/private/sighand-trace.patch
>
> Let me try to explain the bug:
>
>
> CPU0 CPU1
> ---- ----
> [ read of /proc/<pid>/stat ]
> get_task_struct();
> [...]
> [ <pid> exits ]
> [ parent does wait on <pid> ]
> wait_task_zombie()
> release_task()
> proc_flush_task()
> /* the above removes new access
> to the /proc system */
> __exit_signal()
> __cleanup_sighand(sighand);
> atomic_dec_and_test(sighand->count);
> do_task_stat()
> lock_task_sighand(task);
> sighand = rcu_dereference(tsk->sighand);
>
> kmem_cache_free(sighand);
>
> if (sighand != NULL)
> spin_lock(sighand->siglock);
>
> ** BOOM! use after free **
Yes, ->sighand can be already freed at this point, but this should be
fine because sighand_cachep is SLAB_DESTROY_BY_RCU.
That is why lock_task_sighand() does rcu_read_lock() and re-checks
sighand == tsk->sighand after it takes ->siglock. It is fine if it was
already freed or even reallocated via kmem_cache_alloc(sighand_cachep).
We only need to ensure that (SLAB_DESTROY_BY_RCU should ensure this)
this memory won't be returned to system, so this peace of memory must
be "struct sighand" with the properly initialized ->siglock until
rcu_read_unlock().
> Seems there is no protection between reading the sighand from proc and
> freeing it. The sighand->count is not updated, and the sighand is not
> freed via rcu.
See above.
> One, the spinlock in -rt is an rtmutex. The list_del_entry() bug is the
> task trying to remove itself from sighand->lock->wait_list. As the lock
> has been freed, the list head of the rtmutex is corrupted.
looks like, SLAB_DESTROY_BY_RCU logic is broken?
Oleg.
next prev parent reply other threads:[~2014-06-03 17:27 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-03 17:02 [BUG] signal: sighand unprotected when accessed by /proc Steven Rostedt
2014-06-03 17:26 ` Oleg Nesterov [this message]
2014-06-03 18:03 ` Linus Torvalds
2014-06-03 20:01 ` Oleg Nesterov
2014-06-03 20:03 ` Oleg Nesterov
2014-06-06 20:33 ` Paul E. McKenney
2014-06-08 13:07 ` safety of *mutex_unlock() (Was: [BUG] signal: sighand unprotected when accessed by /proc) Oleg Nesterov
2014-06-09 16:26 ` Paul E. McKenney
2014-06-09 18:15 ` Oleg Nesterov
2014-06-09 18:29 ` Steven Rostedt
2014-06-09 18:51 ` Linus Torvalds
2014-06-09 19:41 ` Steven Rostedt
2014-06-10 8:53 ` Thomas Gleixner
2014-06-10 16:57 ` Oleg Nesterov
2014-06-10 18:08 ` Thomas Gleixner
2014-06-10 18:13 ` Steven Rostedt
2014-06-10 20:05 ` Thomas Gleixner
2014-06-10 20:13 ` Thomas Gleixner
2014-06-11 15:52 ` Paul E. McKenney
2014-06-11 17:07 ` Oleg Nesterov
2014-06-11 17:17 ` Oleg Nesterov
2014-06-11 17:29 ` Paul E. McKenney
2014-06-11 17:59 ` Oleg Nesterov
2014-06-11 19:56 ` Paul E. McKenney
2014-06-12 17:28 ` Oleg Nesterov
2014-06-12 20:35 ` Paul E. McKenney
2014-06-12 21:40 ` Thomas Gleixner
2014-06-12 22:27 ` Paul E. McKenney
2014-06-12 23:19 ` Paul E. McKenney
2014-06-13 15:08 ` Oleg Nesterov
2014-06-15 5:40 ` Paul E. McKenney
2014-06-17 18:57 ` Paul E. McKenney
2014-06-18 16:43 ` Oleg Nesterov
2014-06-18 16:53 ` Steven Rostedt
2014-06-21 19:54 ` Thomas Gleixner
2014-06-18 17:00 ` Paul E. McKenney
2014-06-13 14:55 ` Oleg Nesterov
2014-06-13 16:10 ` Thomas Gleixner
2014-06-13 16:19 ` Oleg Nesterov
2014-06-13 14:52 ` Oleg Nesterov
2014-06-11 17:27 ` Paul E. McKenney
2014-06-10 17:07 ` Oleg Nesterov
2014-06-10 17:51 ` Thomas Gleixner
2014-06-10 12:56 ` Paul E. McKenney
2014-06-10 14:48 ` Peter Zijlstra
2014-06-10 15:18 ` Paul E. McKenney
2014-06-10 15:35 ` Linus Torvalds
2014-06-10 16:15 ` Paul E. McKenney
2014-06-09 19:04 ` Oleg Nesterov
2014-06-10 8:37 ` Peter Zijlstra
2014-06-10 12:52 ` Paul E. McKenney
2014-06-10 13:01 ` Peter Zijlstra
2014-06-10 14:36 ` Paul E. McKenney
2014-06-10 15:20 ` Paul E. McKenney
2014-06-03 20:05 ` [BUG] signal: sighand unprotected when accessed by /proc Steven Rostedt
2014-06-03 20:09 ` Oleg Nesterov
2014-06-03 20:15 ` Steven Rostedt
2014-06-03 20:25 ` Steven Rostedt
2014-06-03 21:12 ` Thomas Gleixner
2014-06-03 18:05 ` Steven Rostedt
2014-06-03 19:25 ` Oleg Nesterov
2014-06-04 1:16 ` Steven Rostedt
2014-06-04 16:31 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140603172632.GA27956@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=williams@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.