From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754043AbdAFCmd (ORCPT ); Thu, 5 Jan 2017 21:42:33 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:57218 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751384AbdAFCmZ (ORCPT ); Thu, 5 Jan 2017 21:42:25 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Zhou Chengming Cc: , , , , , , , , , , References: <1483666352-42761-1-git-send-email-zhouchengming1@huawei.com> Date: Fri, 06 Jan 2017 15:38:25 +1300 In-Reply-To: <1483666352-42761-1-git-send-email-zhouchengming1@huawei.com> (Zhou Chengming's message of "Fri, 6 Jan 2017 09:32:32 +0800") Message-ID: <87lguodiam.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1cPKTz-0003kk-Fw;;;mid=<87lguodiam.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=101.100.131.98;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+L7m9MHR6pAovfMPEa/ho43X6MKv46xFg= X-SA-Exim-Connect-IP: 101.100.131.98 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.2 LotsOfNums_01 BODY: Lots of long strings of numbers * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;Zhou Chengming X-Spam-Relay-Country: X-Spam-Timing: total 1694 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.9 (0.2%), b_tie_ro: 2.8 (0.2%), parse: 1.10 (0.1%), extract_message_metadata: 17 (1.0%), get_uri_detail_list: 3.1 (0.2%), tests_pri_-1000: 6 (0.3%), tests_pri_-950: 1.15 (0.1%), tests_pri_-900: 0.97 (0.1%), tests_pri_-400: 29 (1.7%), check_bayes: 28 (1.7%), b_tokenize: 10 (0.6%), b_tok_get_all: 10 (0.6%), b_comp_prob: 2.6 (0.2%), b_tok_touch_all: 4.1 (0.2%), b_finish: 0.69 (0.0%), tests_pri_0: 310 (18.3%), check_dkim_signature: 0.77 (0.0%), check_dkim_adsp: 3.4 (0.2%), tests_pri_500: 1322 (78.0%), poll_dns_idle: 1314 (77.6%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2] Drop reference added by grab_header X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Zhou Chengming writes: > Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference > added by grab_header when return from !dir_emit_dots path. > It can cause any path called unregister_sysctl_table will > wait forever. Applied. Thank you. I fixed up the subject line to be more specific: "sysctl: Drop reference added by grab_header in proc_sys_readdir" And added the tags: Fixes: f0c3b5093add ("[readdir] convert procfs") Cc: stable@vger.kernel.org So that everywhere that is affected by this reference leak can get found and fixed. Eric > The calltrace of CVE-2016-9191: > > [ 5535.960522] Call Trace: > [ 5535.963265] [] schedule+0x3f/0xa0 > [ 5535.968817] [] schedule_timeout+0x3db/0x6f0 > [ 5535.975346] [] ? wait_for_completion+0x45/0x130 > [ 5535.982256] [] wait_for_completion+0xc3/0x130 > [ 5535.988972] [] ? wake_up_q+0x80/0x80 > [ 5535.994804] [] drop_sysctl_table+0xc4/0xe0 > [ 5536.001227] [] drop_sysctl_table+0x77/0xe0 > [ 5536.007648] [] unregister_sysctl_table+0x4d/0xa0 > [ 5536.014654] [] unregister_sysctl_table+0x7f/0xa0 > [ 5536.021657] [] unregister_sched_domain_sysctl+0x15/0x40 > [ 5536.029344] [] partition_sched_domains+0x44/0x450 > [ 5536.036447] [] ? __mutex_unlock_slowpath+0x111/0x1f0 > [ 5536.043844] [] rebuild_sched_domains_locked+0x64/0xb0 > [ 5536.051336] [] update_flag+0x11d/0x210 > [ 5536.057373] [] ? mutex_lock_nested+0x2df/0x450 > [ 5536.064186] [] ? cpuset_css_offline+0x1b/0x60 > [ 5536.070899] [] ? trace_hardirqs_on+0xd/0x10 > [ 5536.077420] [] ? mutex_lock_nested+0x2df/0x450 > [ 5536.084234] [] ? css_killed_work_fn+0x25/0x220 > [ 5536.091049] [] cpuset_css_offline+0x35/0x60 > [ 5536.097571] [] css_killed_work_fn+0x5c/0x220 > [ 5536.104207] [] process_one_work+0x1df/0x710 > [ 5536.110736] [] ? process_one_work+0x160/0x710 > [ 5536.117461] [] worker_thread+0x12b/0x4a0 > [ 5536.123697] [] ? process_one_work+0x710/0x710 > [ 5536.130426] [] kthread+0xfe/0x120 > [ 5536.135991] [] ret_from_fork+0x1f/0x40 > [ 5536.142041] [] ? kthread_create_on_node+0x230/0x230 > > One cgroup maintainer mentioned that "cgroup is trying to offline > a cpuset css, which takes place under cgroup_mutex. The offlining > ends up trying to drain active usages of a sysctl table which apprently > is not happening." > The real reason is that proc_sys_readdir doesn't drop reference added > by grab_header when return from !dir_emit_dots path. So this cpuset > offline path will wait here forever. > > See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13 > > Reported-by: CAI Qian > Tested-by: Yang Shukui > Signed-off-by: Zhou Chengming > --- > fs/proc/proc_sysctl.c | 3 ++- > 1 files changed, 2 insertions(+), 1 deletions(-) > > diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c > index 5d931bf..c4c90bd 100644 > --- a/fs/proc/proc_sysctl.c > +++ b/fs/proc/proc_sysctl.c > @@ -718,7 +718,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) > ctl_dir = container_of(head, struct ctl_dir, header); > > if (!dir_emit_dots(file, ctx)) > - return 0; > + goto out; > > pos = 2; > > @@ -728,6 +728,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx) > break; > } > } > +out: > sysctl_head_finish(head); > return 0; > }