From: Oleg Nesterov <oleg@redhat.com>
To: Qing Wang <wangqing7171@gmail.com>
Cc: mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com,
vincent.guittot@linaro.org, akpm@linux-foundation.org,
david@kernel.org, dietmar.eggemann@arm.com, rostedt@goodmis.org,
bsegall@google.com, lorenzo.stoakes@oracle.com,
Liam.Howlett@oracle.com, vbabka@suse.cz, rppt@kernel.org,
brauner@kernel.org, mjguzik@gmail.com, jack@suse.cz,
joel.granados@kernel.org, linux-kernel@vger.kernel.org,
syzbot+e0378d4f4fe57aa2bdd0@syzkaller.appspotmail.com
Subject: Re: [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns
Date: Tue, 6 Jan 2026 10:04:17 +0100 [thread overview]
Message-ID: <aVzQEXa6eLhqmul_@redhat.com> (raw)
In-Reply-To: <20260105043627.1758935-1-wangqing7171@gmail.com>
On 01/05, Qing Wang wrote:
>
> The race condition occurs between the failure path of copy_process() and
> getting the PIDTYPE_TGID via __task_pid_nr_ns().
>
> Bug timeline:
> Task B
> perf_event_open()
> Task A <--------------------------- clone()
> copy_process()
> perf_event_init_task()
> ...
> one copy failed
> free_signal_struct() close(event_fd)
> perf_child_detach()
> __task_pid_nr_ns()
> access child task->signal
Sorry, this description very confusing to me... Is it Task B who does
clone? Or another Task A does copy_process() ? Could you write a more
clear changelog?
> bad_fork_cleanup_signal:
> - if (!(clone_flags & CLONE_THREAD))
> - free_signal_struct(p->signal);
> + if (!(clone_flags & CLONE_THREAD)) {
> + free_sig = p->signal;
> + p->signal = NULL;
> + free_signal_struct(free_sig);
> + }
> bad_fork_cleanup_sighand:
> __cleanup_sighand(p->sighand);
> bad_fork_cleanup_fs:
> diff --git a/kernel/pid.c b/kernel/pid.c
> index a31771bc89c1..1a012e033552 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -329,9 +329,9 @@ EXPORT_SYMBOL_GPL(find_vpid);
>
> static struct pid **task_pid_ptr(struct task_struct *task, enum pid_type type)
> {
> - return (type == PIDTYPE_PID) ?
> - &task->thread_pid :
> - &task->signal->pids[type];
> + if (type == PIDTYPE_PID)
> + return &task->thread_pid;
> + return task->signal ? &task->signal->pids[type] : NULL;
> }
At first glance this is racy. Can't task->signal be freed right after
the check?
And... Can't we make another fix? If copy_process() fails and does
free_signal_struct(), the child has not been added to rcu protected
lists and init_task_pid(child) was not called yet.
So perhaps something like the patch below can work?
Oleg.
---
--- x/kernel/events/core.c
+++ x/kernel/events/core.c
@@ -1422,16 +1422,17 @@ unclone_ctx(struct perf_event_context *c
static u32 perf_event_pid_type(struct perf_event *event, struct task_struct *p,
enum pid_type type)
{
- u32 nr;
+ u32 nr = 0;
/*
* only top level events have the pid namespace they were created in
*/
if (event->parent)
event = event->parent;
- nr = __task_pid_nr_ns(p, type, event->ns);
+ if (pid_alive(p))
+ nr = __task_pid_nr_ns(p, type, event->ns);
/* avoid -1 if it is idle thread or runs in another ns */
- if (!nr && !pid_alive(p))
+ if (!nr)
nr = -1;
return nr;
}
next prev parent reply other threads:[~2026-01-06 9:04 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-05 4:36 [PATCH] fork/pid: Fix use-after-free in __task_pid_nr_ns Qing Wang
2026-01-05 22:46 ` Andrew Morton
2026-01-06 7:07 ` Qing Wang
2026-01-06 9:04 ` Oleg Nesterov [this message]
2026-01-06 10:06 ` Qing Wang
2026-01-06 10:26 ` Qing Wang
2026-01-06 10:58 ` Oleg Nesterov
2026-01-06 10:58 ` Qing Wang
2026-01-06 11:19 ` Oleg Nesterov
2026-01-07 2:43 ` Qing Wang
2026-01-06 12:50 ` Oleg Nesterov
2026-01-07 9:40 ` Qing Wang
2026-01-07 14:54 ` Oleg Nesterov
2026-01-07 9:43 ` Oleg Nesterov
[not found] <20260105045609.1764387-1-wangqing7171@gmail.com>
2026-01-07 20:39 ` Kees Cook
2026-01-08 2:15 ` Qing Wang
2026-01-08 3:44 ` Qing Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aVzQEXa6eLhqmul_@redhat.com \
--to=oleg@redhat.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=bsegall@google.com \
--cc=david@kernel.org \
--cc=dietmar.eggemann@arm.com \
--cc=jack@suse.cz \
--cc=joel.granados@kernel.org \
--cc=juri.lelli@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mingo@redhat.com \
--cc=mjguzik@gmail.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=rppt@kernel.org \
--cc=syzbot+e0378d4f4fe57aa2bdd0@syzkaller.appspotmail.com \
--cc=vbabka@suse.cz \
--cc=vincent.guittot@linaro.org \
--cc=wangqing7171@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.