1 From dd1c1f2f2028a7b851f701fc6a8ebe39dcb95e7c Mon Sep 17 00:00:00 2001
2 From: Oleg Nesterov <oleg@redhat.com>
3 Date: Mon, 21 Aug 2017 17:35:02 +0200
4 Subject: pids: make task_tgid_nr_ns() safe
5
6 From: Oleg Nesterov <oleg@redhat.com>
7
8 commit dd1c1f2f2028a7b851f701fc6a8ebe39dcb95e7c upstream.
9
10 This was reported many times, and this was even mentioned in commit
11 52ee2dfdd4f5 ("pids: refactor vnr/nr_ns helpers to make them safe") but
12 somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns() is
13 not safe because task->group_leader points to nowhere after the exiting
14 task passes exit_notify(), rcu_read_lock() can not help.
15
16 We really need to change __unhash_process() to nullify group_leader,
17 parent, and real_parent, but this needs some cleanups. Until then we
18 can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and
19 fix the problem.
20
21 Reported-by: Troy Kensinger <tkensinger@google.com>
22 Signed-off-by: Oleg Nesterov <oleg@redhat.com>
23 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
25 ---
26 include/linux/pid.h | 4 +++-
27 include/linux/sched.h | 50 +++++++++++++++++++++++++++-----------------------
28 kernel/pid.c | 11 ++++-------
29 3 files changed, 34 insertions(+), 31 deletions(-)
30
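--- a/include/linux/pid.h
+++ b/include/linux/pid.h
@@ -8,7 +8,9 @@ enum pid_type
 PIDTYPE_PID,
 PIDTYPE_PGID,
 PIDTYPE_SID,
- PIDTYPE_MAX
+ PIDTYPE_MAX,
+ /* only valid to __task_pid_nr_ns() */
+ __PIDTYPE_TGID
 };
 
 /*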
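Review bot: The comment on the new `__PIDTYPE_TGID` enumerator says where it may be used but not why it has to sit after `PIDTYPE_MAX`: it is not a real pid type, so the per-task `pids[]` array (presumably sized by `PIDTYPE_MAX`; its declaration is not in this patch) must never be indexed with it, and loops bounded by `type < PIDTYPE_MAX` keep excluding it only because of its position. I would extend the comment to `/* not a pid type: never index pids[] with it; only __task_pid_nr_ns() accepts it and maps it to the group leader's PIDTYPE_PID */`. A later reordering that moved it above `PIDTYPE_MAX` would presumably turn it into an out-of-bounds index with no compiler diagnostic.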
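--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2132,31 +2132,8 @@ static inline pid_t task_tgid_nr(struct
 return tsk->tgid;
 }
 
-pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns);
-
-static inline pid_t task_tgid_vnr(struct task_struct *tsk)
-{
- return pid_vnr(task_tgid(tsk));
-}
-
 
 static inline int pid_alive(const struct task_struct *p);
-static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)
-{
- pid_t pid = 0;
-
- rcu_read_lock();
- if (pid_alive(tsk))
- pid = task_tgid_nr_ns(rcu_dereference(tsk->real_parent), ns);
- rcu_read_unlock();
-
- return pid;
-}
-
-static inline pid_t task_ppid_nr(const struct task_struct *tsk)
-{
- return task_ppid_nr_ns(tsk, &init_pid_ns);
-}
 
 static inline pid_t task_pgrp_nr_ns(struct task_struct *tsk,
 struct pid_namespace *ns)
@@ -2181,6 +2158,33 @@ static inline pid_t task_session_vnr(str
 return __task_pid_nr_ns(tsk, PIDTYPE_SID, NULL);
 }
 
+static inline pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
+{
+ return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, ns);
+}
+
+static inline pid_t task_tgid_vnr(struct task_struct *tsk)
+{
+ return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, NULL);
+}
+
+static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)
+{
+ pid_t pid = 0;
+
+ rcu_read_lock();
+ if (pid_alive(tsk))
+ pid = task_tgid_nr_ns(rcu_dereference(tsk->real_parent), ns);
+ rcu_read_unlock();
+
+ return pid;
+}
+
+static inline pid_t task_ppid_nr(const struct task_struct *tsk)
+{
+ return task_ppid_nr_ns(tsk, &init_pid_ns);
+}
+
 /* obsolete, do not use */
 static inline pid_t task_pgrp_nr(struct task_struct *tsk)
 {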
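Review bot: The new inline `task_tgid_nr_ns()` and `task_tgid_vnr()` carry no comment explaining why they go through `__task_pid_nr_ns()` rather than `task_tgid()`, which is the entire point of the change; a reader of sched.h alone will not see the `group_leader` lifetime problem described in the commit message. A short note above `task_tgid_nr_ns()`, such as `/* safe after exit_notify(): __task_pid_nr_ns() checks pid_alive() under RCU before following group_leader */`, would keep that reasoning next to the code. The relocated `task_ppid_nr_ns()` is unchanged apart from its position; its own `rcu_read_lock()` is still needed for `rcu_dereference(tsk->real_parent)` and is not made redundant by the read-side lock inside `__task_pid_nr_ns()`.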
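--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -526,8 +526,11 @@ pid_t __task_pid_nr_ns(struct task_struc
 if (!ns)
 ns = task_active_pid_ns(current);
 if (likely(pid_alive(task))) {
- if (type != PIDTYPE_PID)
+ if (type != PIDTYPE_PID) {
+ if (type == __PIDTYPE_TGID)
+ type = PIDTYPE_PID;
 task = task->group_leader;
+ }
 nr = pid_nr_ns(rcu_dereference(task->pids[type].pid), ns);
 }
 rcu_read_unlock();
@@ -536,12 +539,6 @@ pid_t __task_pid_nr_ns(struct task_struc
 }
 EXPORT_SYMBOL(__task_pid_nr_ns);
 
-pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)
-{
- return pid_nr_ns(task_tgid(tsk), ns);
-}
-EXPORT_SYMBOL(task_tgid_nr_ns);
-
 struct pid_namespace *task_active_pid_ns(struct task_struct *tsk)
 {
 return ns_of_pid(task_pid(tsk));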
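Review bot: The `__PIDTYPE_TGID` to `PIDTYPE_PID` rewrite sits directly above the `task->pids[type]` index with nothing saying that this is what keeps the pseudo-type out of the array, nor that the tgid is by definition the group leader's own pid; a one-liner above the inner `if`, `/* tgid is the group leader's own pid; __PIDTYPE_TGID must not reach pids[] */`, would tie the code to the restriction stated in pid.h. Separately, dropping `EXPORT_SYMBOL(task_tgid_nr_ns)` in the second hunk removes that symbol from the export table, so an out-of-tree module built against an earlier 4.9.y release would presumably fail to load until rebuilt against these headers; for a stable backport that deserves a sentence in the changelog. `__task_pid_nr_ns()` begins before the first hunk, and its remaining body after `rcu_read_unlock()` lies outside it.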