kernel_samsung_a53x/drivers
Yi Yang 2122b9fb3e tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
[ Upstream commit 11e7f27b79757b6586645d87b95d5b78375ecdfc ]

There is a pid leakage:
------------------------------
unreferenced object 0xffff88810c181940 (size 224):
  comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
    ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
  backtrace:
    [<ffffffff814774e6>] kmem_cache_alloc+0x5c6/0x9b0
    [<ffffffff81177342>] alloc_pid+0x72/0x570
    [<ffffffff81140ac4>] copy_process+0x1374/0x2470
    [<ffffffff81141d77>] kernel_clone+0xb7/0x900
    [<ffffffff81142645>] __se_sys_clone+0x85/0xb0
    [<ffffffff8114269b>] __x64_sys_clone+0x2b/0x30
    [<ffffffff83965a72>] do_syscall_64+0x32/0x80
    [<ffffffff83a00085>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

It turns out that there is a race condition between disassociate_ctty() and
tty_signal_session_leader(), which caused this leakage.

The pid memleak is triggered by the following race:
task[sshd]                     task[bash]
-----------------------        -----------------------
                               disassociate_ctty();
                               spin_lock_irq(&current->sighand->siglock);
                               put_pid(current->signal->tty_old_pgrp);
                               current->signal->tty_old_pgrp = NULL;
                               tty = tty_kref_get(current->signal->tty);
                               spin_unlock_irq(&current->sighand->siglock);
tty_vhangup();
tty_lock(tty);
...
tty_signal_session_leader();
spin_lock_irq(&p->sighand->siglock);
...
if (tty->ctrl.pgrp) //tty->ctrl.pgrp is not NULL
p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp); //An extra get
spin_unlock_irq(&p->sighand->siglock);
...
tty_unlock(tty);
                               if (tty) {
                                   tty_lock(tty);
                                   ...
                                   put_pid(tty->ctrl.pgrp);
                                   tty->ctrl.pgrp = NULL; //It's too late
                                   ...
                                   tty_unlock(tty);
                               }

The issue is believed to be introduced by commit c8bcd9c5be24 ("tty:
Fix ->session locking"), which moves the unlock of siglock in
disassociate_ctty() above "if (tty)", making a small window allowing
tty_signal_session_leader() to kick in. It can be easily reproduced by
adding a delay before "if (tty)" and at the entrance of
tty_signal_session_leader().

To fix this issue, we move "put_pid(current->signal->tty_old_pgrp)" after
"tty->ctrl.pgrp = NULL".

Fixes: c8bcd9c5be24 ("tty: Fix ->session locking")
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Co-developed-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20230831023329.165737-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-18 11:43:05 +01:00
accessibility Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
acpi ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() 2024-11-18 11:42:50 +01:00
amba Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
android binder_alloc: Disable debug logging by default 2024-11-17 17:43:54 +01:00
ata ata: libata-eh: Fix compilation warning in ata_eh_link_report() 2024-11-08 11:26:16 +01:00
atm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
auxdisplay Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
base regmap: debugfs: Fix a erroneous check after snprintf() 2024-11-18 11:42:53 +01:00
battery drivers: battery_v2: sec_battery: export {CURRENT/VOLTAGE}_MAX to sysfs 2024-11-17 17:43:14 +01:00
bcma Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
block zram: use copy_page for full page copy 2024-11-17 17:41:38 +01:00
bluetooth Bluetooth: vhci: Fix race when opening vhci device 2024-11-08 11:26:08 +01:00
bts Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
bus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
cdrom Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
char hwrng: geode - fix accessing registers 2024-11-18 11:43:02 +01:00
clk clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped 2024-11-18 11:43:02 +01:00
clocksource Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
connector Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
counter counter: microchip-tcb-capture: Fix the use of internal GCLK logic 2024-11-08 11:25:51 +01:00
cpufreq s5e8825: Tuning 2024-10-17 12:50:20 -03:00
cpuidle Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
crypto crypto: qat - increase size of buffers 2024-11-18 11:43:03 +01:00
dax Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dca Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
devfreq PM / devfreq: rockchip-dfi: Make pmu regmap mandatory 2024-11-18 11:42:49 +01:00
dio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dma dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe 2024-11-18 10:58:46 +01:00
dma-buf Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
edac Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
eisa Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
extcon Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fingerprint Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
firewire Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
firmware firmware: ti_sci: Mark driver as non removable 2024-11-18 11:43:02 +01:00
fpga Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fsi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gnss Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gpio gpio: vf610: set value before the direction to avoid a glitch 2024-11-08 11:26:20 +01:00
gpu drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map() 2024-11-18 11:42:55 +01:00
greybus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gud Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hid HID: logitech-hidpp: Move get_wireless_feature_index() check to hidpp_connect_event() 2024-11-18 11:43:04 +01:00
hsi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hv Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hwmon hwmon: (coretemp) Fix potentially truncated sysfs attribute name 2024-11-18 11:42:55 +01:00
hwspinlock Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hwtracing Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
i2c i2c: aspeed: Fix i2c bus hang in slave read 2024-11-18 10:58:31 +01:00
i3c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ide Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
idle Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ifconn Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
iio iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds 2024-11-18 10:58:32 +01:00
infiniband RDMA/hfi1: Workaround truncation compilation error 2024-11-18 11:43:04 +01:00
input Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport 2024-11-18 10:58:46 +01:00
interconnect Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
iommu iommu/samsung: Disable fault reporting by default 2024-11-17 17:44:13 +01:00
ipack Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
irqchip irqchip/stm32-exti: add missing DT IRQ flag translation 2024-11-18 10:58:46 +01:00
isdn Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
kperfmon Kperfmon: add xyunbound version 2024-06-15 16:28:49 -03:00
kq/mesh Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
leds leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' 2024-11-18 11:43:05 +01:00
lightnvm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
macintosh Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mailbox Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mcb mcb-lpc: Reallocate memory region to avoid memory overlapping 2024-11-18 10:58:28 +01:00
md Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
media mfc: Reduce QoS boosting from Samsung hacks 2024-11-17 17:43:58 +01:00
memory Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
memstick Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
message Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mfd mfd: dln2: Fix double put in dln2_probe 2024-11-18 11:43:04 +01:00
misc misc: fastrpc: Clean buffers on remote invocation failures 2024-11-18 10:58:31 +01:00
mmc mmc: renesas_sdhi: use custom mask for TMIO_MASK_ALL 2024-11-18 10:58:28 +01:00
most Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mtd mtd: physmap-core: Restore map_rom fallback 2024-11-08 11:26:18 +01:00
muic Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
mux Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net ipvlan: properly track tx_errors 2024-11-18 11:42:52 +01:00
nfc drivers/nfc_logger: Fix implicit int 2024-06-15 16:28:48 -03:00
ntb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nubus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
nvdimm nd_btt: Make BTT lanes preemptible 2024-11-18 11:43:03 +01:00
nvme nvme-rdma: do not try to stop unallocated queues 2024-11-08 11:26:19 +01:00
nvmem nvmem: imx: correct nregs for i.MX6UL 2024-11-18 10:58:31 +01:00
of Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
opp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
oprofile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
parisc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
parport Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pci PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device 2024-11-18 10:58:47 +01:00
pcmcia Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
perf perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 2024-11-08 11:24:52 +01:00
phy phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins 2024-11-08 11:26:20 +01:00
pinctrl Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" 2024-11-08 11:26:19 +01:00
platform platform/x86: wmi: Fix opening of char device 2024-11-18 11:42:54 +01:00
pnp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
power Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
powercap Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pps Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ps3 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ptp Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pwm Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rapidio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ras Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
regulator regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" 2024-11-08 11:26:17 +01:00
remoteproc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
reset Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
rpmsg rpmsg: Fix possible refcount leak in rpmsg_register_device_override() 2024-11-18 10:58:46 +01:00
rtc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
s390 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
samsung Fix clang 16 errors treewide 2024-06-15 16:28:48 -03:00
sbus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
scsi scsi: ufs: core: Leave space for '\0' in utf8 desc string 2024-11-18 11:43:03 +01:00
sensorhub treewide: fix build errors 2024-06-15 16:21:17 -03:00
sensors Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sfi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sh Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
siox Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
slimbus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
soc soc: qcom: llcc: Handle a second device without data corruption 2024-11-18 11:43:02 +01:00
soundwire Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spi spi: nxp-fspi: use the correct ioremap function 2024-11-18 11:42:53 +01:00
spmi Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
spu_verify Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
ssb Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
staging Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
sti Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
target Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tc Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tee tee: amdtee: fix use-after-free vulnerability in amdtee_close_session 2024-11-08 11:25:50 +01:00
thermal thermal: core: prevent potential string overflow 2024-11-18 11:42:50 +01:00
thunderbolt thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge 2024-11-08 11:26:11 +01:00
tty tty: tty_jobctrl: fix pid memleak in disassociate_ctty() 2024-11-18 11:43:05 +01:00
uh Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
uio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
usb usb: raw-gadget: properly handle interrupted requests 2024-11-18 10:58:48 +01:00
vdpa Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vfio Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vhost Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vibrator Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
video fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() 2024-11-18 10:58:46 +01:00
virt Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
virtio virtio-mmio: fix memory leak of vm_dev 2024-11-18 10:58:28 +01:00
vision Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vision3 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
visorbus Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vlynq Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
vme Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
w1 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
watchdog Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xen xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled 2024-11-18 11:42:55 +01:00
zorro Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Kconfig drivers: add stub kperfmon 2024-06-15 16:28:49 -03:00
Kconfig.variant1 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile drivers: add stub kperfmon 2024-06-15 16:28:49 -03:00
Makefile.variant1 Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00