On Tue, Sep 27, 2005 at 07:53:30AM -0700, Linus Torvalds wrote: > On Sun, 25 Sep 2005, Harald Welte wrote: > > > > async_completed() calls send_sig_info(), which in turn does a > > spin_lock(&tasklist_lock) to protect itself from task_struct->sighand > > from going away. However, the call to > > "spin_lock_irqsave(task_struct->sighand->siglock)" causes an oops, > > because "sighand" has disappeared. > > And the real bug is that you're buggering up the system in the first > place. > > You don't save "current". You save "pid", and then you send a signal using > that and kill_proc_info(). End of story, bug gone. And it works with > threaded programs too, which the old thing didn't work at all with. And then a process calls USBDEVFS_SUBMITURB and immediately exits; its pid gets reused by a completely different process (maybe even root-owned), then the urb completes, and kill_proc_info() sends the signal to the unsuspecting process. > I refuse to apply this patch - Greg, don't even _try_ to sneak this in > through a git merge. What a horribly broken thing to do: why would USB > _ever_ need to know about things like tasklist_lock, and internal signal > handling functions and rules like "p->sighand"? Hmm, then probably send_sig_info() should check for non-NULL p->sighand after taking tasklist_lock? Otherwise all uses of send_sig_info() for non-current tasks are unsafe. "git grep -w send_sig_info" shows that most callers call send_sig_info() for the current task, except these: arch/sparc/kernel/traps.c: send_sig_info(SIGFPE, &info, fpt); arch/sparc64/kernel/sys_sunos32.c: send_sig_info(SIGSYS, &info, current); drivers/char/drm/drm_irq.c: send_sig_info( vbl_sig->info.si_signo, &vbl_sig->info, vbl_sig->task ); drivers/usb/core/devio.c: send_sig_info(as->signr, &sinfo, as->task); drivers/usb/core/inode.c: send_sig_info(ds->discsignr, &sinfo, ds->disctask); drivers/usb/gadget/file_storage.c: send_sig_info(SIGUSR1, SEND_SIG_FORCED, thread_task); kernel/signal.c: return send_sig_info(sig, (void*)(long)(priv != 0), p); BTW, all other callers of send_sig_info() are under arch/{alpha,arm,sparc,sparc64}/ - 23 total.
Attachment:
pgpH9ksTo11fN.pgp
Description: PGP signature
- Follow-Ups:
- References:
- [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
- From: Harald Welte <[email protected]>
- Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
- From: Linus Torvalds <[email protected]>
- [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
- Prev by Date: Re: [patch 0/4] ide: Break ide_lock to per-hwgroup lock
- Next by Date: Re: Fw: Re: 2.6.14-rc2-mm1 ide problems on AMD64
- Previous by thread: Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
- Next by thread: Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
- Index(es):