system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-07-01 07:55:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,280,677 Commits 6 Branches 843 Tags 5.8 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
4f2a129b33
Go to file
Jann Horn 4f2a129b33 drm/drm_file: Fix pid refcounting race 
<maarten.lankhorst@linux.intel.com>, Maxime Ripard
<mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de>

filp->pid is supposed to be a refcounted pointer; however, before this
patch, drm_file_update_pid() only increments the refcount of a struct
pid after storing a pointer to it in filp->pid and dropping the
dev->filelist_mutex, making the following race possible:

process A               process B
=========               =========
                        begin drm_file_update_pid
                        mutex_lock(&dev->filelist_mutex)
                        rcu_replace_pointer(filp->pid, <pid B>, 1)
                        mutex_unlock(&dev->filelist_mutex)
begin drm_file_update_pid
mutex_lock(&dev->filelist_mutex)
rcu_replace_pointer(filp->pid, <pid A>, 1)
mutex_unlock(&dev->filelist_mutex)
get_pid(<pid A>)
synchronize_rcu()
put_pid(<pid B>)   *** pid B reaches refcount 0 and is freed here ***
                        get_pid(<pid B>)   *** UAF ***
                        synchronize_rcu()
                        put_pid(<pid A>)

As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y
because it requires RCU to detect a quiescent state in code that is not
explicitly calling into the scheduler.

This race leads to use-after-free of a "struct pid".
It is probably somewhat hard to hit because process A has to pass
through a synchronize_rcu() operation while process B is between
mutex_unlock() and get_pid().

Fix it by ensuring that by the time a pointer to the current task's pid
is stored in the file, an extra reference to the pid has been taken.

This fix also removes the condition for synchronize_rcu(); I think
that optimization is unnecessary complexity, since in that case we
would usually have bailed out on the lockless check above.

Fixes: 1c7a387ffe ("drm: Update file owner during use")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2024-06-28 08:56:26 +10:00
arch - fix lseek in o32 compat mode 2024-06-23 07:20:02 -07:00
block block: unmap and free user mapped integrity via submitter 2024-06-12 11:00:50 -06:00
certs kbuild: use $(src) instead of $(srctree)/$(src) for source directory 2024-05-10 04:34:52 +09:00
crypto This push fixes a bug in the new ecc P521 code as well as a buggy 2024-05-20 08:47:54 -07:00
Documentation The core gains placeholders for recently added functions when CONFIG_I2C 2024-06-23 11:06:01 -04:00
drivers drm/drm_file: Fix pid refcounting race 2024-06-28 08:56:26 +10:00
fs Five smb3 client fixes 2024-06-23 11:01:57 -04:00
include The core gains placeholders for recently added functions when CONFIG_I2C 2024-06-23 11:06:01 -04:00
init gcc: disable '-Warray-bounds' for gcc-9 2024-06-15 10:43:04 -07:00
io_uring io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed 2024-06-20 06:51:56 -06:00
ipc Mainly singleton patches, documented in their respective changelogs. 2024-05-19 14:02:03 -07:00
kernel Including fixes from wireless, bpf and netfilter. 2024-06-20 10:49:50 -07:00
lib bcachefs fixes for 6.10-rc5 2024-06-22 09:02:39 -07:00
LICENSES LICENSES: Add the copyleft-next-0.3.1 license 2022-11-08 15:44:01 +01:00
mm memblock: fix fragility in checks for unset node ID 2024-06-23 10:32:24 -04:00
net nfsd-6.10 fixes: 2024-06-22 13:55:56 -07:00
rust rust: avoid unused import warning in rusttest 2024-06-11 23:33:28 +02:00
samples tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
scripts Kbuild fixes for v6.10 (second) 2024-06-08 10:12:33 -07:00
security lsm/stable-6.10 PR 20240617 2024-06-17 18:35:12 -07:00
sound ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE 2024-06-21 12:04:19 +02:00
tools ARM: 2024-06-22 07:41:57 -07:00
usr kbuild: use $(src) instead of $(srctree)/$(src) for source directory 2024-05-10 04:34:52 +09:00
virt KVM fixes for 6.10 2024-06-21 08:03:55 -04:00
.clang-format clang-format: Update with v6.7-rc4's for_each macro list 2023-12-08 23:54:38 +01:00
.cocciconfig
.editorconfig .editorconfig: remove trim_trailing_whitespace option 2024-06-13 16:47:52 +02:00
.get_maintainer.ignore Add Jeff Kirsher to .get_maintainer.ignore 2024-03-08 11:36:54 +00:00
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore kbuild: create a list of all built DTB files 2024-02-19 18:20:39 +09:00
.mailmap bpf-for-netdev 2024-06-14 17:57:10 -07:00
.rustfmt.toml
COPYING
CREDITS MAINTAINERS: Drop Gustavo Pimentel as PCI DWC Maintainer 2024-03-27 13:41:02 -05:00
Kbuild Kbuild updates for v6.1 2022-10-10 12:00:45 -07:00
Kconfig
MAINTAINERS ARM: 2024-06-22 07:41:57 -07:00
Makefile Linux 6.10-rc5 2024-06-23 17:08:54 -04:00
README README: Fix spelling 2024-03-18 03:36:32 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.