Re: [linux-yocto][v5.4/standard/preempt-rt/base][PATCH] signal: Prevent double-free of user struct

[Bruce Ashfield]

In message: [linux-yocto][v5.4/standard/preempt-rt/base][PATCH] signal: Prevent 
double-free of user struct
on 17/08/2020 Yongxin Liu wrote:

> From: Matt Fleming <m...@codeblueprint.co.uk>
> 
> commit 9567db2ebe566a93485e1a27d8759969d0002d7a in linux-rt-devel.

Normally I'd pick this up when the 5.4 rt stable was updated ..
but that has been happening a bit slowly lately. So I've gone
ahead and merged the change.

SRCREV bumps will happen with my next round of 5.4-stable updates

Bruce

> 
> The way user struct reference counting works changed significantly with,
> 
>   fda31c50292a ("signal: avoid double atomic counter increments for user 
> accounting")
> 
> Now user structs are only freed once the last pending signal is
> dequeued. Make sigqueue_free_current() follow this new convention to
> avoid freeing the user struct multiple times and triggering this
> warning:
> 
>  refcount_t: underflow; use-after-free.
>  WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 
> refcount_dec_not_one+0x45/0x50
>  Call Trace:
>   refcount_dec_and_lock_irqsave+0x16/0x60
>   free_uid+0x31/0xa0
>   __dequeue_signal+0x17c/0x190
>   dequeue_signal+0x5a/0x1b0
>   do_sigtimedwait+0x208/0x250
>   __x64_sys_rt_sigtimedwait+0x6f/0xd0
>   do_syscall_64+0x72/0x200
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> Signed-off-by: Matt Fleming <m...@codeblueprint.co.uk>
> Reported-by: Daniel Wagner <w...@monom.org>
> Signed-off-by: Sebastian Andrzej Siewior <bige...@linutronix.de>
> Signed-off-by: Yongxin Liu <yongxin....@windriver.com>
> ---
>  kernel/signal.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 96d80e60e72e..710e079abf01 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -496,8 +496,8 @@ static void sigqueue_free_current(struct sigqueue *q)
>  
>       up = q->user;
>       if (rt_prio(current->normal_prio) && !put_task_cache(current, q)) {
> -             atomic_dec(&up->sigpending);
> -             free_uid(up);
> +             if (atomic_dec_and_test(&up->sigpending))
> +                     free_uid(up);
>       } else
>                 __sigqueue_free(q);
>  }
> -- 
> 2.14.4
> 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#8972): 
https://lists.yoctoproject.org/g/linux-yocto/message/8972
Mute This Topic: https://lists.yoctoproject.org/mt/76240226/21656
Group Owner: linux-yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/linux-yocto/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-