From: "yiyang (D)"
To: "gregkh@linuxfoundation.org", "jirislaby@kernel.org"
CC: "jannh@google.com", "linux-kernel@vger.kernel.org", "Fengtao (fengtao, Euler)", "Guozihua (Scott)"
Subject: RE: [PATCH RFC] tty: tty_jobctrl: fix pid memleak in tty_signal_session_leader()
Date: Mon, 10 Jul 2023 07:23:57 +0000
References: <20230703080323.76548-1-yiyang13@huawei.com>
In-Reply-To: <20230703080323.76548-1-yiyang13@huawei.com>

Ping

-----Original Message-----
From: yiyang (D)
Sent: 3 July 2023 16:03
To: gregkh@linuxfoundation.org; jirislaby@kernel.org
Cc: jannh@google.com; linux-kernel@vger.kernel.org; Fengtao (fengtao, Euler); Guozihua (Scott); yiyang (D)
Subject: [PATCH RFC] tty: tty_jobctrl: fix pid memleak in tty_signal_session_leader()

There is a leaked pid in tty.

unreferenced object 0xffff889362619440 (size 112):
  comm "sudo", pid 3603376, jiffies 4462415649 (age 71614.172s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 0f 00 40 da  ..............@.
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000fd13ed06>] alloc_pid+0x85/0x6b0
    [<000000007c449cf0>] copy_process+0xf60/0x2840
    [<000000008c3ae147>] kernel_clone+0x11a/0x510
    [<000000005d9b1265>] __se_sys_clone+0xcd/0x110
    [<000000009d4d672e>] do_syscall_64+0x33/0x40
    [<000000002fc0b8b9>] entry_SYSCALL_64_after_hwframe+0x61/0xc6

A race condition between disassociate_ctty() and tty_signal_session_leader()
was found, which would cause a leakage of tty_old_pgrp. The race condition is
described as follows:

CPU1:                                              CPU2:
disassociate_ctty() {
  ...
  spin_lock_irq(&current->sighand->siglock);
  put_pid(current->signal->tty_old_pgrp);
  current->signal->tty_old_pgrp = NULL;
  tty = tty_kref_get(current->signal->tty);
  spin_unlock_irq(&current->sighand->siglock);
                                                   tty_signal_session_leader() {
                                                     spin_lock_irq(&p->sighand->siglock);
                                                     ...
                                                     spin_lock(&tty->ctrl_lock);
                                                     tty_pgrp = get_pid(tty->pgrp);
                                                     if (tty->pgrp)
                                 An extra get>>        p->signal->tty_old_pgrp = get_pid(tty->pgrp);
                                                     spin_unlock(&tty->ctrl_lock);
                                                     spin_unlock_irq(&p->sighand->siglock);
                                                   }
  if (tty) {
    tty_lock(tty);
    spin_lock_irqsave(&tty->ctrl_lock, flags);
    ...
    tty->pgrp = NULL;
    spin_unlock_irqrestore(&tty->ctrl_lock, flags);
    tty_unlock(tty);
    tty_kref_put(tty);
  }
}

The issue is believed to be introduced by commit c8bcd9c5be24 ("tty: Fix
->session locking"), which moves the unlock of siglock in disassociate_ctty()
above "if (tty)", making a small window allowing tty_signal_session_leader()
to kick in. It can be easily reproduced by adding a delay before "if (tty)".

To fix this issue, we check whether the session leader is exiting before
assigning a new tty_old_pgrp.

Fixes: c8bcd9c5be24 ("tty: Fix ->session locking")
Signed-off-by: Yi Yang
Co-developed-by: GUO Zihua
Signed-off-by: GUO Zihua
---
 drivers/tty/tty_jobctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c
index 0d04287da098..f9a144aaedfc 100644
--- a/drivers/tty/tty_jobctrl.c
+++ b/drivers/tty/tty_jobctrl.c
@@ -220,7 +220,7 @@ int tty_signal_session_leader(struct tty_struct *tty, int exit_session)
 		put_pid(p->signal->tty_old_pgrp); /* A noop */
 		spin_lock(&tty->ctrl.lock);
 		tty_pgrp = get_pid(tty->ctrl.pgrp);
-		if (tty->ctrl.pgrp)
+		if (tty->ctrl.pgrp && !(p->flags & PF_EXITING))
 			p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp);
 		spin_unlock(&tty->ctrl.lock);
-- 
2.17.1
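Review bot: the new condition `if (tty->ctrl.pgrp && !(p->flags & PF_EXITING))` only closes the window for a session leader that already has PF_EXITING set, yet the description never states that disassociate_ctty() is reached only from the exit path; if disassociate_ctty() has any caller that runs before PF_EXITING is set, the interleaving shown in the diagram is still possible for that caller, so the commit message should either justify that PF_EXITING covers every path into disassociate_ctty() or the fix should live in disassociate_ctty() itself (for example, re-checking and dropping a tty_old_pgrp reference acquired in the window once tty->ctrl.pgrp has been cleared under ctrl.lock). The description and diagram also refer to tty->ctrl_lock and tty->pgrp while the hunk operates on tty->ctrl.lock and tty->ctrl.pgrp; please update the text to match the code being patched. Finally, the new test deserves a one-line comment explaining why an exiting leader must not be handed a fresh tty_old_pgrp reference (it has already dropped its own and will not put it again), since the existing `/* A noop */` comment above no longer tells the whole story and a future reader will otherwise not understand why PF_EXITING matters here.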