From 5cbee2fa5de964083d6d9a2d4898615227393a9d Mon Sep 17 00:00:00 2001 From: Oleg Nesterov Date: Mon, 9 Jan 2017 20:26:14 -0800 Subject: Use after free from pid_nr_ns() There is use after free reported due to group leader task is already freed but other tasks are still holding the group leader task address in task->group_leader pointer. pid_nr_ns+0x10/0x38 cgroup_pidlist_start+0x144/0x400 cgroup_seqfile_start+0x1c/0x24 kernfs_seq_start+0x54/0x90 seq_read+0x15c/0x3a8 kernfs_fop_read+0x38/0x160 __vfs_read+0x28/0xc8 vfs_read+0x84/0xfc Change-Id: Ib6b3fc75bf0d24a04455bf81d54900c21c434958 Signed-off-by: Oleg Nesterov Signed-off-by: Prasad Sodagudi --- include/linux/pid.h | 4 +++- include/linux/sched.h | 19 +++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) (limited to 'include/linux') diff --git a/include/linux/pid.h b/include/linux/pid.h index 23705a53abba..97b745ddece5 100644 --- a/include/linux/pid.h +++ b/include/linux/pid.h @@ -8,7 +8,9 @@ enum pid_type PIDTYPE_PID, PIDTYPE_PGID, PIDTYPE_SID, - PIDTYPE_MAX + PIDTYPE_MAX, + /* only valid to __task_pid_nr_ns() */ + __PIDTYPE_TGID }; /* diff --git a/include/linux/sched.h b/include/linux/sched.h index 0d1d21e9f081..858c975b2487 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -2109,15 +2109,8 @@ static inline pid_t task_tgid_nr(struct task_struct *tsk) return tsk->tgid; } -pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns); - -static inline pid_t task_tgid_vnr(struct task_struct *tsk) -{ - return pid_vnr(task_tgid(tsk)); -} - - static inline int pid_alive(const struct task_struct *p); +static inline pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns); static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns) { pid_t pid = 0; @@ -2158,6 +2151,16 @@ static inline pid_t task_session_vnr(struct task_struct *tsk) return __task_pid_nr_ns(tsk, PIDTYPE_SID, NULL); } +static inline pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns) +{ + return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, ns); +} + +static inline pid_t task_tgid_vnr(struct task_struct *tsk) +{ + return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, NULL); +} + /* obsolete, do not use */ static inline pid_t task_pgrp_nr(struct task_struct *tsk) { -- cgit v1.2.3