Bugzilla – Attachment 53881 Details for
Bug 127916
kernel crash at (de)registration of USB device
[patch]
usbdevio-1.patch
usbdevio-1.patch (text/plain), 7.63 KB, created by
Olaf Hering
on 2005-10-12 21:08:43 UTC
>Date: Mon, 10 Oct 2005 18:59:25 -0700
>Message-Id: <200510110159.j9B1xPPA025186@hera.kernel.org>
>From: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
>To: git-commits-head@vger.kernel.org
>Subject: [PATCH] Fix signal sending in usbdevio on async URB completion
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>X-Git-Commit: 46113830a18847cff8da73005e57bc49c2f95a56
>X-Git-Parent: 094804c5a132f04c12dd4902ee15c64362e5c1af
>X-Virus-Status: Clean
>Sender: git-commits-head-owner@vger.kernel.org
>Precedence: bulk
>X-Mailing-List: git-commits-head@vger.kernel.org
>X-Virus-Scanned: by amavisd-new at Relay1.suse.de
>X-Spam-Status: No, hits=-1.0 tagged_above=-20.0 required=5.0 tests=BAYES_50,
>	MY_LINUX
>X-Spam-Level:
>X-my-mailinglist-tag: git-commits-head.vger.kernel.org
>
>tree 93946fc290d9481e7055217ff497583647d1e4d4
>parent 094804c5a132f04c12dd4902ee15c64362e5c1af
>author Harald Welte <laforge@gnumonks.org> Mon, 10 Oct 2005 19:44:29 +0200
>committer Linus Torvalds <torvalds@g5.osdl.org> Tue, 11 Oct 2005 06:16:33 -0700
>
>[PATCH] Fix signal sending in usbdevio on async URB completion
>
>If a process issues an URB from userspace and (starts to) terminate
>before the URB comes back, we run into the issue described above. This
>is because the urb saves a pointer to "current" when it is posted to the
>device, but there's no guarantee that this pointer is still valid
>afterwards.
>
>In fact, there are three separate issues:
>
>1) the pointer to "current" can become invalid, since the task could be
>   completely gone when the URB completion comes back from the device.
>
>2) Even if the saved task pointer is still pointing to a valid task_struct,
>   task_struct->sighand could have gone meanwhile.
>
>3) Even if the process is perfectly fine, permissions may have changed,
>   and we can no longer send it a signal.
>
>So what we do instead, is to save the PID and uid's of the process, and
>introduce a new kill_proc_info_as_uid() function.
>
>Signed-off-by: Harald Welte <laforge@gnumonks.org>
>[ Fixed up types and added symbol exports ]
>Signed-off-by: Linus Torvalds <torvalds@osdl.org> > > drivers/usb/core/devio.c | 12 +++++++++--- > include/linux/sched.h | 1 + > kernel/signal.c | 34 ++++++++++++++++++++++++++++++++++ > 3 files changed, 44 insertions(+), 3 deletions(-) > >diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c >--- a/drivers/usb/core/devio.c >+++ b/drivers/usb/core/devio.c >@@ -30,6 +30,8 @@ > * Revision history > * 22.12.1999 0.1 Initial release (split from proc_usb.c) > * 04.01.2000 0.2 Turned into its own filesystem >+ * 30.09.2005 0.3 Fix user-triggerable oops in async URB delivery >+ * (CAN-2005-3055) > */ > > /*****************************************************************************/ >@@ -58,7 +60,8 @@ static struct class *usb_device_class; > struct async { > struct list_head asynclist; > struct dev_state *ps; >- struct task_struct *task; >+ pid_t pid; >+ uid_t uid, euid; > unsigned int signr; > unsigned int ifnum; > void __user *userbuffer; >@@ -290,7 +293,8 @@ static void async_completed(struct urb * > sinfo.si_errno = as->urb->status; > sinfo.si_code = SI_ASYNCIO; > sinfo.si_addr = as->userurb; >- send_sig_info(as->signr, &sinfo, as->task); >+ kill_proc_info_as_uid(as->signr, &sinfo, as->pid, as->uid, >+ as->euid); > } > wake_up(&ps->wait); > } >@@ -988,7 +992,9 @@ static int proc_do_submiturb(struct dev_ > as->userbuffer = NULL; > as->signr = uurb->signr; > as->ifnum = ifnum; >- as->task = current; >+ as->pid = current->pid; >+ as->uid = current->uid; >+ as->euid = current->euid; > if (!(uurb->endpoint & USB_DIR_IN)) { > if (copy_from_user(as->urb->transfer_buffer, uurb->buffer, as->urb->transfer_buffer_length)) { > free_async(as); >diff --git a/include/linux/sched.h b/include/linux/sched.h >--- a/include/linux/sched.h >+++ b/include/linux/sched.h 
>@@ -1018,6 +1018,7 @@ extern int force_sig_info(int, struct si > extern int __kill_pg_info(int sig, struct siginfo *info, pid_t pgrp); > extern int kill_pg_info(int, struct siginfo *, pid_t); > extern int kill_proc_info(int, struct siginfo *, pid_t); >+extern int kill_proc_info_as_uid(int, struct siginfo *, pid_t, uid_t, uid_t); > extern void do_notify_parent(struct task_struct *, int); > extern void force_sig(int, struct task_struct *); > extern void force_sig_specific(int, struct task_struct *); >diff --git a/kernel/signal.c b/kernel/signal.c >--- a/kernel/signal.c >+++ b/kernel/signal.c >@@ -1193,6 +1193,40 @@ kill_proc_info(int sig, struct siginfo * > return error; > } > >+/* like kill_proc_info(), but doesn't use uid/euid of "current" */ >+int kill_proc_info_as_uid(int sig, struct siginfo *info, pid_t pid, >+ uid_t uid, uid_t euid) >+{ >+ int ret = -EINVAL; >+ struct task_struct *p; >+ >+ if (!valid_signal(sig)) >+ return ret; >+ >+ read_lock(&tasklist_lock); >+ p = find_task_by_pid(pid); >+ if (!p) { >+ ret = -ESRCH; >+ goto out_unlock; >+ } >+ if ((!info || ((unsigned long)info != 1 && >+ (unsigned long)info != 2 && SI_FROMUSER(info))) >+ && (euid != p->suid) && (euid != p->uid) >+ && (uid != p->suid) && (uid != p->uid)) { >+ ret = -EPERM; >+ goto out_unlock; >+ } >+ if (sig && p->sighand) { >+ unsigned long flags; >+ spin_lock_irqsave(&p->sighand->siglock, flags); >+ ret = __group_send_sig_info(sig, info, p); >+ spin_unlock_irqrestore(&p->sighand->siglock, flags); >+ } >+out_unlock: >+ read_unlock(&tasklist_lock); >+ return ret; >+} >+EXPORT_SYMBOL_GPL(kill_proc_info_as_uid); > > /* > * kill_something_info() interprets pid in interesting ways just like kill(2). >- >To unsubscribe from this list: send the line "unsubscribe git-commits-head" in >the body of a message to majordomo@vger.kernel.org >More majordomo info at http://vger.kernel.org/majordomo-info.html >
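Review bot: In the struct async hunk of drivers/usb/core/devio.c, storing a bare "pid_t pid" in place of the task pointer leaves a PID-reuse window. If the submitting process exits and its PID is recycled before the URB completes, find_task_by_pid(pid) in kill_proc_info_as_uid() resolves to an unrelated task. The uid/euid comparison only blocks delivery when the new owner of that PID belongs to a different user, so another process of the same user can still receive as->signr. Consider keeping a counted reference to the submitter's identity instead of the number, or dropping the pending signal request when the device file is released, and note the remaining window in a comment next to the new fields.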
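Review bot: In the async_completed() hunk, the return value of kill_proc_info_as_uid() is discarded, so -ESRCH (submitter gone) and -EPERM (credentials no longer match) look the same as a delivered signal. Both outcomes are expected after this change, so a one-line comment saying the result is ignored on purpose, or a debug-level message on failure, would make lost completion signals diagnosable.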
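Review bot: In the proc_do_submiturb() hunk, "as->pid = current->pid;" records the ID of the submitting thread, while the new helper delivers with __group_send_sig_info(), which targets the whole thread group. If a non-leader thread submits the URB and exits before completion, find_task_by_pid() fails with -ESRCH even though the process is alive and still holds the file open. If process-directed delivery is the intent, capturing current->tgid here looks like the better match; otherwise please state in a comment that the signal is tied to the lifetime of the submitting thread.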
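Review bot: In kill_proc_info_as_uid() in kernel/signal.c, ret is initialised to -EINVAL and only reassigned inside "if (sig && p->sighand)", so two non-error cases report -EINVAL: a valid sig of 0 used as an existence and permission probe, and a task whose sighand is already gone. Set ret = 0 once the permission check has passed (or return -ESRCH when p->sighand is NULL) so callers can tell these apart from an invalid signal number. The casts "(unsigned long)info != 1" and "(unsigned long)info != 2" are also undocumented magic values; name the sentinels or add a comment explaining which special info pointers bypass the uid check. Finally, the one-line comment above the function does not say that uid and euid are the sender's saved credentials compared against the target's uid and suid, which is the security-relevant contract of this exported symbol and deserves a proper description.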