Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC]Oops while completing async USB via usbdevio

[Linus Torvalds]

On Tue, 27 Sep 2005, Sergey Vlasov wrote:
> 
> And then a process calls USBDEVFS_SUBMITURB and immediately exits; its
> pid gets reused by a completely different process (maybe even
> root-owned), then the urb completes, and kill_proc_info() sends the
> signal to the unsuspecting process.

Ehh.. pid's don't get re-used until they wrap.

Your _current_ code has that problem, though - "struct task_struct" _does_ 
get re-used.

Don't assume that the fixes are as bad.

Anyway, Christoph is certainly correct that what you _should_ be using is 
the SIGIO infrastructure, even if you don't actually use the fcntl() to 
register it. 

> Hmm, then probably send_sig_info() should check for non-NULL
> p->sighand after taking tasklist_lock?  Otherwise all uses of
> send_sig_info() for non-current tasks are unsafe.

I don't think so. 

Your oops is because you're using a STALE POINTER.

If you look it up by pid, it won't be stale, now will it?

Hint: the point where sighand is released is also the point where the 
process is unhashed.

			Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/