Re: [BUG] Use of probe_kernel_address() in task_rcu_dereference() without checking return value

From: Linus Torvalds
Date: Fri Aug 30 2019 - 11:30:24 EST

Next message: Tycho Andersen: "Re: [PATCH] selftests/seccomp: fix build on older kernels"
Previous message: Gao Xiang: "Re: [PATCH v3 1/7] erofs: on-disk format should have explicitly assigned numbers"
In reply to: Oleg Nesterov: "Re: [BUG] Use of probe_kernel_address() in task_rcu_dereference() without checking return value"
Next in thread: Russell King - ARM Linux admin: "Re: [BUG] Use of probe_kernel_address() in task_rcu_dereference() without checking return value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Aug 30, 2019 at 7:08 AM Russell King - ARM Linux admin
<linux@xxxxxxxxxxxxxxx> wrote:
>
> which means that when probe_kernel_address() returns -EFAULT, the
> destination is left uninitialised. In the case of
> task_rcu_dereference(), this means that "siginfo" can be used without
> having been initialised, resulting in this function returning an
> indeterminant result (based on the value of an uninitialised variable
> on the stack.)

Do you actually see that behavior?

Because the foillowing lines:

smp_rmb();
if (unlikely(task != READ_ONCE(*ptask)))
goto retry;

are what is supposed to protect it - yes, it could have faulted, but
only if 'task' isn't valid any more, and we just re-checked it.

Linus

Next message: Tycho Andersen: "Re: [PATCH] selftests/seccomp: fix build on older kernels"
Previous message: Gao Xiang: "Re: [PATCH v3 1/7] erofs: on-disk format should have explicitly assigned numbers"
In reply to: Oleg Nesterov: "Re: [BUG] Use of probe_kernel_address() in task_rcu_dereference() without checking return value"
Next in thread: Russell King - ARM Linux admin: "Re: [BUG] Use of probe_kernel_address() in task_rcu_dereference() without checking return value"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]