Commit 87ad46e6 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull proc fix from Eric Biederman:
 "A brown paper bag slipped through my proc changes, and syzcaller
  caught it when the code ended up in your tree.

  I have opted to fix it the simplest cleanest way I know how, so there
  is no reasonable chance for the bug to repeat"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  proc: Use a dedicated lock in struct pid
parents 75bdc929 63f818f4
...@@ -1839,9 +1839,9 @@ void proc_pid_evict_inode(struct proc_inode *ei) ...@@ -1839,9 +1839,9 @@ void proc_pid_evict_inode(struct proc_inode *ei)
struct pid *pid = ei->pid; struct pid *pid = ei->pid;
if (S_ISDIR(ei->vfs_inode.i_mode)) { if (S_ISDIR(ei->vfs_inode.i_mode)) {
spin_lock(&pid->wait_pidfd.lock); spin_lock(&pid->lock);
hlist_del_init_rcu(&ei->sibling_inodes); hlist_del_init_rcu(&ei->sibling_inodes);
spin_unlock(&pid->wait_pidfd.lock); spin_unlock(&pid->lock);
} }
put_pid(pid); put_pid(pid);
...@@ -1877,9 +1877,9 @@ struct inode *proc_pid_make_inode(struct super_block * sb, ...@@ -1877,9 +1877,9 @@ struct inode *proc_pid_make_inode(struct super_block * sb,
/* Let the pid remember us for quick removal */ /* Let the pid remember us for quick removal */
ei->pid = pid; ei->pid = pid;
if (S_ISDIR(mode)) { if (S_ISDIR(mode)) {
spin_lock(&pid->wait_pidfd.lock); spin_lock(&pid->lock);
hlist_add_head_rcu(&ei->sibling_inodes, &pid->inodes); hlist_add_head_rcu(&ei->sibling_inodes, &pid->inodes);
spin_unlock(&pid->wait_pidfd.lock); spin_unlock(&pid->lock);
} }
task_dump_owner(task, 0, &inode->i_uid, &inode->i_gid); task_dump_owner(task, 0, &inode->i_uid, &inode->i_gid);
...@@ -3273,7 +3273,7 @@ static const struct inode_operations proc_tgid_base_inode_operations = { ...@@ -3273,7 +3273,7 @@ static const struct inode_operations proc_tgid_base_inode_operations = {
void proc_flush_pid(struct pid *pid) void proc_flush_pid(struct pid *pid)
{ {
proc_invalidate_siblings_dcache(&pid->inodes, &pid->wait_pidfd.lock); proc_invalidate_siblings_dcache(&pid->inodes, &pid->lock);
put_pid(pid); put_pid(pid);
} }
......
...@@ -60,6 +60,7 @@ struct pid ...@@ -60,6 +60,7 @@ struct pid
{ {
refcount_t count; refcount_t count;
unsigned int level; unsigned int level;
spinlock_t lock;
/* lists of tasks that use this pid */ /* lists of tasks that use this pid */
struct hlist_head tasks[PIDTYPE_MAX]; struct hlist_head tasks[PIDTYPE_MAX];
struct hlist_head inodes; struct hlist_head inodes;
......
...@@ -256,6 +256,7 @@ struct pid *alloc_pid(struct pid_namespace *ns, pid_t *set_tid, ...@@ -256,6 +256,7 @@ struct pid *alloc_pid(struct pid_namespace *ns, pid_t *set_tid,
get_pid_ns(ns); get_pid_ns(ns);
refcount_set(&pid->count, 1); refcount_set(&pid->count, 1);
spin_lock_init(&pid->lock);
for (type = 0; type < PIDTYPE_MAX; ++type) for (type = 0; type < PIDTYPE_MAX; ++type)
INIT_HLIST_HEAD(&pid->tasks[type]); INIT_HLIST_HEAD(&pid->tasks[type]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment