linux/kernel
Linus Torvalds 45c18b0bb5 Fix unlikely (but possible) race condition on task->user access
There's a possible race condition when doing a "switch_uid()" from one
user to another, which could race with another thread doing a signal
allocation and looking at the old thread ->user pointer as it is freed.

This explains an oops reported by Lukasz Trabinski:
	http://permalink.gmane.org/gmane.linux.kernel/462241

We fix this by delaying the (reference-counted) freeing of the user
structure until the thread signal handler lock has been released, so
that we know that the signal allocation has either seen the new value or
has properly incremented the reference count of the old one.

Race identified by Oleg Nesterov.

Cc: Lukasz Trabinski <lukasz@wsisiz.edu.pl>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@osdl.org>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-11-04 10:06:02 -08:00
..
irq [PATCH] genirq: clean up irq-flow-type naming 2006-10-17 08:18:45 -07:00
power [PATCH] swsusp: debugging 2006-11-03 12:27:58 -08:00
time [PATCH] time_adjust cleared before use 2006-10-28 11:30:55 -07:00
.gitignore
acct.c [PATCH] csa: convert CONFIG tag for extended accounting routines 2006-10-01 00:39:29 -07:00
audit.c [PATCH] kauditd_thread warning fix 2006-10-06 08:53:39 -07:00
audit.h [PATCH] audit: AUDIT_PERM support 2006-09-11 13:32:30 -04:00
auditfilter.c [PATCH] arch filter lists with < or > should not be accepted 2006-10-04 08:31:16 -04:00
auditsc.c [PATCH] name_count array overrun 2006-10-04 08:31:21 -04:00
capability.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
compat.c [PATCH] Create compat_sys_migrate_pages 2006-11-03 12:27:59 -08:00
configs.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
cpu.c [PATCH] cpu-hotplug: release `workqueue_mutex' properly on CPU hot-remove 2006-10-28 11:30:55 -07:00
cpuset.c [PATCH] cpuset ANSI prototype 2006-10-10 15:37:23 -07:00
delayacct.c [PATCH] task delay accounting fixes 2006-09-01 11:39:08 -07:00
dma.c [PATCH] kernel-doc for kernel/dma.c 2006-10-03 08:03:41 -07:00
exec_domain.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
exit.c [PATCH] taskstats_tgid_free: fix usage 2006-10-28 11:30:54 -07:00
extable.c [PATCH] symbol_put_addr() locks kernel 2006-05-15 11:20:55 -07:00
fork.c [PATCH] taskstats: kill ->taskstats_lock in favor of ->siglock 2006-10-28 11:30:54 -07:00
futex_compat.c [PATCH] __user annotations: futex 2006-10-10 15:37:22 -07:00
futex.c [PATCH] schedule removal of FUTEX_FD 2006-11-03 12:27:58 -08:00
hrtimer.c [PATCH] posix-timers: Fix clock_nanosleep() doesn't return the remaining time in compatibility mode 2006-09-29 09:18:15 -07:00
itimer.c [PATCH] hrtimers: remove data field 2006-03-26 08:57:03 -08:00
kallsyms.c [PATCH] Create kallsyms_lookup_size_offset() 2006-10-03 08:03:41 -07:00
Kconfig.hz
Kconfig.preempt
kexec.c [PATCH] kexec warning fix 2006-09-29 09:18:15 -07:00
kfifo.c [PATCH] memory ordering in __kfifo primitives 2006-09-29 09:18:13 -07:00
kmod.c [PATCH] introduce kernel_execve 2006-10-02 07:57:23 -07:00
kprobes.c [PATCH] kretprobe spinlock deadlock patch 2006-10-02 07:57:16 -07:00
ksysfs.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
kthread.c [PATCH] remove kernel/kthread.c:kthread_stop_sem() 2006-07-14 21:53:52 -07:00
latency.c [PATCH] maximum latency tracking infrastructure 2006-10-01 00:39:19 -07:00
lockdep_internals.h [PATCH] lockdep: double the number of stack-trace entries 2006-09-13 07:32:14 -07:00
lockdep_proc.c [PATCH] lockdep: procfs 2006-07-03 15:27:04 -07:00
lockdep.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2006-10-17 08:56:43 -07:00
Makefile [PATCH] srcu-3: RCU variant permitting read-side blocking 2006-10-04 07:55:30 -07:00
module.c [PATCH] ndiswrapper: don't set the module->taints flags 2006-10-30 12:08:40 -08:00
mutex-debug.c Lockdep: add lockdep_set_class_and_subclass() and lockdep_set_subclass() 2006-10-11 01:45:14 -04:00
mutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
mutex.c [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
mutex.h [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
nsproxy.c [PATCH] kernel/nsproxy.c: use kmemdup() 2006-10-20 10:26:44 -07:00
panic.c [PATCH] x86: Clean up x86 NMI sysctls 2006-09-30 01:47:55 +02:00
params.c [PATCH] module_subsys: initialize earlier 2006-09-29 09:18:08 -07:00
pid.c [PATCH] introduce get_task_pid() to fix unsafe get_pid() 2006-10-02 07:57:25 -07:00
posix-cpu-timers.c [PATCH] posix-cpu-timers: prevent signal delivery starvation 2006-10-17 08:18:43 -07:00
posix-timers.c fix file specification in comments 2006-10-03 23:01:26 +02:00
printk.c [PATCH] Add printk_timed_ratelimit() 2006-11-03 12:27:58 -08:00
profile.c [PATCH] bitmap: parse input from kernel and user buffers 2006-10-11 11:14:22 -07:00
ptrace.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
rcupdate.c [PATCH] rcu: simplify/improve batch tuning 2006-10-04 07:55:31 -07:00
rcutorture.c [PATCH] rcu: add sched torture type to rcutorture 2006-10-04 07:55:31 -07:00
relay.c [PATCH] make kernel/relay.c __user-clean 2006-10-10 15:37:22 -07:00
resource.c [PATCH] kernel-doc for kernel/resource.c 2006-10-03 08:03:41 -07:00
rtmutex_common.h [PATCH] pi-futex: futex_lock_pi/futex_unlock_pi support 2006-06-27 17:32:47 -07:00
rtmutex-debug.c Remove all inclusions of <linux/config.h> 2006-10-04 03:38:54 -04:00
rtmutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rtmutex-tester.c Remove all inclusions of <linux/config.h> 2006-10-04 03:38:54 -04:00
rtmutex.c [PATCH] clean up and remove some extra spinlocks from rtmutex 2006-09-29 09:18:09 -07:00
rtmutex.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rwsem.c [PATCH] lockdep: prove rwsem locking correctness 2006-07-03 15:27:04 -07:00
sched.c [PATCH] readjust comments of task_timeslice for kernel doc 2006-10-20 10:26:37 -07:00
seccomp.c
signal.c [PATCH] usb: fixup usb so it uses struct pid 2006-10-02 07:57:15 -07:00
softirq.c [PATCH] check return value of cpu_callback 2006-09-29 09:18:14 -07:00
softlockup.c [PATCH] check return value of cpu_callback 2006-09-29 09:18:14 -07:00
spinlock.c [PATCH] Directed yield: cpu_relax variants for spinlocks and rw-locks 2006-10-01 00:39:21 -07:00
srcu.c [PATCH] SRCU: report out-of-memory errors 2006-10-04 07:55:30 -07:00
stacktrace.c [PATCH] lockdep: stacktrace subsystem, core 2006-07-03 15:27:02 -07:00
stop_machine.c [PATCH] stop_machine.c copyright 2006-09-29 09:18:24 -07:00
sys_ni.c [PATCH] Create compat_sys_migrate_pages 2006-11-03 12:27:59 -08:00
sys.c [PATCH] SRCU: report out-of-memory errors 2006-10-04 07:55:30 -07:00
sysctl.c [PATCH] cad_pid sysctl with PROC_FS=n 2006-10-20 10:26:38 -07:00
taskstats.c [PATCH] taskstats: fix sub-threads accounting 2006-10-31 08:07:00 -08:00
time.c [PATCH] NTP: Move all the NTP related code to ntp.c 2006-10-01 00:39:26 -07:00
timer.c [PATCH] kill wall_jiffies 2006-10-01 00:39:27 -07:00
tsacct.c [PATCH] xacct_add_tsk: fix pure theoretical ->mm use-after-free 2006-10-30 12:08:41 -08:00
uid16.c [PATCH] Add more prevent_tail_call() 2006-04-19 16:27:18 -07:00
unwind.c [PATCH] x86-64: Speed up dwarf2 unwinder 2006-10-21 18:37:01 +02:00
user.c Fix unlikely (but possible) race condition on task->user access 2006-11-04 10:06:02 -08:00
utsname.c [PATCH] namespaces: utsname: implement CLONE_NEWUTS flag 2006-10-02 07:57:22 -07:00
wait.c [PATCH] uninline init_waitqueue_head() 2006-07-10 13:24:25 -07:00
workqueue.c [PATCH] workqueue: update kerneldoc 2006-10-28 11:30:55 -07:00