1. 27 Sep, 2018 1 commit
    • Eric W. Biederman's avatar
      signal/arm64: Push siginfo generation into arm64_notify_die · 6fa998e8
      Eric W. Biederman authored
      Instead of generating a struct siginfo before calling arm64_notify_die
      pass the signal number, tne sicode and the fault address into
      arm64_notify_die and have it call force_sig_fault instead of
      force_sig_info to let the generic code generate the struct siginfo.
      
      This keeps code passing just the needed information into
      siginfo generating code, making it easier to see what
      is happening and harder to get wrong.  Further by letting
      the generic code handle the generation of struct siginfo
      it reduces the number of sites generating struct siginfo
      making it possible to review them and verify that all
      of the fiddly details for a structure passed to userspace
      are handled properly.
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      6fa998e8
  2. 21 Sep, 2018 22 commits
  3. 19 Sep, 2018 7 commits
  4. 16 Sep, 2018 4 commits
    • Eric W. Biederman's avatar
      signal: Pair exports with their functions · fb50f5a4
      Eric W. Biederman authored
      For readability and consistency with the other exports in
      kernel/signal.c pair the exports of signal sending functions with
      their functions, instead of having the exports in one big clump.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      fb50f5a4
    • Eric W. Biederman's avatar
      signal: Remove specific_send_sig_info · b21c5bd5
      Eric W. Biederman authored
      This function is static and it only has two callers.  As
      specific_send_sig_info is only called twice remembering what
      specific_send_sig_info does when reading the code is difficutl and it
      makes it hard to see which sending sending functions are equivalent to
      which others.
      
      So remove specific_send_sig_info to make the code easier to read.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      b21c5bd5
    • Eric W. Biederman's avatar
      signal: Use group_send_sig_info to kill all processes in a pid namespace · 82058d66
      Eric W. Biederman authored
      Replace send_sig_info in zap_pid_ns_processes with
      group_send_sig_info.  This makes more sense as the entire process
      group is being killed.  More importantly this allows the kill of those
      processes with PIDTYPE_MAX to indicate all of the process in the pid
      namespace are being signaled.  This is needed for fork to detect when
      signals are sent to a group of processes.
      
      Admittedly fork has another case to catch SIGKILL but the principle remains
      that it is desirable to know when a group of processes is being signaled.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      82058d66
    • Eric W. Biederman's avatar
      tty_io: Use group_send_sig_info in __do_SACK to note it is a session being killed · a8ebd171
      Eric W. Biederman authored
      Replace send_sig and force_sig in __do_SAK with group_send_sig_info
      the general helper for sending a signal to a process group.  This is
      wordier but it allows specifying PIDTYPE_SID so that the signal code
      knows the signal went to a session.
      
      Both force_sig() and send_sig(..., 1) specify SEND_SIG_PRIV and the
      new call of group_send_sig_info does that explicitly.  This is enough
      to ensure even a pid namespace init is killed.
      
      The global init remains unkillable.  The guarantee that __do_SAK tries
      to provide is a clean path to login to a machine.  As the global init is
      unkillable, if it chooses to hold open a tty it can violate this
      guarantee.  A technique other than killing processes would be needed
      to provide this guarantee to userspace.
      
      The only difference between force_sig and send_sig when sending
      SIGKILL is that SIGNAL_UNKILLABLE is cleared.  This has no affect on
      the processing of a signal sent with SEND_SIG_PRIV by any process, making
      it unnecessary, and not behavior that needs to be preserved.
      
      force_sig was used originally because it did not take as many locks as
      send_sig.  Today send_sig, force_sig and group_send_sig_info take the
      same locks when delivering a signal.
      
      group_send_sig_info also contains a permission check that force_sig
      and send_sig do not.  However the presence of SEND_SIG_PRIV makes the
      permission check a noop.  So the permission check does not result
      in any behavioral differences.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      a8ebd171
  5. 15 Sep, 2018 1 commit
    • Eric W. Biederman's avatar
      signal/GenWQE: Fix sending of SIGKILL · 0ab93e9c
      Eric W. Biederman authored
      The genweq_add_file and genwqe_del_file by caching current without
      using reference counting embed the assumption that a file descriptor
      will never be passed from one process to another.  It even embeds the
      assumption that the the thread that opened the file will be in
      existence when the process terminates.   Neither of which are
      guaranteed to be true.
      
      Therefore replace caching the task_struct of the opener with
      pid of the openers thread group id.  All the knowledge of the
      opener is used for is as the target of SIGKILL and a SIGKILL
      will kill the entire process group.
      
      Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
      signal argument, update it's ownly caller, and use kill_pid
      instead of force_sig.
      
      The work force_sig does in changing signal handling state is not
      relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
      will be killed just with less work, and less confusion.  The work done
      by force_sig is really only needed for handling syncrhonous
      exceptions.
      
      It will still be possible to cause genwqe_device_remove to wait
      8 seconds by passing a file descriptor to another process but
      the possible user after free is fixed.
      
      Fixes: eaf4722d ("GenWQE Character device and DDCB queue")
      Cc: stable@vger.kernel.org
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
      Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
      Cc: Michael Jung <mijung@gmx.net>
      Cc: Michael Ruettger <michael@ibmra.de>
      Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
      Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
      Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      0ab93e9c
  6. 11 Sep, 2018 5 commits