pids: sys_getsid: fix unsafe *pid usage, fix possible 0 instead of -ESRCH

1. sys_getsid() needs rcu_read_lock() to derive the session _nr, even if
   the task is current, otherwise we can race with another thread which
   does sys_setsid().

2. The task can exit between find_task_by_vpid() and task_session_vnr(),
   in that unlikely case sys_getsid() returns 0 instead of -ESRCH.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/kernel/sys.c b/kernel/sys.c
index 5d0b44cd435cf9d6032ece1ed944db714d29a92d..ddd28e261f3a06d8fc47d35d6eae5c4bcd2a9d8a 100644 (file)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1022,23 +1022,30 @@ asmlinkage long sys_getpgrp(void)
 
 asmlinkage long sys_getsid(pid_t pid)
 {
+       struct task_struct *p;
+       struct pid *sid;
+       int retval;
+
+       rcu_read_lock();
        if (!pid)
-               return task_session_vnr(current);
+               sid = task_session(current);
        else {
-               int retval;
-               struct task_struct *p;
-
-               rcu_read_lock();
-               p = find_task_by_vpid(pid);
                retval = -ESRCH;
-               if (p) {
-                       retval = security_task_getsid(p);
-                       if (!retval)
-                               retval = task_session_vnr(p);
-               }
-               rcu_read_unlock();
-               return retval;
+               p = find_task_by_vpid(pid);
+               if (!p)
+                       goto out;
+               sid = task_session(p);
+               if (!sid)
+                       goto out;
+
+               retval = security_task_getsid(p);
+               if (retval)
+                       goto out;
        }
+       retval = pid_vnr(sid);
+out:
+       rcu_read_unlock();
+       return retval;
 }
 
 asmlinkage long sys_setsid(void)