lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Feb 2009 16:01:07 -0800 From: Paul Menage <menage@...gle.com> To: Al Viro <viro@...iv.linux.org.uk> Cc: Li Zefan <lizf@...fujitsu.com>, Andrew Morton <akpm@...ux-foundation.org>, LKML <linux-kernel@...r.kernel.org>, Linux Containers <containers@...ts.linux-foundation.org> Subject: Re: [PATCH] cgroups: fix possible use after free On Tue, Feb 10, 2009 at 4:45 AM, Al Viro <viro@...iv.linux.org.uk> wrote: > On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: >> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@...fujitsu.com> wrote: >> > In cgroup_kill_sb(), root is freed before sb is detached from the list, >> > so another sget() may find this sb and call cgroup_test_super(), >> > which will access the root that has been freed. >> >> I think that I'd assumed that by the time we get to cgroup_kill_sb() >> there's no chance of the sb being resurrected by sget(). > > There is none. grab_super() will fail to get it, so sget() will go > through retry logics. Which doesn't mean that test won't be called > on it in the meanwhile. OK, so Zefan's patch looks like the safest way to fix this particular issue. I think I see some other potential races with cgroup_test_super() though - we probably need to synchronize against the changing of a root's subsys_bits in rebind_subsystems(). Taking cgroup_mutex around the call to sget() would certainly provide that, but I'd have to check whether it causes locking cycles. Paul -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists