| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Dec 2012 01:41:03 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: Herton Ronaldo Krzesinski <herton.krzesinski@...onical.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
akpm@...ux-foundation.org, alan@...rguk.ukuu.org.uk,
Tejun Heo <tj@...nel.org>,
"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
Aristeu Rozanski <aris@...hat.com>,
Li Zefan <lizefan@...wei.com>
Subject: Re: [ 06/89] device_cgroup: fix RCU usage
On Thu, 2012-12-06 at 17:36 -0200, Herton Ronaldo Krzesinski wrote:
> On Mon, Dec 03, 2012 at 02:31:52PM +0000, Ben Hutchings wrote:
> > 3.2-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Tejun Heo <tj@...nel.org>
> >
> > commit 201e72acb2d3821e2de9ce6091e98859c316b29a upstream.
> >
> > dev_cgroup->exceptions is protected with devcgroup_mutex for writes
> > and RCU for reads; however, RCU usage isn't correct.
> >
> > * dev_exception_clean() doesn't use RCU variant of list_del() and
> > kfree(). The function can race with may_access() and may_access()
> > may end up dereferencing already freed memory. Use list_del_rcu()
> > and kfree_rcu() instead.
> >
> > * may_access() may be called only with RCU read locked but doesn't use
> > RCU safe traversal over ->exceptions. Use list_for_each_entry_rcu().
> >
> > Signed-off-by: Tejun Heo <tj@...nel.org>
> > Acked-by: Serge E. Hallyn <serge.hallyn@...ntu.com>
> > Cc: Aristeu Rozanski <aris@...hat.com>
> > Cc: Li Zefan <lizefan@...wei.com>
> > [bwh: Backported to 3.2:
> > - Adjust context
> > - Exception list is called whitelist]
> > Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
>
> I belive this backport is uneeded for 3.2 (or any stable <= 3.6), since
> may_access_whitelist (may_access now in mainline) isn't called under
> rcu_read_lock.
I think you're right. There are other readers that do rely on
rcu_read_lock(), but I don't think any of them can race with
devcgroup_destroy() (and if they can, it would have to use
kfree_rcu(dev_cgroup) as well).
You were too late for 3.2.35 but I'll revert this in the next update.
Ben.
> > ---
> > security/device_cgroup.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > --- a/security/device_cgroup.c
> > +++ b/security/device_cgroup.c
> > @@ -202,8 +202,8 @@ static void devcgroup_destroy(struct cgr
> >
> > dev_cgroup = cgroup_to_devcgroup(cgroup);
> > list_for_each_entry_safe(wh, tmp, &dev_cgroup->whitelist, list) {
> > - list_del(&wh->list);
> > - kfree(wh);
> > + list_del_rcu(&wh->list);
> > + kfree_rcu(wh, rcu);
> > }
> > kfree(dev_cgroup);
> > }
> > @@ -278,7 +278,7 @@ static int may_access_whitelist(struct d
> > {
> > struct dev_whitelist_item *whitem;
> >
> > - list_for_each_entry(whitem, &c->whitelist, list) {
> > + list_for_each_entry_rcu(whitem, &c->whitelist, list) {
> > if (whitem->type & DEV_ALL)
> > return 1;
> > if ((refwh->type & DEV_BLOCK) && !(whitem->type & DEV_BLOCK))
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe stable" in
> > the body of a message to majordomo@...r.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
--
Ben Hutchings
Computers are not intelligent. They only think they are.
Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)
Powered by blists - more mailing lists