lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120408174919.GA28428@redhat.com>
Date:	Sun, 8 Apr 2012 19:49:19 +0200
From:	Oleg Nesterov <oleg@...hat.com>
To:	Juri Lelli <juri.lelli@...il.com>
Cc:	peterz@...radead.org, tglx@...utronix.de, mingo@...hat.com,
	rostedt@...dmis.org, cfriesen@...tel.com, fweisbec@...il.com,
	darren@...art.com, johan.eker@...csson.com, p.faure@...tech.ch,
	linux-kernel@...r.kernel.org, claudio@...dence.eu.com,
	michael@...rulasolutions.com, fchecconi@...il.com,
	tommaso.cucinotta@...up.it, nicola.manica@...i.unitn.it,
	luca.abeni@...tn.it, dhaval.giani@...il.com, hgu1972@...il.com,
	paulmck@...ux.vnet.ibm.com, raistlin@...ux.it,
	insop.song@...csson.com, liming.wang@...driver.com
Subject: Re: [PATCH 01/16] sched: add sched_class->task_dead.

On 04/06, Juri Lelli wrote:
>
> --- a/kernel/sched.c
> +++ b/kernel/sched.c
> @@ -3219,6 +3219,9 @@ static void finish_task_switch(struct rq *rq, struct task_struct *prev)
>  	if (mm)
>  		mmdrop_delayed(mm);
>  	if (unlikely(prev_state == TASK_DEAD)) {
> +		if (prev->sched_class->task_dead)
> +			prev->sched_class->task_dead(prev);
> +

And 5/16 adds

	+static void task_dead_dl(struct task_struct *p)
	+{
	+       struct hrtimer *timer = &p->dl.dl_timer;
	+
	+	if (hrtimer_active(timer))
	+               hrtimer_try_to_cancel(timer);
	+}

This looks suspicious. finish_task_switch() does put_task_struct()
after that, it is quite possible this actually frees the memory.

What if hrtimer_try_to_cancel() fails because the timer is running?
In this case __run_hrtimer() can play with the freed timer. Say, to
clear HRTIMER_STATE_CALLBACK. Not to mention dl_task_timer() itself.

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ