| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Nov 2015 15:48:13 -0500
From: Tejun Heo <tj@...nel.org>
To: Dave Jones <davej@...emonkey.org.uk>
Cc: Linux Kernel <linux-kernel@...r.kernel.org>,
cgroups@...r.kernel.org
Subject: Re: pids_free double free.
Hello, Dave.
On Thu, Nov 19, 2015 at 11:18:36PM -0500, Dave Jones wrote:
> One of my debian boxes got a systemd update. After rebooting,
> I started seeing a use-after-free trace, followed by a lockup.
>
> I have two slightly different traces from separate boots,
> which may give some clue as to how it's getting free'd in two ways..
>
> http://codemonkey.org.uk/junk/IMG_0474.jpg
> http://codemonkey.org.uk/junk/IMG_0476.jpg
>
> This isn't new, I booted back to 4.3, and hit slab debugging warnings
> from the same code. (At the least it was broken differently)
>
> The WARN_ON referenced in the 2nd trace is this..
>
> static void pids_cancel(struct pids_cgroup *pids, int num)
> {
> /*
> * A negative count (or overflow for that matter) is invalid,
> * and indicates a bug in the `pids` controller proper.
> */
> WARN_ON_ONCE(atomic64_add_negative(-num, &pids->counter));
> }
I *think* I know what's going on. Zombies don't pin the css so if the
cgroup gets removed, the free path may end up operating on a css which
has already been freed. Will look more into it.
Thanks.
--
tejun
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists