| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160406004956.GA102852@kernel.org> Date: Tue, 5 Apr 2016 17:49:56 -0700 From: Shaohua Li <shli@...nel.org> To: Lars Ellenberg <lars.ellenberg@...bit.com> Cc: Neil Brown <neilb@...e.de>, Jens Axboe <axboe@...nel.dk>, Chris Mason <clm@...com>, Josef Bacik <jbacik@...com>, David Sterba <dsterba@...e.com>, linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org, linux-btrfs@...r.kernel.org Subject: Re: [PATCH] [RFC] fix potential access after free: return value of blk_check_plugged() must be used schedule() safe On Tue, Apr 05, 2016 at 03:36:57PM +0200, Lars Ellenberg wrote: > blk_check_plugged() will return a pointer > to an object linked on current->plug->cb_list. > > That list may "at any time" be implicitly cleared by > blk_flush_plug_list() > flush_plug_callbacks() > either as a result of blk_finish_plug(), > or implicitly by schedule() [and maybe other implicit mechanisms?] > > If there is no protection against an implicit unplug > between the call to blk_check_plug() and using its return value, > that implicit unplug may have already happened, > even before the plug is actually initialized or populated, > and we may be using a pointer to already free()d data. This isn't correct. flush plug is never called in preemption, which is designed only called when the task is going to sleep. See sched_submit_work. Am I missing anything? Thanks, Shaohua
Powered by blists - more mailing lists