| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170428053420.GJ29622@ZenIV.linux.org.uk>
Date: Fri, 28 Apr 2017 06:34:20 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Nikolay Borisov <nborisov@...e.com>
Cc: dvyukov@...gle.com, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller@...glegroups.com,
Dave Chinner <david@...morbit.com>
Subject: Re: [PATCH] fs: Handle register_shrinker failure
On Fri, Apr 28, 2017 at 05:30:46AM +0100, Al Viro wrote:
> I really don't like that. Your "remove it from all lists and pray that
> nobody has picked a reference of any kind" at the very least needs a careful
> written proof of correctness. AFAICS, somebody might've found it on the
> list and attempted to grab ->s_umount (grab_super() from another thread
> calling sget()). Then they'd block until your up_write() in there and
> bugger the system up trying to play with ->s_umount in the object you've
> freed.
>
> NAK. Yes, the bug is real, but this is not a solution.
Why do we register it that early, anyway? super_cache_scan() won't do
anything until we are done with setting the sucker up and dropped ->s_umount.
How about we initialize ->s_shrink.list in alloc_super(), have
deactivate_locked_super() call unregister_shrinker() only if list_empty(...)
and have mount_fs() do
error = register_shrinker(&sb->s_shrink);
if (error)
goto out_sb;
sb->s_flags |= MS_BORN;
error = security_sb_kern_mount(sb, flags, secdata);
if (error)
goto out_sb;
Folks? Am I missing something subtle here?
Powered by blists - more mailing lists