lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1544340077-11491-1-git-send-email-gchen.guomin@gmail.com>
Date:   Sun,  9 Dec 2018 15:21:17 +0800
From:   gchen.guomin@...il.com
To:     "Michael S. Tsirkin" <mst@...hat.com>
Cc:     guominchen <guominchen@...cent.com>, <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>, Jason Wang <jasowang@...hat.com>,
        <netdev@...r.kernel.org>
Subject: [PATCH]  Fix mm->owner point to a task that does not exists

From: guominchen <guominchen@...cent.com>

  Under normal circumstances,When do_exit exits, mm->owner will
  be updated, but when the kernel process calls unuse_mm and exits,
  mm->owner cannot be updated. And will point to a task that has
  been released.

  Below is my issue on vhost_net:
    A, B are two kernel processes(such as vhost_worker),
    C is a user space process(such as qemu), and all
    three use the mm of the user process C.
    Now, because user process C exits abnormally, the owner of this
    mm becomes A. When A calls unuse_mm and exits, this mm->ower
    still points to the A that has been released.
    When B accesses this mm->owner again, A has been released.

  Process A		Process B
 vhost_worker()	       vhost_worker()
  ---------    		---------
  use_mm()		use_mm()
   ...
  unuse_mm()
     tsk->mm=NULL
   do_exit()     	page fault
    exit_mm()	 	access mm->owner
   can't update owner	kernel Oops

			unuse_mm()

Cc: <linux-mm@...ck.org>
Cc: <linux-kernel@...r.kernel.org>
Cc: "Michael S. Tsirkin" <mst@...hat.com>
Cc: Jason Wang <jasowang@...hat.com>
Cc: <netdev@...r.kernel.org>
Signed-off-by: guominchen <guominchen@...cent.com>
---
 mm/mmu_context.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mm/mmu_context.c b/mm/mmu_context.c
index 3e612ae..185bb23 100644
--- a/mm/mmu_context.c
+++ b/mm/mmu_context.c
@@ -56,7 +56,6 @@ void unuse_mm(struct mm_struct *mm)
 
 	task_lock(tsk);
 	sync_mm_rss(mm);
-	tsk->mm = NULL;
 	/* active_mm is still 'mm' */
 	enter_lazy_tlb(mm, tsk);
 	task_unlock(tsk);
-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ