| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Aug 2022 09:07:56 +0800
From: Kefeng Wang <wangkefeng.wang@...wei.com>
To: Andrew Morton <akpm@...ux-foundation.org>,
Muchun Song <muchun.song@...ux.dev>
CC: Linux MM <linux-mm@...ck.org>, Qian Cai <cai@....pw>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm: fix pgdat->kswap accessed concurrently
On 2022/8/21 4:59, Andrew Morton wrote:
> On Sat, 20 Aug 2022 15:33:04 +0800 Muchun Song <muchun.song@...ux.dev> wrote:
>
>>
>>> + if (IS_ERR(t)) {
>>> /* failure at boot is fatal */
>>> BUG_ON(system_state < SYSTEM_RUNNING);
>>> pr_err("Failed to start kswapd on node %d\n", nid);
>>> - pgdat->kswapd = NULL;
>>> + WRITE_ONCE(pgdat->kswapd, NULL);
>>> + } else {
>>> + WRITE_ONCE(pgdat->kswapd, t);
>>> }
>>> }
>> IIUC, the race is like the followings:
>>
>> CPU 0: CPU 1:
>>
>> kswapd_run()
>> pgdat->kswapd = kthread_run()
>> if (IS_ERR(pgdat->kswapd))
>> kswapd_is_running
>> // load pgdat->kswapd and it is NOT NULL.
>> pgdat->kswapd = NULL
>> task_is_running(pgdat->kswapd); // NULL pointer dereference
>>
> But don't we still have a bug? Sure, kswapd_is_running() will no
> longer deref a null pointer. But it now runs kswapd_is_running()
> against a task which has exited - a use-after-free?
we could add get/put_task_struct() to avoid the UAF, will update, thanks.
> .
Powered by blists - more mailing lists