lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20221214025101.1268437-1-ming.lei@redhat.com>
Date:   Wed, 14 Dec 2022 10:50:58 +0800
From:   Ming Lei <ming.lei@...hat.com>
To:     Jens Axboe <axboe@...nel.dk>, Tejun Heo <tj@...nel.org>
Cc:     linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        Zhong Jinghua <zhongjinghua@...wei.com>,
        Yu Kuai <yukuai3@...wei.com>, Dennis Zhou <dennis@...nel.org>,
        Ming Lei <ming.lei@...hat.com>
Subject: [PATCH 0/3] lib/percpu-refcount: fix use-after-free by late ->release

Hi,

The pattern of wait_event(percpu_ref_is_zero()) may cause
percpu_ref_exit() to be called before ->release() is done, so
user-after-free may be caused, fix the issue by draining ->release()
in percpu_ref_exit().


Ming Lei (3):
  lib/percpu-refcount: support to exit refcount automatically during
    releasing
  lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT
  lib/percpu-refcount: drain ->release() in perpcu_ref_exit()

 drivers/infiniband/ulp/rtrs/rtrs-srv.c |  4 +--
 include/linux/percpu-refcount.h        | 36 ++++++++++++++++++++++++--
 lib/percpu-refcount.c                  | 31 +++++++++++++++++++---
 mm/memcontrol.c                        |  5 ++--
 4 files changed, 66 insertions(+), 10 deletions(-)

-- 
2.38.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ