Re: perf: use-after-free in perf_release

From: Dmitry Vyukov
Date: Tue Mar 07 2017 - 09:27:31 EST

Next message: Kirill A. Shutemov: "Re: [RFC 04/11] mm: remove SWAP_MLOCK check for SWAP_SUCCESS in ttu"
Previous message: Shanker Donthineni: "[PATCH v3] irqchip/gicv3-its: Avoid memory over allocation for ITEs"
In reply to: Oleg Nesterov: "Re: perf: use-after-free in perf_release"
Next in thread: Oleg Nesterov: "Re: perf: use-after-free in perf_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 7, 2017 at 3:04 PM, Oleg Nesterov <oleg@xxxxxxxxxx> wrote:
> On 03/06, Peter Zijlstra wrote:
>>
>> and this is a failed fork().
>>
>>
>> However, inherited events don't have a filedesc to fput(), and
>> similarly, a task that fails for has never been visible to attach a perf
>> event to because it never hits the pid-hash.
>
> Yes, it is not visible to find_task_by_vpid() until copy_process() does
> attach_pid(PIDTYPE_PID), and copy_process() can't fail after that.

I would what is that that is failed in copy_process. Could it be
perf_event_init_task itself? Maybe it leaves a pointer to p in some
shared state on some error conditions?

Next message: Kirill A. Shutemov: "Re: [RFC 04/11] mm: remove SWAP_MLOCK check for SWAP_SUCCESS in ttu"
Previous message: Shanker Donthineni: "[PATCH v3] irqchip/gicv3-its: Avoid memory over allocation for ITEs"
In reply to: Oleg Nesterov: "Re: perf: use-after-free in perf_release"
Next in thread: Oleg Nesterov: "Re: perf: use-after-free in perf_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]