Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free

From: Oleg Nesterov
Date: Thu Aug 24 2017 - 09:24:37 EST

Next message: Jack Henschel: "[PATCH] perf stat: Fix path to PMU formats in documentation"
Previous message: Frederic Weisbecker: "Re: [RFC PATCH 12/12] housekeeping: Reimplement isolcpus on housekeeping"
Next in thread: Eric Biggers: "Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/23, Eric Biggers wrote:
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> write killable") made it possible to kill a forking task while it is
> waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it
> was overlooked that this introduced an new error path before a reference
> is taken on the mm_struct's ->exe_file.

Hmm. Unless I am totally confused, the same problem with mm->exol_area?
I'll recheck....

> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> mm_init_cpumask(mm);
> mm_init_aio(mm);
> mm_init_owner(mm, p);
> + RCU_INIT_POINTER(mm->exe_file, NULL);

Can't we simply move

RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));

from dup_mmap() here? Afaics this doesn't need mmap_sem.

Good catch!

Oleg.

Next message: Jack Henschel: "[PATCH] perf stat: Fix path to PMU formats in documentation"
Previous message: Frederic Weisbecker: "Re: [RFC PATCH 12/12] housekeeping: Reimplement isolcpus on housekeeping"
Next in thread: Eric Biggers: "Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]