On 12/21, Oleg Nesterov wrote:
>
> And in fact I think this is not strange, but simply wrong.
>
> Please consider the XXX case above. Suppose that free_pid(P) happens
> after ns->child_reaper exits and thus this pointer points to nowhere.
> Suppose also that there is another injected pid so nr_hashed == 2.
> In this case wake_up_process(ns->child_reaper) means use-after-free,
> no?

Hmm. And another minor problem, unless I missed something.

Once again, the parent namespace injects the task T after ns->reaper
sees nr_hashed == 1 and returns. Suppose that reaper's parent does
do_wait() and free_pidmap() clears the bit == 1.

Now, what if T doesn't exit but forks? We must not re-create the task
with pid_nr == 1 in the dead namespace. Normally this can't happen,
RESERVED_PIDS logic in alloc_pidmap() saves us. But it seems that we
need

	-	.extra1 = &zero,
	+	.extra1 = &one,

in pid_ns_ctl_table.

Oleg.