Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free

On 08/23, Eric Biggers wrote:
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> write killable") made it possible to kill a forking task while it is
> waiting to acquire its ->mmap_sem for write, in dup_mmap().  However, it
> was overlooked that this introduced a new error path before a reference
> is taken on the mm_struct's ->exe_file.

Hmm. Unless I am totally confused, the same problem with mm->exol_area?
I'll recheck....

> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
>  	mm_init_cpumask(mm);
>  	mm_init_aio(mm);
>  	mm_init_owner(mm, p);
> +	RCU_INIT_POINTER(mm->exe_file, NULL);
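Review bot: the `+	RCU_INIT_POINTER(mm->exe_file, NULL);` store only makes the new error path safe if the field otherwise holds a stale value at that point, and neither the hunk nor the commit message says where that value comes from; state explicitly in the commit message why mm->exe_file is non-NULL before dup_mmap() takes its reference, so a reviewer can confirm that mm_init() (rather than the dup_mmap() call site) is the right place for the fix. Since the hunk does not show the later `RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm))` in dup_mmap(), it is also worth saying whether that assignment depends on mmap_sem; if it does not, a single initialization in mm_init() would avoid a NULL store that is immediately overwritten on the success path.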

Can't we simply move

	RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm));

from dup_mmap() here? Afaics this doesn't need mmap_sem.

Good catch!

Oleg.
