* [PATCH] cgroups: fix possible use after free
@ 2009-02-10 9:31 Li Zefan
2009-02-10 10:15 ` Paul Menage
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Li Zefan @ 2009-02-10 9:31 UTC (permalink / raw)
To: Andrew Morton; +Cc: Paul Menage, Al Viro, LKML, Linux Containers
In cgroup_kill_sb(), root is freed before sb is detached from the list,
so another sget() may find this sb and call cgroup_test_super(),
which will access the root that has been freed.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
---
kernel/cgroup.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5a54ff4..42fd3f2 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1122,8 +1122,8 @@ static void cgroup_kill_sb(struct super_block *sb) {
mutex_unlock(&cgroup_mutex);
- kfree(root);
kill_litter_super(sb);
+ kfree(root);
}
static struct file_system_type cgroup_fs_type = {
--
1.5.4.rc3
^ permalink raw reply related [flat|nested] 14+ messages in thread* Re: [PATCH] cgroups: fix possible use after free 2009-02-10 9:31 [PATCH] cgroups: fix possible use after free Li Zefan @ 2009-02-10 10:15 ` Paul Menage [not found] ` <6599ad830902100215o185edd31k8731e033717dbb49-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> [not found] ` <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> 2009-02-11 0:01 ` Paul Menage 2 siblings, 1 reply; 14+ messages in thread From: Paul Menage @ 2009-02-10 10:15 UTC (permalink / raw) To: Li Zefan; +Cc: Andrew Morton, Al Viro, LKML, Linux Containers On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@cn.fujitsu.com> wrote: > In cgroup_kill_sb(), root is freed before sb is detached from the list, > so another sget() may find this sb and call cgroup_test_super(), > which will access the root that has been freed. I think that I'd assumed that by the time we get to cgroup_kill_sb() there's no chance of the sb being resurrected by sget(). If anyone can call cgroup_test_super() on the sb that we're trying to free, isn't that bad? Since even with this patch we free root just after calling kill_litter_sb(), if anyone tries to reuse that super block then they're toast. Would it be better to set sb->s_fs_info to NULL, before calling kill_litter_sb(), and have cgroup_test_super() just return 0 for any sb with a NULL sb->s_fs_info. Paul > > Reported-by: Al Viro <viro@ZenIV.linux.org.uk> > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> > --- > kernel/cgroup.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/kernel/cgroup.c b/kernel/cgroup.c > index 5a54ff4..42fd3f2 100644 > --- a/kernel/cgroup.c > +++ b/kernel/cgroup.c > @@ -1122,8 +1122,8 @@ static void cgroup_kill_sb(struct super_block *sb) { > > mutex_unlock(&cgroup_mutex); > > - kfree(root); > kill_litter_super(sb); > + kfree(root); > } > > static struct file_system_type cgroup_fs_type = { > -- > 1.5.4.rc3 > ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <6599ad830902100215o185edd31k8731e033717dbb49-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH] cgroups: fix possible use after free 2009-02-10 10:15 ` Paul Menage @ 2009-02-10 12:45 ` Al Viro 0 siblings, 0 replies; 14+ messages in thread From: Al Viro @ 2009-02-10 12:45 UTC (permalink / raw) To: Paul Menage; +Cc: Linux Containers, Andrew Morton, LKML On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: > On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote: > > In cgroup_kill_sb(), root is freed before sb is detached from the list, > > so another sget() may find this sb and call cgroup_test_super(), > > which will access the root that has been freed. > > I think that I'd assumed that by the time we get to cgroup_kill_sb() > there's no chance of the sb being resurrected by sget(). There is none. grab_super() will fail to get it, so sget() will go through retry logics. Which doesn't mean that test won't be called on it in the meanwhile. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free @ 2009-02-10 12:45 ` Al Viro 0 siblings, 0 replies; 14+ messages in thread From: Al Viro @ 2009-02-10 12:45 UTC (permalink / raw) To: Paul Menage; +Cc: Li Zefan, Andrew Morton, LKML, Linux Containers On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: > On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@cn.fujitsu.com> wrote: > > In cgroup_kill_sb(), root is freed before sb is detached from the list, > > so another sget() may find this sb and call cgroup_test_super(), > > which will access the root that has been freed. > > I think that I'd assumed that by the time we get to cgroup_kill_sb() > there's no chance of the sb being resurrected by sget(). There is none. grab_super() will fail to get it, so sget() will go through retry logics. Which doesn't mean that test won't be called on it in the meanwhile. ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <20090210124527.GA28946-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>]
* Re: [PATCH] cgroups: fix possible use after free 2009-02-10 12:45 ` Al Viro @ 2009-02-11 0:01 ` Paul Menage -1 siblings, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 0:01 UTC (permalink / raw) To: Al Viro; +Cc: Linux Containers, Andrew Morton, LKML On Tue, Feb 10, 2009 at 4:45 AM, Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> wrote: > On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: >> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote: >> > In cgroup_kill_sb(), root is freed before sb is detached from the list, >> > so another sget() may find this sb and call cgroup_test_super(), >> > which will access the root that has been freed. >> >> I think that I'd assumed that by the time we get to cgroup_kill_sb() >> there's no chance of the sb being resurrected by sget(). > > There is none. grab_super() will fail to get it, so sget() will go > through retry logics. Which doesn't mean that test won't be called > on it in the meanwhile. OK, so Zefan's patch looks like the safest way to fix this particular issue. I think I see some other potential races with cgroup_test_super() though - we probably need to synchronize against the changing of a root's subsys_bits in rebind_subsystems(). Taking cgroup_mutex around the call to sget() would certainly provide that, but I'd have to check whether it causes locking cycles. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free @ 2009-02-11 0:01 ` Paul Menage 0 siblings, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 0:01 UTC (permalink / raw) To: Al Viro; +Cc: Li Zefan, Andrew Morton, LKML, Linux Containers On Tue, Feb 10, 2009 at 4:45 AM, Al Viro <viro@zeniv.linux.org.uk> wrote: > On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: >> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@cn.fujitsu.com> wrote: >> > In cgroup_kill_sb(), root is freed before sb is detached from the list, >> > so another sget() may find this sb and call cgroup_test_super(), >> > which will access the root that has been freed. >> >> I think that I'd assumed that by the time we get to cgroup_kill_sb() >> there's no chance of the sb being resurrected by sget(). > > There is none. grab_super() will fail to get it, so sget() will go > through retry logics. Which doesn't mean that test won't be called > on it in the meanwhile. OK, so Zefan's patch looks like the safest way to fix this particular issue. I think I see some other potential races with cgroup_test_super() though - we probably need to synchronize against the changing of a root's subsys_bits in rebind_subsystems(). Taking cgroup_mutex around the call to sget() would certainly provide that, but I'd have to check whether it causes locking cycles. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <6599ad830902101601i294ffaa5xd01611c5121a5685-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH] cgroups: fix possible use after free 2009-02-11 0:01 ` Paul Menage @ 2009-02-11 1:19 ` Al Viro -1 siblings, 0 replies; 14+ messages in thread From: Al Viro @ 2009-02-11 1:19 UTC (permalink / raw) To: Paul Menage; +Cc: Linux Containers, Andrew Morton, LKML On Tue, Feb 10, 2009 at 04:01:07PM -0800, Paul Menage wrote: > On Tue, Feb 10, 2009 at 4:45 AM, Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> wrote: > > On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: > >> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote: > >> > In cgroup_kill_sb(), root is freed before sb is detached from the list, > >> > so another sget() may find this sb and call cgroup_test_super(), > >> > which will access the root that has been freed. > >> > >> I think that I'd assumed that by the time we get to cgroup_kill_sb() > >> there's no chance of the sb being resurrected by sget(). > > > > There is none. grab_super() will fail to get it, so sget() will go > > through retry logics. Which doesn't mean that test won't be called > > on it in the meanwhile. > > OK, so Zefan's patch looks like the safest way to fix this particular > issue. I think I see some other potential races with > cgroup_test_super() though - we probably need to synchronize against > the changing of a root's subsys_bits in rebind_subsystems(). Taking > cgroup_mutex around the call to sget() would certainly provide that, > but I'd have to check whether it causes locking cycles. Deadlock. The whole point of what sget() is doing with retries is this: if you have a matching fs in the middle of shutdown, you obviously can't pick its sb (it's halfway shut down) and you can't start bringing your instance up until the halfdead one is gone. So you can't wrap sget() into a mutex that might be grabbed at some point of ->kill_sb() or it'll wait forever in that scenario. Note that test is essentially atomic; we are doing it fast for all superblocks of this type. If we find a match, we go ahead and pick that superblock. So there's no problem just assuming we'd won the race, got existing superblock and change (if any) of ->subsys_bits simply happened just after that. AFAICS, that's perfectly sane - you are talking about the race between mount picking fs instance with the same options and remount changing said instance. Other callers of rebind_subsystems() do not apply - one in your ->get_sb() won't change the field anyway and one in ->kill_sb() is irrelevant since the superblock will be rejected by grab_super(). So no exclusion is needed there at all. If you don't want later remount of the first mount to affect these flags of second one you shouldn't share the superblock at all, obviously... ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free @ 2009-02-11 1:19 ` Al Viro 0 siblings, 0 replies; 14+ messages in thread From: Al Viro @ 2009-02-11 1:19 UTC (permalink / raw) To: Paul Menage; +Cc: Li Zefan, Andrew Morton, LKML, Linux Containers On Tue, Feb 10, 2009 at 04:01:07PM -0800, Paul Menage wrote: > On Tue, Feb 10, 2009 at 4:45 AM, Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote: > >> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@cn.fujitsu.com> wrote: > >> > In cgroup_kill_sb(), root is freed before sb is detached from the list, > >> > so another sget() may find this sb and call cgroup_test_super(), > >> > which will access the root that has been freed. > >> > >> I think that I'd assumed that by the time we get to cgroup_kill_sb() > >> there's no chance of the sb being resurrected by sget(). > > > > There is none. grab_super() will fail to get it, so sget() will go > > through retry logics. Which doesn't mean that test won't be called > > on it in the meanwhile. > > OK, so Zefan's patch looks like the safest way to fix this particular > issue. I think I see some other potential races with > cgroup_test_super() though - we probably need to synchronize against > the changing of a root's subsys_bits in rebind_subsystems(). Taking > cgroup_mutex around the call to sget() would certainly provide that, > but I'd have to check whether it causes locking cycles. Deadlock. The whole point of what sget() is doing with retries is this: if you have a matching fs in the middle of shutdown, you obviously can't pick its sb (it's halfway shut down) and you can't start bringing your instance up until the halfdead one is gone. So you can't wrap sget() into a mutex that might be grabbed at some point of ->kill_sb() or it'll wait forever in that scenario. Note that test is essentially atomic; we are doing it fast for all superblocks of this type. If we find a match, we go ahead and pick that superblock. So there's no problem just assuming we'd won the race, got existing superblock and change (if any) of ->subsys_bits simply happened just after that. AFAICS, that's perfectly sane - you are talking about the race between mount picking fs instance with the same options and remount changing said instance. Other callers of rebind_subsystems() do not apply - one in your ->get_sb() won't change the field anyway and one in ->kill_sb() is irrelevant since the superblock will be rejected by grab_super(). So no exclusion is needed there at all. If you don't want later remount of the first mount to affect these flags of second one you shouldn't share the superblock at all, obviously... ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <20090211011933.GB28946-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>]
* Re: [PATCH] cgroups: fix possible use after free [not found] ` <20090211011933.GB28946-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> @ 2009-02-11 1:54 ` Paul Menage 0 siblings, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 1:54 UTC (permalink / raw) To: Al Viro; +Cc: Linux Containers, Andrew Morton, LKML On Tue, Feb 10, 2009 at 5:19 PM, Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> wrote: > > So you can't wrap sget() into a mutex that might be grabbed at some > point of ->kill_sb() or it'll wait forever in that scenario. Good point. > > So no exclusion is needed there at all. If you don't want later remount > of the first mount to affect these flags of second one you shouldn't share > the superblock at all, obviously... I have plans for some slightly more complex state in that structure - I'll probably just add a spinlock around accesses to those fields so that we can avoid exposing any inconsistent state. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free 2009-02-11 1:19 ` Al Viro (?) (?) @ 2009-02-11 1:54 ` Paul Menage -1 siblings, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 1:54 UTC (permalink / raw) To: Al Viro; +Cc: Li Zefan, Andrew Morton, LKML, Linux Containers On Tue, Feb 10, 2009 at 5:19 PM, Al Viro <viro@zeniv.linux.org.uk> wrote: > > So you can't wrap sget() into a mutex that might be grabbed at some > point of ->kill_sb() or it'll wait forever in that scenario. Good point. > > So no exclusion is needed there at all. If you don't want later remount > of the first mount to affect these flags of second one you shouldn't share > the superblock at all, obviously... I have plans for some slightly more complex state in that structure - I'll probably just add a spinlock around accesses to those fields so that we can avoid exposing any inconsistent state. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>]
* Re: [PATCH] cgroups: fix possible use after free [not found] ` <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> @ 2009-02-10 10:15 ` Paul Menage 2009-02-11 0:01 ` Paul Menage 1 sibling, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-10 10:15 UTC (permalink / raw) To: Li Zefan; +Cc: Linux Containers, Andrew Morton, Al Viro, LKML On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote: > In cgroup_kill_sb(), root is freed before sb is detached from the list, > so another sget() may find this sb and call cgroup_test_super(), > which will access the root that has been freed. I think that I'd assumed that by the time we get to cgroup_kill_sb() there's no chance of the sb being resurrected by sget(). If anyone can call cgroup_test_super() on the sb that we're trying to free, isn't that bad? Since even with this patch we free root just after calling kill_litter_sb(), if anyone tries to reuse that super block then they're toast. Would it be better to set sb->s_fs_info to NULL, before calling kill_litter_sb(), and have cgroup_test_super() just return 0 for any sb with a NULL sb->s_fs_info. Paul > > Reported-by: Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> > Signed-off-by: Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> > --- > kernel/cgroup.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/kernel/cgroup.c b/kernel/cgroup.c > index 5a54ff4..42fd3f2 100644 > --- a/kernel/cgroup.c > +++ b/kernel/cgroup.c > @@ -1122,8 +1122,8 @@ static void cgroup_kill_sb(struct super_block *sb) { > > mutex_unlock(&cgroup_mutex); > > - kfree(root); > kill_litter_super(sb); > + kfree(root); > } > > static struct file_system_type cgroup_fs_type = { > -- > 1.5.4.rc3 > ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free [not found] ` <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> 2009-02-10 10:15 ` Paul Menage @ 2009-02-11 0:01 ` Paul Menage 1 sibling, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 0:01 UTC (permalink / raw) To: Li Zefan; +Cc: Linux Containers, Andrew Morton, Al Viro, LKML On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> wrote: > In cgroup_kill_sb(), root is freed before sb is detached from the list, > so another sget() may find this sb and call cgroup_test_super(), > which will access the root that has been freed. > > Reported-by: Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> > Signed-off-by: Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> Acked-by: Paul Menage <menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> Seems like the safest fix. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH] cgroups: fix possible use after free 2009-02-10 9:31 [PATCH] cgroups: fix possible use after free Li Zefan 2009-02-10 10:15 ` Paul Menage [not found] ` <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> @ 2009-02-11 0:01 ` Paul Menage 2 siblings, 0 replies; 14+ messages in thread From: Paul Menage @ 2009-02-11 0:01 UTC (permalink / raw) To: Li Zefan; +Cc: Andrew Morton, Al Viro, LKML, Linux Containers On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan <lizf@cn.fujitsu.com> wrote: > In cgroup_kill_sb(), root is freed before sb is detached from the list, > so another sget() may find this sb and call cgroup_test_super(), > which will access the root that has been freed. > > Reported-by: Al Viro <viro@ZenIV.linux.org.uk> > Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> Acked-by: Paul Menage <menage@google.com> Seems like the safest fix. Paul ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH] cgroups: fix possible use after free @ 2009-02-10 9:31 Li Zefan 0 siblings, 0 replies; 14+ messages in thread From: Li Zefan @ 2009-02-10 9:31 UTC (permalink / raw) To: Andrew Morton; +Cc: Linux Containers, Paul Menage, Al Viro, LKML In cgroup_kill_sb(), root is freed before sb is detached from the list, so another sget() may find this sb and call cgroup_test_super(), which will access the root that has been freed. Reported-by: Al Viro <viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> Signed-off-by: Li Zefan <lizf-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org> --- kernel/cgroup.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 5a54ff4..42fd3f2 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -1122,8 +1122,8 @@ static void cgroup_kill_sb(struct super_block *sb) { mutex_unlock(&cgroup_mutex); - kfree(root); kill_litter_super(sb); + kfree(root); } static struct file_system_type cgroup_fs_type = { -- 1.5.4.rc3 ^ permalink raw reply related [flat|nested] 14+ messages in thread
end of thread, other threads:[~2009-02-11 1:54 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-02-10 9:31 [PATCH] cgroups: fix possible use after free Li Zefan
2009-02-10 10:15 ` Paul Menage
[not found] ` <6599ad830902100215o185edd31k8731e033717dbb49-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-02-10 12:45 ` Al Viro
2009-02-10 12:45 ` Al Viro
[not found] ` <20090210124527.GA28946-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2009-02-11 0:01 ` Paul Menage
2009-02-11 0:01 ` Paul Menage
[not found] ` <6599ad830902101601i294ffaa5xd01611c5121a5685-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-02-11 1:19 ` Al Viro
2009-02-11 1:19 ` Al Viro
[not found] ` <20090211011933.GB28946-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2009-02-11 1:54 ` Paul Menage
2009-02-11 1:54 ` Paul Menage
[not found] ` <4991497B.4030200-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2009-02-10 10:15 ` Paul Menage
2009-02-11 0:01 ` Paul Menage
2009-02-11 0:01 ` Paul Menage
2009-02-10 9:31 Li Zefan
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.