From: Oleg Nesterov <oleg@redhat.com>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Ben Woodard <woodard@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Kees Cook <keescook@chromium.org>, Michal Hocko <mhocko@suse.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] exec: increase BINPRM_BUF_SIZE to 256
Date: Tue, 19 Feb 2019 18:36:54 +0100
Message-ID: <20190219173654.GA4314@redhat.com>
In-Reply-To: <20190219162643.GA15202@roeck-us.net>

On 02/19, Guenter Roeck wrote:
>
> On Tue, Feb 19, 2019 at 01:37:57PM +0100, Oleg Nesterov wrote:
> >
> > looks unrelated...
> >
>
> Indeed...
>
> The underlying problem is in the error handling code of ace_setup(),
> which calls put_disk() followed by blk_cleanup_queue(). put_disk()
> calls disk_release(), which calls blk_put_queue(), which in turn
> results in a call to blk_mq_hw_sysfs_release().
>
> Added debug code, with your patch reverted, shows:
>
>  ######### blk_mq_hw_sysfs_release hctx=cee4a800
>  ...
>  ######### blk_mq_run_hw_queue hctx=cee4a800
>
> blk_mq_hw_sysfs_release() calls kfree(hctx), so accessing it later is most
> definitely not a good idea.

Thanks!

> No idea why this only causes problems with your patch applied.

Well... blk_put_queue() may trigger kobject_uevent() which does call_usermodehelper.

So if one of the used-after-free data structures was already re-allocated as
linux_binprm, then with my patch it can look "more corrupted"...

But honestly, I too have no idea.

Thanks Guenter.

Oleg.
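The teardown ordering Guenter describes above, as an added example that is not part of this thread and not the kernel's or the xsysace driver's own code: a deliberately simplified C model in which a disk's last reference on its queue releases the hardware context (the stand-in for kfree(hctx) in blk_mq_hw_sysfs_release()), while the queue cleanup step still dereferences that context. All mock_* names, the single-reference accounting and the "cleanup before put" ordering shown as the clean case are assumptions made for the illustration; the thread itself does not say how the driver was fixed. The release path poisons the object instead of freeing it so the stale access is observable rather than undefined behaviour.

```c
#include <stdio.h>

/*
 * Constructed model of the error-path ordering problem discussed in the
 * thread. mock_ names are hypothetical stand-ins for put_disk() ->
 * disk_release() -> blk_put_queue() -> blk_mq_hw_sysfs_release() and for
 * blk_cleanup_queue() -> blk_mq_run_hw_queue(). They do not reproduce the
 * kernel's real reference accounting.
 */

struct mock_hctx {
    int live;   /* 1 while allocated; 0 once the release path "freed" it */
    int runs;   /* how many times the hardware queue was run */
};

struct mock_queue {
    int refcount;            /* dropping the last reference releases the hctx */
    int dead;                /* set by cleanup: no new work may be queued */
    struct mock_hctx *hctx;
};

struct mock_disk {
    struct mock_queue *queue;
};

/* Counts accesses to an hctx that had already been released. */
static int mock_uaf_hits;

/* Stand-in for blk_mq_hw_sysfs_release(): the real one calls kfree(hctx).
 * Poisoning instead of freeing keeps the stale access observable. */
static void mock_hw_sysfs_release(struct mock_hctx *hctx)
{
    hctx->live = 0;
}

/* Stand-in for blk_put_queue(): release the hctx on the last reference. */
static void mock_put_queue(struct mock_queue *q)
{
    if (--q->refcount == 0)
        mock_hw_sysfs_release(q->hctx);
}

/* Stand-in for put_disk() -> disk_release() -> blk_put_queue(). */
static void mock_put_disk(struct mock_disk *d)
{
    mock_put_queue(d->queue);
}

/* Stand-in for blk_mq_run_hw_queue(): dereferences the hctx. */
static void mock_run_hw_queue(struct mock_hctx *hctx)
{
    if (!hctx->live) {
        mock_uaf_hits++;   /* this is the use-after-free the debug output showed */
        return;
    }
    hctx->runs++;
}

/* Stand-in for blk_cleanup_queue(): drain work (which runs the hw queue)
 * and mark the queue dead. In this model it drops no reference. */
static void mock_cleanup_queue(struct mock_queue *q)
{
    mock_run_hw_queue(q->hctx);
    q->dead = 1;
}

/*
 * Run the error path of a hypothetical setup routine in one of the two
 * orders and return how many accesses hit a released hctx (0 means clean).
 */
int error_path_uaf_count(int put_disk_first)
{
    struct mock_hctx hctx = { .live = 1, .runs = 0 };
    struct mock_queue q = { .refcount = 1, .dead = 0, .hctx = &hctx };
    struct mock_disk d = { .queue = &q };

    mock_uaf_hits = 0;
    if (put_disk_first) {
        mock_put_disk(&d);       /* refcount 1 -> 0: hctx released here */
        mock_cleanup_queue(&q);  /* runs the hw queue on the released hctx */
    } else {
        mock_cleanup_queue(&q);  /* hctx still live: drained, queue marked dead */
        mock_put_disk(&d);       /* last reference dropped, hctx released */
    }
    return mock_uaf_hits;
}

int main(void)
{
    printf("put_disk() before blk_cleanup_queue(): %d stale hctx access(es)\n",
           error_path_uaf_count(1));
    printf("blk_cleanup_queue() before put_disk(): %d stale hctx access(es)\n",
           error_path_uaf_count(0));
    return 0;
}
```

The point the model isolates is the one Oleg's remark about call_usermodehelper depends on: once the release path has run, whatever memory the hctx occupied is free to be reused, so the second step of the error path is not merely touching stale data but possibly someone else's freshly allocated object. Poisoning in the model plays the role that KASAN or slab poisoning would play on a real kernel, turning a silent stale access into a reported one.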


Thread overview: 19+ messages
2018-11-12 16:09 [PATCH 1/2] exec: load_script: don't blindly truncate shebang string Oleg Nesterov
2018-11-12 16:09 ` [PATCH 2/2] exec: increase BINPRM_BUF_SIZE to 256 Oleg Nesterov
2018-11-12 23:52   ` Andrew Morton
2018-11-13  5:03     ` Kees Cook
2018-11-13 16:55     ` Oleg Nesterov
2018-11-13 20:43       ` Andrew Morton
2018-11-14 15:54         ` Oleg Nesterov
2018-11-14 16:01           ` Michal Hocko
2018-11-13 10:29   ` Michal Hocko
2018-11-16 17:49   ` Alan Cox
2018-11-22 12:15     ` Oleg Nesterov
     [not found]     ` <20181121160753.GA32685@asgard.redhat.com>
     [not found]       ` <CAKgNAkhFikJXeOx3W3yL3EUKa9ruXtAw93m4M=N+3Kg-bXbPDQ@mail.gmail.com>
2018-11-22 17:32         ` [PATCH] execve.2: document an effect of BINPRM_BUF_SIZE increase " Eugene Syromiatnikov
2019-02-18 19:37   ` [PATCH 2/2] exec: increase BINPRM_BUF_SIZE " Guenter Roeck
2019-02-19 12:37     ` Oleg Nesterov
2019-02-19 16:26       ` Guenter Roeck
2019-02-19 17:36         ` Oleg Nesterov [this message]
2018-11-13 10:27 ` [PATCH 1/2] exec: load_script: don't blindly truncate shebang string Michal Hocko
2018-11-13 16:41   ` Oleg Nesterov
2018-11-13 20:16 ` Kees Cook
