From: Linus Torvalds <firstname.lastname@example.org> To: Hillf Danton <email@example.com> Cc: "Eric W. Biederman" <firstname.lastname@example.org>, Linux Kernel Mailing List <email@example.com>, Alexey Gladkov <firstname.lastname@example.org> Subject: Re: [GIT PULL] ucount fix for v5.14-rc Date: Sat, 7 Aug 2021 08:10:53 -0700 [thread overview] Message-ID: <CAHk-=wh+z6ePDWhCX-EfypR-9VyHf8j_cQyOETOHtSzC6LPNAQ@mail.gmail.com> (raw) In-Reply-To: <email@example.com> On Sat, Aug 7, 2021 at 2:11 AM Hillf Danton <firstname.lastname@example.org> wrote: > > > CPU0 CPU1 CPU2 > ---- ---- ---- > given count == 2 > put uc > put uc > get uc > UAF No. The thread on CPU0 must have had a reference to the ucount. So if CPU1 and CPU2 are doing a put at the same time (and they held a ref to it too), then the starting count must have been at least 3. In other words, the above would be a bug - and not because of the UAF, but because somebody had screwed up their reference counts. You might as well had said "given count = 2, do 99x put_ucounts() -> UAF". True, but immaterial from the standpoint of "put_ucounts()" correctness. Get it? You can't do a "get_ucounts()" on something that you don't already have a reference to (and similarly, you obviously cannot do a "put_ucounts()" on something you don't hold a reference to). You *can* do a "find_ucount()" to find a ucount that you don't yet have a reference to, but that's why you have to hold the lock (and why anybody who does that has to increment the reference to it after finding it before they drop the lock). Linus
next prev parent reply other threads:[~2021-08-07 15:12 UTC|newest] Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-08-05 17:15 Eric W. Biederman 2021-08-05 19:26 ` pr-tracker-bot [not found] ` <email@example.com> 2021-08-06 3:38 ` Eric W. Biederman [not found] ` <firstname.lastname@example.org> 2021-08-06 17:37 ` Linus Torvalds [not found] ` <email@example.com> 2021-08-07 8:23 ` Linus Torvalds [not found] ` <firstname.lastname@example.org> 2021-08-07 15:10 ` Linus Torvalds [this message] [not found] ` <email@example.com> 2021-08-08 1:00 ` Linus Torvalds [not found] ` <firstname.lastname@example.org> 2021-08-08 1:45 ` Linus Torvalds 2021-08-08 2:05 ` Linus Torvalds
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAHk-=wh+z6ePDWhCX-EfypR-9VyHf8j_cQyOETOHtSzC6LPNAQ@mail.gmail.com' \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [GIT PULL] ucount fix for v5.14-rc' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).