From: Dave Jones <davej@redhat.com>
To: Jan Kara <jack@suse.cz>
Cc: Jiri Kosina <jkosina@suse.cz>,
Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: fanotify use after free.
Date: Tue, 28 Jan 2014 10:24:08 -0500
Message-ID: <20140128152408.GA16534@redhat.com>
In-Reply-To: <20140128145327.GC13676@quack.suse.cz>
On Tue, Jan 28, 2014 at 03:53:27PM +0100, Jan Kara wrote:
> On Tue 28-01-14 12:07:51, Jiri Kosina wrote:
> > On Tue, 28 Jan 2014, Jan Kara wrote:
> >
> > > > 2b:* 4d 8b 64 c6 08 mov 0x8(%r14,%rax,8),%r12 <-- trapping instruction
> > > >
> > > > R14 is 0x6b6b6b6b6b6b6c03, which looks like a use-after-free.
> > > Yup. But I'm somewhat puzzled by the trace. We crash when calling
> > > fsnotify_destroy_event() from fanotify_handle_event(). The fsnotify code
> > > has been called from do_sys_open() so the event was a 'FS_OPEN' which fails
> > > the fsn_event->mask & FAN_ALL_PERM_EVENTS test.
> > >
> > > Slapping my forehead, that's a really stupid bug. The event
> > > fsnotify_add_notify_event() returns may be freed by the time we return
> > > because we already dropped the notification mutex. And then fsn_event->mask
> > > & FAN_ALL_PERM_EVENTS test will pass because FAN_ALL_PERM_EVENTS matches
> > > with the poison pattern 0x6b6b6b6b. So yet another hacked up version of
> > > fanotify fix is attached. And I have to seriously think about use counts
> > > for fanotify version of that struct.
> >
> > With the fixed version of the patch, all the fanotify-related oopses are
> > gone on my system.
> Thanks for testing. So now I have to come up with something mergeable :)
Yep, looks good to me too. Thanks.
Dave
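The race Jan describes, reduced to a user-space C model. This is an added illustration, not code from the thread or from the kernel: the mask constants are the UAPI values from <linux/fanotify.h> and <linux/fsnotify_backend.h>, 0x6b is SLUB's POISON_FREE byte, and add_notify_event_and_drop_lock() is a hypothetical stand-in for fsnotify_add_notify_event() in which the reader always frees the event before the caller looks at it again.

```c
#include <stdint.h>
#include <string.h>

/* Mask bits as defined in the kernel UAPI headers. */
#define FS_OPEN             0x00000020u
#define FAN_OPEN_PERM       0x00010000u
#define FAN_ACCESS_PERM     0x00020000u
#define FAN_ALL_PERM_EVENTS (FAN_OPEN_PERM | FAN_ACCESS_PERM)

/* SLUB fills freed objects with this byte when slab poisoning is on;
 * it is where the 0x6b6b... pattern in R14 comes from. */
#define POISON_FREE 0x6b

struct fsnotify_event { uint32_t mask; };

/* One slab object standing in for the kmalloc'ed event. */
static struct fsnotify_event slab_slot;

/* Hypothetical stand-in for fsnotify_add_notify_event(): once the
 * notification mutex is dropped, a reader may consume and kfree() the
 * event. Here the reader always wins the race; we poison the memory
 * instead of freeing it so the stale read stays observable. */
static void add_notify_event_and_drop_lock(struct fsnotify_event *event)
{
    memset(event, POISON_FREE, sizeof(*event));
}

/* Buggy pattern: the permission test dereferences the event pointer
 * after the event may already have been freed. For a plain FS_OPEN the
 * test should fail, but 0x6b6b6b6b has bits 16 and 17 set, so it passes.
 * Returns 1 if the permission-event path would be taken. */
int handle_event_buggy(uint32_t mask)
{
    struct fsnotify_event *event = &slab_slot;
    event->mask = mask;
    add_notify_event_and_drop_lock(event);
    return (event->mask & FAN_ALL_PERM_EVENTS) != 0;  /* reads poison */
}

/* Fixed pattern: decide from the mask value we were handed while it is
 * still ours, never through a pointer whose lifetime we no longer own. */
int handle_event_fixed(uint32_t mask)
{
    struct fsnotify_event *event = &slab_slot;
    event->mask = mask;
    int is_perm = (mask & FAN_ALL_PERM_EVENTS) != 0;  /* local copy */
    add_notify_event_and_drop_lock(event);
    return is_perm;
}
```

The same freed-memory read could be caught at runtime in the kernel with KASAN or slab poisoning plus a mask sanity check; the fix direction is to stop touching the event after the lock is dropped, or to hold a reference to it.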