From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] mnt: Fix a memory stomp in umount
Date: Thu, 18 Dec 2014 20:01:10 +0000 [thread overview]
Message-ID: <20141218200110.GO22149@ZenIV.linux.org.uk> (raw)
In-Reply-To: <87d27gkia8.fsf@x220.int.ebiederm.org>
On Thu, Dec 18, 2014 at 10:57:19AM -0600, Eric W. Biederman wrote:
>
> While reviewing the code of umount_tree I realized that when we append
> to a preexisting unmounted list we do not change pprev of the former
> first item in the list.
>
> Which means later in namespace_unlock hlist_del_init(&mnt->mnt_hash) on
> the former first item of the list will stomp unmounted.first leaving
> it set to some random mount point which we are likely to free soon.
>
> This isn't likely to hit, but if it does I don't know how anyone could
> track it down.
All you need for that kind of loop to work is correct -next on all elements.
Seriously. Even correct first->pprev is not needed. Look:
struct hlist_head head = unmounted;
if (likely(hlist_empty(&head))) // no dereferences of ppre *or* next
sod off
head.first->pprev = &head.first; // pprev of the first is valid now
INIT_HLIST_HEAD(&unmounted);
hlist_for_each_entry(mnt, &head, mnt_hash)
if (mnt->mnt_ex_mountpoint.mnt)
mntget(mnt->mnt_ex_mountpoint.mnt);
// only needed ->next for that loop
...
while (!hlist_empty(&head)) {
mnt = hlist_entry(head.first, struct mount, mnt_hash);
hlist_del_init(&mnt->mnt_hash);
...
}
Now, we certainly need pprev of the first to be correct for hlist_del_init()
to work. What we do not need is correctness of pprev of the second as we
call hlist_del_init(). And _after_ hlist_del_init() pprev of what used to
be the second (the first, now) is healed.
So we actually are OK here.
next prev parent reply other threads:[~2014-12-18 20:01 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-18 16:57 [PATCH] mnt: Fix a memory stomp in umount Eric W. Biederman
[not found] ` <CA+55aFz6grtss0SXqOizXMOOF4sxT3FC4GC4NCiMF2Huy1vE4A@mail.gmail.com>
2014-12-18 18:41 ` Linus Torvalds
2014-12-18 19:24 ` Eric W. Biederman
2014-12-18 19:34 ` Linus Torvalds
2014-12-18 21:05 ` Al Viro
2014-12-18 21:18 ` Eric W. Biederman
2014-12-19 0:02 ` Al Viro
2014-12-19 0:03 ` Al Viro
2015-01-02 21:06 ` Eric W. Biederman
2015-01-02 21:13 ` Al Viro
2015-01-02 21:56 ` Eric W. Biederman
2014-12-18 20:01 ` Al Viro [this message]
2014-12-18 20:15 ` Al Viro
2014-12-18 20:40 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141218200110.GO22149@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.