From: Eric Biggers <ebiggers@kernel.org>
To: Lokesh Gidra <lokeshgidra@google.com>
Cc: viro@zeniv.linux.org.uk, stephen.smalley.work@gmail.com,
casey@schaufler-ca.com, jmorris@namei.org,
kaleshsingh@google.com, dancol@dancol.org, surenb@google.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
nnk@google.com, jeffv@google.com, calin@google.com,
kernel-team@android.com, yanfei.xu@windriver.com,
syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
Subject: Re: [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC
Date: Tue, 4 Aug 2020 13:45:43 -0700 [thread overview]
Message-ID: <20200804204543.GA1992048@gmail.com> (raw)
In-Reply-To: <20200804203155.2181099-1-lokeshgidra@google.com>
On Tue, Aug 04, 2020 at 01:31:55PM -0700, Lokesh Gidra wrote:
> when get_unused_fd_flags returns error, ctx will be freed by
> userfaultfd's release function, which is indirectly called by fput().
> Also, if anon_inode_getfile_secure() returns an error, then
> userfaultfd_ctx_put() is called, which calls mmdrop() and frees ctx.
>
> Also, the O_CLOEXEC was inadvertently added to the call to
> get_unused_fd_flags() [1].
>
> Adding Al Viro's suggested-by, based on [2].
>
> [1] https://lore.kernel.org/lkml/1f69c0ab-5791-974f-8bc0-3997ab1d61ea@dancol.org/
> [2] https://lore.kernel.org/lkml/20200719165746.GJ2786714@ZenIV.linux.org.uk/
>
> Fixes: d08ac70b1e0d (Wire UFFD up to SELinux)
> Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
> Reported-by: syzbot+75867c44841cb6373570@syzkaller.appspotmail.com
> Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
What branch does this patch apply to? Neither mainline nor linux-next works.
- Eric
next prev parent reply other threads:[~2020-08-04 20:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-04 20:31 [PATCH] Userfaultfd: Avoid double free of userfault_ctx and remove O_CLOEXEC Lokesh Gidra
2020-08-04 20:45 ` Eric Biggers [this message]
2020-08-04 20:49 ` Lokesh Gidra
2020-08-04 20:58 ` Eric Biggers
2020-08-04 23:34 ` Lokesh Gidra
2020-08-05 3:47 ` Aleksa Sarai
2020-08-05 4:08 ` Eric Biggers
2020-08-05 4:54 ` Lokesh Gidra
2020-08-06 23:59 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200804204543.GA1992048@gmail.com \
--to=ebiggers@kernel.org \
--cc=calin@google.com \
--cc=casey@schaufler-ca.com \
--cc=dancol@dancol.org \
--cc=jeffv@google.com \
--cc=jmorris@namei.org \
--cc=kaleshsingh@google.com \
--cc=kernel-team@android.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=nnk@google.com \
--cc=stephen.smalley.work@gmail.com \
--cc=surenb@google.com \
--cc=syzbot+75867c44841cb6373570@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yanfei.xu@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.