[PATCH] cgroup: fix use-after-free when umounting cgroupfs

public inbox for cgroups@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] cgroup: fix use-after-free when umounting cgroupfs
@ 2013-04-26  2:54 Li Zefan
       [not found] ` <5179EC53.6080006-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
  0 siblings, 1 reply; 2+ messages in thread
From: Li Zefan @ 2013-04-26  2:54 UTC (permalink / raw)
  To: Tejun Heo; +Cc: LKML, Cgroups

Try:
  # mount -t cgroup xxx /cgroup
  # mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup

And you might see this:

ida_remove called for id=1 which is not allocated.

It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
and free cgrp->root before ida_simple_removed() is called. What's
worse is we're accessing cgrp->root while it has been freed.

Signed-off-by: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
---
 kernel/cgroup.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 6780459..a45aa12 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -845,9 +845,12 @@ static void cgroup_free_fn(struct work_struct *work)
 	 */
 	dput(cgrp->parent->dentry);
 
+	ida_simple_remove(&cgrp->root->cgroup_ida, cgrp->id);
+	
 	/*
 	 * Drop the active superblock reference that we took when we
-	 * created the cgroup
+	 * created the cgroup. This will free cgrp->root, if we are
+	 * holding the last reference to @sb.
 	 */
 	deactivate_super(cgrp->root->sb);
 
@@ -859,7 +862,6 @@ static void cgroup_free_fn(struct work_struct *work)
 
 	simple_xattrs_free(&cgrp->xattrs);
 
-	ida_simple_remove(&cgrp->root->cgroup_ida, cgrp->id);
 	kfree(rcu_dereference_raw(cgrp->name));
 	kfree(cgrp);
 }
-- 
1.8.0.2

^ permalink raw reply related	[flat|nested] 2+ messages in thread

[parent not found: <5179EC53.6080006-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>]

* Re: [PATCH] cgroup: fix use-after-free when umounting cgroupfs
       [not found] ` <5179EC53.6080006-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
@ 2013-04-26 18:59   ` Tejun Heo
  0 siblings, 0 replies; 2+ messages in thread
From: Tejun Heo @ 2013-04-26 18:59 UTC (permalink / raw)
  To: Li Zefan; +Cc: LKML, Cgroups

On Fri, Apr 26, 2013 at 10:54:11AM +0800, Li Zefan wrote:
> Try:
>   # mount -t cgroup xxx /cgroup
>   # mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup
> 
> And you might see this:
> 
> ida_remove called for id=1 which is not allocated.
> 
> It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
> and free cgrp->root before ida_simple_removed() is called. What's
> worse is we're accessing cgrp->root while it has been freed.
> 
> Signed-off-by: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>

Applied to cgroup/for-3.10.

Thanks.

-- 
tejun

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-04-26 18:59 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-04-26  2:54 [PATCH] cgroup: fix use-after-free when umounting cgroupfs Li Zefan
     [not found] ` <5179EC53.6080006-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>
2013-04-26 18:59   ` Tejun Heo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox