From: Al Viro
Subject: Re: [PATCH] cgroups: fix possible use after free
Date: Tue, 10 Feb 2009 12:45:27 +0000
Message-ID: <20090210124527.GA28946@ZenIV.linux.org.uk>
References: <4991497B.4030200@cn.fujitsu.com> <6599ad830902100215o185edd31k8731e033717dbb49@mail.gmail.com>
In-Reply-To: <6599ad830902100215o185edd31k8731e033717dbb49-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
To: Paul Menage
Cc: Linux Containers, Andrew Morton, LKML
List-Id: containers.vger.kernel.org

On Tue, Feb 10, 2009 at 02:15:36AM -0800, Paul Menage wrote:
> On Tue, Feb 10, 2009 at 1:31 AM, Li Zefan wrote:
> > In cgroup_kill_sb(), root is freed before sb is detached from the list,
> > so another sget() may find this sb and call cgroup_test_super(),
> > which will access the root that has been freed.
>
> I think that I'd assumed that by the time we get to cgroup_kill_sb()
> there's no chance of the sb being resurrected by sget().

There is none. grab_super() will fail to get it, so sget() will go
through retry logic. Which doesn't mean that test won't be called on
it in the meanwhile.
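The ordering problem discussed in the thread, as an added single-threaded model that is not code from the thread or from the kernel: the types and functions below (`root_model`, `sb_model`, `test_super_model`, `sget_scan_model`, `unlink_sb_model`) are constructed stand-ins for the cgroup root, the super_block, cgroup_test_super(), the list walk inside sget() and the unlink step, and "freeing" the root is modelled by poisoning a flag rather than calling free(), so the dangling read is observed instead of being undefined behaviour. The two driver functions interleave one sget() scan between the steps of kill_sb in the buggy order (free, then unlink) and in the corrected order (unlink, then free).

```c
/* Added example (not from the thread or the kernel): a model of the
 * kill_sb / sget() ordering race. All *_model names are constructed. */
#include <stddef.h>

struct root_model {
    int freed;          /* 1 once kill_sb has "freed" this root */
    int hierarchy_id;   /* identity the test callback compares */
};

struct sb_model {
    struct sb_model *next;     /* linkage on the per-fs super_blocks list */
    struct root_model *root;   /* what the real test callback reaches through */
};

/* Result of one simulated sget()-style scan of the list. */
enum { LOOKUP_NOT_FOUND = 0, LOOKUP_FOUND = 1, LOOKUP_DANGLING = -1 };

/* Stand-in for cgroup_test_super(): compares the candidate sb's root with
 * the one the caller wants. A real callback would just dereference the
 * freed memory; here the poisoned flag turns that into a reported event. */
static int test_super_model(const struct sb_model *sb, const struct root_model *wanted)
{
    if (sb->root->freed)
        return LOOKUP_DANGLING;
    return sb->root->hierarchy_id == wanted->hierarchy_id ? LOOKUP_FOUND
                                                          : LOOKUP_NOT_FOUND;
}

/* Stand-in for the list walk inside sget(): test runs on every sb that is
 * still linked. grab_super() failing afterwards (Al Viro's point) does not
 * stop test from having already looked at the sb. */
static int sget_scan_model(struct sb_model *head, const struct root_model *wanted)
{
    for (struct sb_model *sb = head; sb; sb = sb->next) {
        int r = test_super_model(sb, wanted);
        if (r != LOOKUP_NOT_FOUND)
            return r;
    }
    return LOOKUP_NOT_FOUND;
}

/* Take sb off the singly linked list (the "detached from the list" step). */
static void unlink_sb_model(struct sb_model **head, struct sb_model *sb)
{
    for (struct sb_model **pp = head; *pp; pp = &(*pp)->next) {
        if (*pp == sb) {
            *pp = sb->next;
            sb->next = NULL;
            return;
        }
    }
}

/* Buggy order: root is freed while sb is still listed, a concurrent scan
 * runs, then sb is unlinked. Returns what the interleaved scan observed. */
static int run_buggy_order(void)
{
    struct root_model root = { 0, 7 }, wanted = { 0, 7 };
    struct sb_model sb = { NULL, &root };
    struct sb_model *list = &sb;

    root.freed = 1;                              /* free root first ...   */
    int seen = sget_scan_model(list, &wanted);   /* ... racing sget()     */
    unlink_sb_model(&list, &sb);                 /* ... unlink afterwards */
    return seen;                                 /* LOOKUP_DANGLING       */
}

/* Corrected order: unlink first, so no scan can hand sb to the test
 * callback, and free root only once nothing can reach it. */
static int run_fixed_order(void)
{
    struct root_model root = { 0, 7 }, wanted = { 0, 7 };
    struct sb_model sb = { NULL, &root };
    struct sb_model *list = &sb;

    unlink_sb_model(&list, &sb);                 /* unlink first      */
    int seen = sget_scan_model(list, &wanted);   /* racing sget()     */
    root.freed = 1;                              /* free root last    */
    return seen;                                 /* LOOKUP_NOT_FOUND  */
}
```

The model deliberately leaves out locking: in the real code the list walk and the unlink both run under the same lock, which is exactly why detaching before freeing is sufficient, and why freeing before detaching is not, regardless of whether grab_super() later refuses the sb.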