* [stable] please do not merge 058504edd026 (was Re: fs: use after free in /proc/pid/mountinfo)
From: David Rientjes @ 2014-07-04 22:35 UTC (permalink / raw)
To: Sasha Levin, stable
Cc: Al Viro, Jan Kara, Dave Jones, Heiko Carstens, Andrew Morton,
Linus Torvalds, linux-kernel, linux-fsdevel
On Fri, 4 Jul 2014, Sasha Levin wrote:
> > Does this now reproduce on Linus's tree? If so, does reverting commit
> > 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") prevent this
> > issue?
> >
> > This is a use-after-free since the poison value is 0x6b and I'm presuming
> > that your /proc/self/mountinfo may be larger than PAGE_SIZE in your
> > testing environment.
> >
>
> Good call, reverting that patch made both issues go away.
>
Thanks for checking, Sasha.

Stable maintainers, please do not merge commit 058504edd026 ("fs/seq_file:
fallback to vmalloc allocation") that is annotated with a cc for
stable@vger.kernel.org in Linus's tree into stable kernels.

Although we're at 3.16-rc3, I'm hoping that we can get a fix for the
use-after-free in the next couple days before asking for a revert. Sasha
confirms[*] this commit causes the bug.

Thanks.

[*] http://marc.info/?l=linux-kernel&m=140448573612154
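
[Added example, not part of any message in this thread and not kernel code.] The triage step quoted above ("the poison value is 0x6b") as a small classifier for 64-bit values from an oops register dump: with slab poisoning enabled, freed objects are filled with POISON_FREE (0x6b, from include/linux/poison.h), so an all-0x6b word, or that word plus or minus a small field offset, indicates a use-after-free. The function names, the one-page offset limit and the sample values are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Eight bytes of the slab poison values from include/linux/poison.h. */
#define FREED_WORD 0x6b6b6b6b6b6b6b6bULL /* POISON_FREE: object was freed */
#define INUSE_WORD 0x5a5a5a5a5a5a5a5aULL /* POISON_INUSE: never initialised */
/* Assumption for this example: a struct field offset is below one page. */
#define MAX_FIELD_OFFSET 0x1000ULL

enum poison_kind { NOT_POISON, UNINIT_DATA, FREED_DATA, FREED_PTR_OFFSET };

/* Classify one 64-bit value taken from an oops register dump. */
enum poison_kind classify_word(uint64_t v)
{
    uint64_t dist = v > FREED_WORD ? v - FREED_WORD : FREED_WORD - v;

    if (dist == 0)
        return FREED_DATA;       /* data read straight out of a freed object */
    if (dist < MAX_FIELD_OFFSET)
        return FREED_PTR_OFFSET; /* freed "pointer" +/- a field offset */
    if (v == INUSE_WORD)
        return UNINIT_DATA;
    return NOT_POISON;
}

/* Count the values that indicate a use-after-free. */
size_t count_freed_hits(const uint64_t *regs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        enum poison_kind k = classify_word(regs[i]);
        if (k == FREED_DATA || k == FREED_PTR_OFFSET)
            hits++;
    }
    return hits;
}

/* Constructed sample values, not taken from the report in this thread. */
const uint64_t sample_regs[] = {
    0xffff880012345678ULL, 0x6b6b6b6b6b6b6b6bULL,
    0x6b6b6b6b6b6b6b83ULL, 0x0000000000000000ULL,
};

int main(void)
{
    printf("use-after-free indicators: %zu\n",
           count_freed_hits(sample_regs, 4));
    return 0;
}
```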
* Re: [stable] please do not merge 058504edd026 (was Re: fs: use after free in /proc/pid/mountinfo)
From: Greg KH @ 2014-07-07 23:05 UTC (permalink / raw)
To: David Rientjes
Cc: Sasha Levin, stable, Al Viro, Jan Kara, Dave Jones,
Heiko Carstens, Andrew Morton, Linus Torvalds, linux-kernel,
linux-fsdevel
On Fri, Jul 04, 2014 at 03:35:54PM -0700, David Rientjes wrote:
> On Fri, 4 Jul 2014, Sasha Levin wrote:
>
> > > Does this now reproduce on Linus's tree? If so, does reverting commit
> > > 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") prevent this
> > > issue?
> > >
> > > This is a use-after-free since the poison value is 0x6b and I'm presuming
> > > that your /proc/self/mountinfo may be larger than PAGE_SIZE in your
> > > testing environment.
> > >
> >
> > Good call, reverting that patch made both issues go away.
> >
>
> Thanks for checking, Sasha.
>
> Stable maintainers, please do not merge commit 058504edd026 ("fs/seq_file:
> fallback to vmalloc allocation") that is annotated with a cc for
> stable@vger.kernel.org in Linus's tree into stable kernels.
>
> Although we're at 3.16-rc3, I'm hoping that we can get a fix for the
> use-after-free in the next couple days before asking for a revert. Sasha
> confirms[*] this commit causes the bug.

I should also drop "Subject: /proc/stat: convert to single_open_size()"
from the -stable tree, right?

thanks,

greg k-h
* Re: [stable] please do not merge 058504edd026 (was Re: fs: use after free in /proc/pid/mountinfo)
From: Andrew Morton @ 2014-07-07 23:06 UTC (permalink / raw)
To: Greg KH
Cc: David Rientjes, Sasha Levin, stable, Al Viro, Jan Kara,
Dave Jones, Heiko Carstens, Linus Torvalds, linux-kernel,
linux-fsdevel
On Mon, 7 Jul 2014 16:05:42 -0700 Greg KH <greg@kroah.com> wrote:
> On Fri, Jul 04, 2014 at 03:35:54PM -0700, David Rientjes wrote:
> > On Fri, 4 Jul 2014, Sasha Levin wrote:
> >
> > > > Does this now reproduce on Linus's tree? If so, does reverting commit
> > > > 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") prevent this
> > > > issue?
> > > >
> > > > This is a use-after-free since the poison value is 0x6b and I'm presuming
> > > > that your /proc/self/mountinfo may be larger than PAGE_SIZE in your
> > > > testing environment.
> > > >
> > >
> > > Good call, reverting that patch made both issues go away.
> > >
> >
> > Thanks for checking, Sasha.
> >
> > Stable maintainers, please do not merge commit 058504edd026 ("fs/seq_file:
> > fallback to vmalloc allocation") that is annotated with a cc for
> > stable@vger.kernel.org in Linus's tree into stable kernels.
> >
> > Although we're at 3.16-rc3, I'm hoping that we can get a fix for the
> > use-after-free in the next couple days before asking for a revert. Sasha
> > confirms[*] this commit causes the bug.
>
> I should also drop "Subject: /proc/stat: convert to single_open_size()"
> from the -stable tree, right?
>
That would be best.

I can't see how "fs: use after free in /proc/pid/mountinfo" can cause a
use-after-free so perhaps the bug lies elsewhere and was hidden by luck
(slab buffering or slab rcu-freeing or something). In which case
"fs/seq_file: fallback to vmalloc allocation" might be the patch which
added the bug.
* Re: [stable] please do not merge 058504edd026 (was Re: fs: use after free in /proc/pid/mountinfo)
From: Greg KH @ 2014-07-07 23:19 UTC (permalink / raw)
To: Andrew Morton
Cc: David Rientjes, Sasha Levin, stable, Al Viro, Jan Kara,
Dave Jones, Heiko Carstens, Linus Torvalds, linux-kernel,
linux-fsdevel
On Mon, Jul 07, 2014 at 04:06:27PM -0700, Andrew Morton wrote:
> On Mon, 7 Jul 2014 16:05:42 -0700 Greg KH <greg@kroah.com> wrote:
>
> > On Fri, Jul 04, 2014 at 03:35:54PM -0700, David Rientjes wrote:
> > > On Fri, 4 Jul 2014, Sasha Levin wrote:
> > >
> > > > > Does this now reproduce on Linus's tree? If so, does reverting commit
> > > > > 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") prevent this
> > > > > issue?
> > > > >
> > > > > This is a use-after-free since the poison value is 0x6b and I'm presuming
> > > > > that your /proc/self/mountinfo may be larger than PAGE_SIZE in your
> > > > > testing environment.
> > > > >
> > > >
> > > > Good call, reverting that patch made both issues go away.
> > > >
> > >
> > > Thanks for checking, Sasha.
> > >
> > > Stable maintainers, please do not merge commit 058504edd026 ("fs/seq_file:
> > > fallback to vmalloc allocation") that is annotated with a cc for
> > > stable@vger.kernel.org in Linus's tree into stable kernels.
> > >
> > > Although we're at 3.16-rc3, I'm hoping that we can get a fix for the
> > > use-after-free in the next couple days before asking for a revert. Sasha
> > > confirms[*] this commit causes the bug.
> >
> > I should also drop "Subject: /proc/stat: convert to single_open_size()"
> > from the -stable tree, right?
> >
>
> That would be best.

Ok, now dropped, thanks.

greg k-h