Re: [PATCH] cgroup: fix use-after-free when umounting cgroupfs

From: Tejun Heo
Date: Fri Apr 26 2013 - 14:59:32 EST


On Fri, Apr 26, 2013 at 10:54:11AM +0800, Li Zefan wrote:
> Try:
> # mount -t cgroup xxx /cgroup
> # mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup
>
> And you might see this:
>
> ida_remove called for id=1 which is not allocated.
>
> It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
> and free cgrp->root before ida_simple_removed() is called. What's
> worse is we're accessing cgrp->root while it has been freed.
>
> Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>

Applied to cgroup/for-3.10.

Thanks.

--
tejun