Re: KASAN: use-after-free Read in userfaultfd_release (2)

From: Daniel Colascione
Date: Mon Jul 20 2020 - 20:05:30 EST


On 7/20/20 9:00 AM, Al Viro wrote:
On Mon, Jul 13, 2020 at 04:45:12PM +0800, Hillf Danton wrote:

Bridge the gap between slab free and the fput in task work wrt
file's private data.

No. This

@@ -2048,6 +2055,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
if (fd < 0) {
+ file->private_data = NULL;
fput(file);
goto out;
}
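Review bot: clearing file->private_data before fput() in this error path papers over the real problem, which is that the `goto out` after `fput(file)` still runs the function's common exit cleanup and tears down the context a second time after the file's release op has already taken ownership of it. Once fput() has been called, the release op owns the teardown, so this branch should return the error directly instead of falling through to the shared cleanup, and the private_data = NULL line is then unnecessary. Separately, `get_unused_fd_flags(O_RDONLY | O_CLOEXEC)` hard-codes O_CLOEXEC rather than deriving it from the caller-supplied flags, which the reply below also calls out as wrong.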


is fundamentally wrong; you really shouldn't take over the cleanups
if you ever do fput().

Yep. I don't recall how the O_CLOEXEC got in there: that's indeed wrong, and probably the result of patch-editing butchery. As for the exit cleanup: yes, that's a bug. I was trying to keep the exit paths together. We could fix it forward (which seems simple enough) or re-submit.