On 05/21/2013 04:48 PM, Seth Arnold wrote:
> On Wed, May 01, 2013 at 02:31:06PM -0700, John Johansen wrote:
>> Just add the labels to the tree to make sure insertions and deletions
>> into the rb tree are working.
>
>> @@ -1330,6 +1347,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
>> }
>> name = profile->base.hname;
>> __remove_profile(profile);
>> + aa_label_remove(&ns->labels, &profile->label);
>> + __aa_labelset_invalidate_all(ns, profile);
>> mutex_unlock(&ns->lock);
>> }
>
> __remove_profile() may already call __aa_label_remove():
>
> __remove_profile()
> __list_remove_profile()
> aa_put_profile()
> aa_label_kref()
> __aa_label_remove()
>
> As a result of __remove_profile(), I believe that the next reference to
> &profile->label may even be invalid:
>
Yep.
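Review bot: the two added lines in the aa_remove_profiles() hunk dereference profile after __remove_profile(), which (via __list_remove_profile() -> aa_put_profile() -> aa_label_kref()) may already have dropped the profile's reference and removed its label, so `aa_label_remove(&ns->labels, &profile->label)` and `__aa_labelset_invalidate_all(ns, profile)` can act on a label that is already gone or on a profile queued for freeing. Move both calls ahead of `__remove_profile(profile)` (they already run under ns->lock), or hold a reference on the profile across the three calls, so correctness does not depend on the RCU grace period and the IN_TREE flag happening to cover the window.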
> ...
> aa_label_kref()
> label_free_rcu()
> aa_free_profile()
> kzfree()
>
>
> I guess the RCU mechanisms might mean that the data wouldn't actually
> be reaped until after the above code has already run to completion --
> I really should re-read the RCU paper -- but the mixing of cleanup
> operations in current context vs in RCU callback is a bit more subtle
> than me. :)
>
Well, the RCU mechanism does mean the data is still live, and the IN_TREE flag
does keep it from being removed twice, but yeah, not good.

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
