Re: timerfd: use-after-free in timerfd_remove_cancel

2017-01-31 Thread Dmitry Vyukov
On Tue, Jan 31, 2017 at 12:45 PM, Thomas Gleixner wrote: > On Tue, 31 Jan 2017, Thomas Gleixner wrote: > >> On Mon, 30 Jan 2017, Dmitry Vyukov wrote: >> > >> > Seems that ctx->might_cancel is racy. >> >> Yes, it is. Fix below. > > And the fix is racy as well. Darn, we really need to lock the

Re: timerfd: use-after-free in timerfd_remove_cancel

2017-01-31 Thread Thomas Gleixner
On Tue, 31 Jan 2017, Thomas Gleixner wrote: > On Mon, 30 Jan 2017, Dmitry Vyukov wrote: > > > > Seems that ctx->might_cancel is racy. > > Yes, it is. Fix below. And the fix is racy as well. Darn, we really need to lock the context to avoid that mess.

Re: timerfd: use-after-free in timerfd_remove_cancel

2017-01-31 Thread Thomas Gleixner
On Mon, 30 Jan 2017, Dmitry Vyukov wrote: > > Seems that ctx->might_cancel is racy. Yes, it is. Fix below. 8<--- --- a/fs/timerfd.c +++ b/fs/timerfd.c @@ -40,9 +40,12 @@ struct timerfd_ctx { short unsigned settime_flags; /* to show in fdinfo */ struct rcu_head
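Review bot: the struct timerfd_ctx hunk (@@ -40,9 +40,12 @@) grows the struct by three lines, but the patch as reproduced here is cut off right after the `struct rcu_head` context, so nothing visible says what serializes access to the new state; the follow-up in this same thread concedes that this fix is racy as well and that the context needs to be locked, so whatever is added next to `short unsigned settime_flags; /* to show in fdinfo */` should carry a comment naming the lock that protects it, and the test-and-clear of ctx->might_cancel should be done under that lock rather than as a bare flag check.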

Re: timerfd: use-after-free in timerfd_remove_cancel

2017-01-31 Thread Dmitry Vyukov
On Tue, Jan 31, 2017 at 3:06 AM, Mateusz Guzik wrote: > On Mon, Jan 30, 2017 at 07:41:59PM +0100, Dmitry Vyukov wrote: >> Hello, >> >> The following program triggers use-after-free in timerfd_remove_cancel: >>

Re: timerfd: use-after-free in timerfd_remove_cancel

2017-01-30 Thread Mateusz Guzik
On Mon, Jan 30, 2017 at 07:41:59PM +0100, Dmitry Vyukov wrote: > Hello, > > The following program triggers use-after-free in timerfd_remove_cancel: > https://gist.githubusercontent.com/dvyukov/202576d437c84ffbbe52e9ccd77e1b44/raw/5562bff8626a73627157331ea2b837f59080ac84/gistfile1.txt > > BUG:

timerfd: use-after-free in timerfd_remove_cancel

2017-01-30 Thread Dmitry Vyukov
Hello, The following program triggers use-after-free in timerfd_remove_cancel: https://gist.githubusercontent.com/dvyukov/202576d437c84ffbbe52e9ccd77e1b44/raw/5562bff8626a73627157331ea2b837f59080ac84/gistfile1.txt BUG: KASAN: use-after-free in __list_del include/linux/list.h:104 [inline] at addr
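Added illustration of the bug class the thread is about, written for this page and not taken from the report, the gist, or fs/timerfd.c: a context carries a might_cancel flag that is read and then acted on as two separate operations, so two racing paths can both observe it set and both unlink the same list node, the second unlink writing through stale pointers (the __list_del use-after-free KASAN flagged). The list, the ctx struct, the two-actor stepper and the schedule strings are all constructed for the example; the "locked" variant stands in for the thread's conclusion that the test-and-clear must happen under a per-context lock.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal doubly linked list modelled on the kernel's struct list_head.
 * Constructed for this example; not the kernel's code. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Unlink and poison, as list_del() does.  Instead of writing through the
 * poisoned pointers on a second removal (the use-after-free in __list_del),
 * count it, the way a CONFIG_DEBUG_LIST-style validity check would. */
static int double_del_count;

static void list_del_checked(struct list_head *n)
{
    if (n->next == NULL || n->prev == NULL) {
        double_del_count++;
        return;
    }
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Stand-in for the relevant part of timerfd_ctx (hypothetical layout). */
struct ctx {
    bool might_cancel;        /* plays the role of ctx->might_cancel */
    struct list_head clist;   /* node on a global cancel list */
};

static struct list_head cancel_list;

static void ctx_init(struct ctx *c)
{
    list_init(&cancel_list);
    c->might_cancel = true;
    list_add(&c->clist, &cancel_list);
    double_del_count = 0;
}

/* One racing path (e.g. a settime and a release), driven one step at a time
 * so the interleaving is explicit and deterministic. */
struct actor { int step; bool saw_cancel; };

/* Unfixed: the flag test (step 0) and the clear+unlink (step 1) are separate
 * steps, so another actor can read might_cancel still set in between. */
static void racy_step(struct ctx *c, struct actor *a)
{
    if (a->step == 0) {
        a->saw_cancel = c->might_cancel;
    } else if (a->step == 1 && a->saw_cancel) {
        c->might_cancel = false;
        list_del_checked(&c->clist);
    }
    a->step++;
}

/* Fixed: test, clear and unlink form one critical section (a single
 * indivisible step here stands in for lock/unlock of a per-context lock),
 * so the second actor to enter finds might_cancel already clear. */
static void locked_step(struct ctx *c, struct actor *a)
{
    if (a->step == 0 && c->might_cancel) {
        c->might_cancel = false;
        list_del_checked(&c->clist);
    }
    a->step++;
}

/* Drive actors A and B under a schedule string such as "ABAB" and return
 * how many double unlinks the list layer caught. */
static int run(const char *schedule, void (*step)(struct ctx *, struct actor *))
{
    struct ctx c;
    struct actor a = {0, false}, b = {0, false};

    ctx_init(&c);
    for (const char *p = schedule; *p; p++)
        step(&c, *p == 'A' ? &a : &b);
    return double_del_count;
}

int main(void)
{
    printf("racy,   ABAB: %d double unlink(s)\n", run("ABAB", racy_step));
    printf("racy,   AABB: %d double unlink(s)\n", run("AABB", racy_step));
    printf("locked, ABAB: %d double unlink(s)\n", run("ABAB", locked_step));
    return 0;
}
```

The "AABB" schedule (each path runs to completion before the other starts) is the benign case the flag was meant to handle; "ABAB" is the interleaving the syzkaller reproducer hits, and only the locked variant survives it.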
