Re: [PATCH] fork: fix incorrect fput of ->exe_file causing use-after-free
From: Oleg Nesterov <oleg@redhat.com>
Date: 2017-08-25 14:40:41
Also in:
linux-mm, stable
On 08/24, Eric Biggers wrote:
On Thu, Aug 24, 2017 at 03:20:41PM +0200, Oleg Nesterov wrote:quoted
On 08/23, Eric Biggers wrote:quoted
From: Eric Biggers <redacted> Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for write killable") made it possible to kill a forking task while it is waiting to acquire its ->mmap_sem for write, in dup_mmap(). However, it was overlooked that this introduced an new error path before a reference is taken on the mm_struct's ->exe_file.Hmm. Unless I am totally confused, the same problem with mm->exol_area? I'll recheck....I'm not sure what you mean by ->exol_area.
I meant mm->uprobes_state.xol_area, sorry
quoted
quoted
--- a/kernel/fork.c +++ b/kernel/fork.c@@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p, mm_init_cpumask(mm); mm_init_aio(mm); mm_init_owner(mm, p); + RCU_INIT_POINTER(mm->exe_file, NULL);Can't we simply move RCU_INIT_POINTER(mm->exe_file, get_mm_exe_file(oldmm)); from dup_mmap() here? Afaics this doesn't need mmap_sem.Two problems, even assuming that get_mm_exe_file() doesn't require mmap_sem: - If mm_alloc_pgd() or init_new_context() in mm_init() fails, mm_init() doesn't do the full mmput(), so the file reference would not be dropped. So it would need to be changed to drop the file reference too.
Ah yes, I forgot that mm_init() can fail after that, thanks for correcting me. Oleg.