OpenVZ Forum: Devel » [PATCH 0/4] Fix race between sk_filter reassign and sk

Home » Mailing lists » Devel » [PATCH 0/4] Fix race between sk_filter reassign and sk_clone()

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() [message #21938 is a reply to message #21864]

Thu, 18 October 2007 04:23

davem
Messages: 463
Registered: February 2006

Senior Member

From: Pavel Emelyanov <xemul@openvz.org>
Date: Wed, 17 Oct 2007 13:45:54 +0400

> The race can result in that some sock will get an sk_filter
> pointer set to kfree-d memory. Look
> 
> CPU1:                            CPU2:
> sk_clone():                      sk_attach_filter():
>   new_sk = sk_alloc(...);
>   sock_copy(new_sk, sk); 
>   /* copies the filter ptr */
>   ...
>   filter = new_sk->sk_filter;
>   if (filter)
>                                      old_fp = sk->sk_filter;
>                                      ...
>                                      sk_filter_release(old_fp);
>                                        if (atomic_dec_and_test(&old_fp->refcnt))
>      atomic_inc(&filter->refcnt);
>                                           /* true */
>                                           call_rcu(&fp->rcu, kfree);
> 
> that's it - after a quiescent state pass the new_sk will have 
> a pointer on kfree-d filter.
> 
> The same problem exists for detaching filter (SO_DETACH_FILTER).
> 
> The proposed fix consists of 3 preparation patches and the fix itself.
> 
> Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

Looks good, applied.

Thanks for fixing this bug Pavel!

Report message to a moderator

[Message index]

		[PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: Pavel Emelianov on Wed, 17 October 2007 09:45
		[PATCH 1/4] Introduce the sk_detach_filter() call By: Pavel Emelianov on Wed, 17 October 2007 09:47
		[PATCH 2/4] Move the filter releasing into a separate call By: Pavel Emelianov on Wed, 17 October 2007 09:49
		[PATCH 3/4] Cleanup the error path in sk_attach_filter By: Pavel Emelianov on Wed, 17 October 2007 09:51
		[PATCH 4/4] Fix the race between sk_filter_(de\|at)tach and sk_clone() By: Pavel Emelianov on Wed, 17 October 2007 09:53
		Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: davem on Thu, 18 October 2007 04:23
		Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: Olof Johansson on Fri, 19 October 2007 02:29
		Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: davem on Fri, 19 October 2007 04:55
		Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: Pavel Emelianov on Fri, 19 October 2007 07:37
		Re: [PATCH 0/4] Fix race between sk_filter reassign and sk_clone() By: davem on Fri, 19 October 2007 07:52

Previous Topic:	How Inactive may be much greather than cached?
Next Topic:	Re: 2.6.23-mm1 s390 driver problem

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Fri Aug 22 07:31:09 GMT 2025

Total time taken to generate the page: 0.05691 seconds