Re: timerfd: use-after-free in timerfd_remove_cancel

From: Dmitry Vyukov
Date: Tue Jan 31 2017 - 07:10:22 EST

Next message: Rafael J. Wysocki: "Re: [Intel-gfx] [Linux v4.10.0-rc1+] Still call-traces after suspend-resume (pm? i915? cpu/hotplug?)"
Previous message: Joe Perches: "Re: [PATCH 001] staging: wlan-ng: Add tabstop preceding the statement"
In reply to: Thomas Gleixner: "Re: timerfd: use-after-free in timerfd_remove_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jan 31, 2017 at 12:45 PM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> On Tue, 31 Jan 2017, Thomas Gleixner wrote:
>
>> On Mon, 30 Jan 2017, Dmitry Vyukov wrote:
>> >
>> > Seems that ctx->might_cancel is racy.
>>
>> Yes, it is. Fix below.
>
> And the fix is racy as well. Darn, we really need to lock the context to
> avoid that mess.

Yes. I think we need to lock most of timerfd_settime. Otherwise we can
end up with a timer that needs to be in the cancel list, but it is
actually not; or vice versa.

Next message: Rafael J. Wysocki: "Re: [Intel-gfx] [Linux v4.10.0-rc1+] Still call-traces after suspend-resume (pm? i915? cpu/hotplug?)"
Previous message: Joe Perches: "Re: [PATCH 001] staging: wlan-ng: Add tabstop preceding the statement"
In reply to: Thomas Gleixner: "Re: timerfd: use-after-free in timerfd_remove_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]