Committed by Hou Tao
euler inclusion
category: bugfix
bugzilla: 14007
CVE: NA

-------------------------------------------------

Process fork and cgroup migration can happen simultaneously, and in the
following case use-after-free of css_set is possible:

CPU 0: process fork                        CPU 1: cgroup migration

dup_fd                                     __cgroup1_procs_write(threadgroup=false)
  files_cgroup_assign // task A
    task_lock
    task_cgroup(current, files_cgrp_id)
      css_set = task_css_set_check()
                                           cgroup_migrate_execute
                                             files_cgroup_can_attach
                                             css_set_move_task
                                               put_css_set_locked()
                                             files_cgroup_attach // task B which is in the same
                                                                 // thread group as task A
                                               task_lock
                                           cgroup_migrate_finish
                                             // the css_set will be freed
                                             put_css_set_locked()
      // use-after-free
      css_set->subsys[files_cgrp_id]

Fix it by using task_get_css() instead to get a valid css.

Fixes: 52cc1eccf6de ("cgroups: Resource controller for open files")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Reviewed-by: luojiajun <luojiajun3@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>

a8453b17
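The bug class in the commit message, a pointer looked up without taking a reference and then dereferenced after a concurrent path dropped the last reference, can be replayed in user space. The following is an added example, not code from the kernel or from this commit: every type and function in it (css_set_get, css_set_put, task_css_set_borrow, task_css_set_get, migrate_task, replay_race) is a hypothetical model that only mimics the reference-count pattern. It replays the interleaving once with the borrowed pointer (the old behaviour) and once with a held reference (the shape of the task_get_css() fix), and reports whether the dereference hit a freed object.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Hypothetical user-space model of the race in the commit message.
 * None of these names are the kernel's; they only mimic the reference
 * counting around css_set, task_css_set_check() and task_get_css().
 */
struct css {
    int id;
};

struct css_set {
    int refcount;
    bool freed;             /* models the object having been kfree()d by the last put */
    struct css *subsys[1];  /* models css_set->subsys[files_cgrp_id] */
};

struct task {
    struct css_set *cset;   /* the task's current css_set; the task holds one reference */
};

static struct css_set *css_set_get(struct css_set *cset)
{
    cset->refcount++;
    return cset;
}

static void css_set_put(struct css_set *cset)
{
    if (--cset->refcount == 0)
        cset->freed = true; /* where the kernel would free the memory */
}

/* Unsafe pattern: hand back the task's css_set without taking a reference. */
static struct css_set *task_css_set_borrow(const struct task *t)
{
    return t->cset;
}

/* Fixed pattern: take a reference so the object stays alive until we put it. */
static struct css_set *task_css_set_get(const struct task *t)
{
    return css_set_get(t->cset);
}

/* Migration side: move the task onto new_cset and drop its reference to the old one. */
static void migrate_task(struct task *t, struct css_set *new_cset)
{
    struct css_set *old = t->cset;

    t->cset = css_set_get(new_cset);
    css_set_put(old);
}

/*
 * Replay the interleaving: the reader ("CPU 0") looks up the css_set, the
 * migration ("CPU 1") runs to completion, then the reader dereferences what
 * it holds. Returns the subsystem id it read, or -1 if the object had already
 * been freed, which is the point where the real kernel has a use-after-free.
 */
static int replay_race(bool take_reference)
{
    struct css a_css = { .id = 1 };
    struct css a_css_unused = { .id = 0 };
    struct css b_css = { .id = 2 };
    struct css_set old_set = { .refcount = 1, .freed = false, .subsys = { &a_css } };
    struct css_set new_set = { .refcount = 1, .freed = false, .subsys = { &b_css } };
    struct task t = { .cset = &old_set };
    struct css_set *cset;
    int result;

    (void)a_css_unused;

    cset = take_reference ? task_css_set_get(&t) : task_css_set_borrow(&t);

    migrate_task(&t, &new_set); /* CPU 1: old_set loses the task's reference */

    result = cset->freed ? -1 : cset->subsys[0]->id;

    if (take_reference)
        css_set_put(cset);      /* balance the reference we took */
    return result;
}
```

With take_reference false the reader's pointer outlives the only reference and the dereference lands on a freed object; with take_reference true the extra reference keeps the old set alive across the migration, and the reader releases it afterwards, which is the invariant the commit restores by switching to task_get_css().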