Subject: fix sighand use after free

__lock_task_sighand carefully takes the rcu_read_lock, gets tsk->sighand with rcu_dereference, and verifies that the task is still using the sighand_struct after taking the spinlock.
This works much better if the sighand struct is actually rcu freed. Signed-off-by: Rik van Riel <r...@redhat.com> --- kernel/fork.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/fork.c b/kernel/fork.c index 1380d8a..754a7c6 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand) { if (atomic_dec_and_test(&sighand->count)) { signalfd_cleanup(sighand); - kmem_cache_free(sighand_cachep, sighand); + rcu_free(sighand_cachep, sighand); } } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
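Review bot: rcu_free(sighand_cachep, sighand) in the __cleanup_sighand() hunk is not a kernel API I know of, and the diffstat (one file, one line changed) shows no definition being added, so the patch will not build as posted. Deferring the free of a kmem_cache object past a grace period is normally done with call_rcu() and a callback that does the kmem_cache_free(sighand_cachep, ...), which needs a struct rcu_head member added to struct sighand_struct; kfree_rcu() is the shortcut only for kmalloc'ed memory. The changelog should also say whether sighand_cachep is created with SLAB_DESTROY_BY_RCU in proc_caches_init(): if it is, the object's memory already cannot be handed back to the allocator inside a grace period (it can only be reused for another sighand_struct), the spin_lock() followed by the tsk->sighand == sighand re-check in __lock_task_sighand() is exactly how that reuse is handled, and a second RCU-deferred free is redundant; if it is not, that is the real bug and the changelog should state it explicitly.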
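The lookup, lock, re-check protocol the commit message describes, and why the free at the end of __cleanup_sighand() has to wait for a grace period, as an added single-threaded userspace C model that is not part of the patch or of the kernel. RCU is modelled by a reader count plus a list of frees held back until no reader is inside a critical section, the siglock is a plain flag, and a hook fired between the pointer read and the lock plays the other CPU that switches tsk->sighand; every name below (model_task, model_sighand, rcu_*_model, race_hook, and so on) is invented for this example.

```c
/*
 * Added example, not part of the patch or of the kernel: a single-threaded
 * userspace model of the __lock_task_sighand() pattern. RCU is modelled by a
 * reader count plus a deferred-free list; race_hook models a concurrent
 * writer that replaces tsk->sighand while the reader is mid-lookup.
 */
#include <stdint.h>
#include <stdlib.h>

struct model_sighand {
    int locked;                      /* models sighand->siglock (single-threaded) */
    int count;                       /* models sighand->count */
    struct model_sighand *free_next; /* link on the deferred-free list */
};

struct model_task {
    struct model_sighand *sighand;   /* models tsk->sighand */
};

/* Modelled RCU state (invented for this example). */
static int rcu_readers;                        /* readers inside a critical section */
static struct model_sighand *rcu_pending;      /* frees waiting for the grace period */
static int rcu_freed_total;                    /* objects actually reclaimed so far */
static int lock_retries;                       /* races detected by the last lock call */
static void (*race_hook)(struct model_task *); /* injected concurrent writer, fires once */

static void rcu_reclaim_pending(void)
{
    while (rcu_pending) {
        struct model_sighand *s = rcu_pending;
        rcu_pending = s->free_next;
        if (s->locked)
            abort();                /* freeing a held lock would be the UAF */
        free(s);
        rcu_freed_total++;
    }
}

static void rcu_read_lock_model(void) { rcu_readers++; }

/* The last reader leaving ends the grace period: deferred frees run now. */
static void rcu_read_unlock_model(void)
{
    if (--rcu_readers == 0)
        rcu_reclaim_pending();
}

/* Deferred free: the object stays valid memory until every reader has left. */
static void rcu_free_model(struct model_sighand *s)
{
    s->free_next = rcu_pending;
    rcu_pending = s;
    if (rcu_readers == 0)
        rcu_reclaim_pending();
}

static void siglock_lock(struct model_sighand *s)
{
    if (s->locked)
        abort();                    /* a real spinlock would spin; here it is a bug */
    s->locked = 1;
}

static void siglock_unlock(struct model_sighand *s) { s->locked = 0; }

static struct model_sighand *sighand_alloc_model(void)
{
    struct model_sighand *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    s->count = 1;
    return s;
}

/* Models __cleanup_sighand() with an RCU-deferred free on the last reference.
 * Freeing immediately here would hand a concurrent reader a lock in dead memory. */
static void cleanup_sighand_model(struct model_sighand *s)
{
    if (--s->count == 0)
        rcu_free_model(s);
}

/* Models __lock_task_sighand(): dereference under RCU, lock, re-check, retry.
 * Returns the locked sighand, or NULL if the task has no sighand any more. */
static struct model_sighand *lock_task_sighand_model(struct model_task *tsk)
{
    struct model_sighand *sighand;

    lock_retries = 0;
    for (;;) {
        rcu_read_lock_model();
        sighand = tsk->sighand;             /* rcu_dereference(tsk->sighand) */
        if (!sighand) {
            rcu_read_unlock_model();
            return NULL;
        }
        if (race_hook) {                    /* the other CPU acts right here */
            void (*hook)(struct model_task *) = race_hook;
            race_hook = NULL;
            hook(tsk);
        }
        siglock_lock(sighand);              /* safe only because RCU still pins *sighand */
        if (tsk->sighand == sighand) {
            rcu_read_unlock_model();        /* the held lock now pins the sighand */
            return sighand;
        }
        siglock_unlock(sighand);            /* stale sighand: back off and retry */
        rcu_read_unlock_model();
        lock_retries++;
    }
}

/* Injected writer: the task moves to a fresh sighand and drops the old one. */
static void switch_sighand_hook(struct model_task *tsk)
{
    struct model_sighand *old = tsk->sighand;
    tsk->sighand = sighand_alloc_model();
    cleanup_sighand_model(old);             /* deferred: a reader is still inside RCU */
}

/* Drives the race. Returns 1 when the reader ended up holding the live sighand,
 * detected exactly one stale lookup, and the stale object was reclaimed only
 * after the reader left its critical section. */
static int run_sighand_race_model(void)
{
    struct model_task tsk = { .sighand = sighand_alloc_model() };
    uintptr_t old_addr = (uintptr_t)tsk.sighand;
    struct model_sighand *got;
    int ok;

    rcu_freed_total = 0;
    race_hook = switch_sighand_hook;
    got = lock_task_sighand_model(&tsk);
    ok = got != NULL && (uintptr_t)got != old_addr && got == tsk.sighand &&
         lock_retries == 1 && rcu_freed_total == 1;
    siglock_unlock(got);
    tsk.sighand = NULL;
    cleanup_sighand_model(got);             /* no readers left: freed at once */
    return ok && rcu_freed_total == 2;
}

int main(void)
{
    return run_sighand_race_model() ? 0 : 1;
}
```

The abort() in rcu_reclaim_pending() is the model's stand-in for the bug the patch is about: if the last reference were dropped with an immediate free while a reader sits between the pointer read and the lock, the reader would take a lock that lives in freed memory, and the re-check in __lock_task_sighand() cannot help because it runs after that lock is taken.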