On 2014/03/19 22:22, Max Kellermann wrote:
> + list_add(&child->mnt_unmounted, &mnt->mnt_hash);
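Review bot: on the quoted list_add() line the node being inserted is child's mnt_unmounted, but the list head passed as the second argument is mnt's mnt_hash, so two different list_head fields are mixed and the new entry is linked directly after mnt->mnt_hash. If the list is meant to collect unmounted entries separately from the hash chain, the head should be the matching field (for example &mnt->mnt_unmounted); if the mix is intentional, it needs a comment saying why a mnt_unmounted node is threaded onto mnt_hash.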
This is obviously a bug in my patch, sorry. Will resend a fixed
patch.
On 2014/03/19 22:22, Max Kellermann wrote:
> In the presence of user+mount namespaces, this bug can be exploited by
> any unprivileged user to stall the kernel (denial of service by soft
> lockup).
Proof-of-concept exploit attached.
/*
* Exploit for linux commit 48a066e72d970a3e225a9c18690d570c7
mount.mnt_hash is RCU-protected. However, list_move() breaks RCU
protection: when one thread walks the linked list while another calls
list_move(), it may "redirect" the first thread into the new list,
making it loop endlessly in __lookup_mnt(), because the list head is
never found.
The right way