KASAN: use-after-free Read in task_is_descendant

Oleg Nesterov oleg at redhat.com
Thu Oct 25 16:25:54 UTC 2018


On 10/25, Oleg Nesterov wrote:
>
> Because our rcu read-lock critical section extends beyond the return from
> synchronize_rcu(), and thus we must have a full memory barrier _between_
> that synchronize_rcu() and our rcu_read_lock(). We must see all memory updates,
> including thread_pid = NULL which makes pid_alive() == F.

In case I was not clear...

Suppose we have int X = 0. If some CPU does

	X = 1;
	synchronize_rcu();

and another CPU does

	rcu_read_lock();
	x = X;
	rcu_read_unlock();

then x should be == 1 in the case where rcu_read_unlock() happens _after_ the return
from synchronize_rcu().

Oleg.
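The ordering argument in the mail above, modelled as an added example. This is not code from the mail, the thread, or the kernel: it is a deliberately small user-space stand-in for RCU (the functions toy_rcu_read_lock(), toy_rcu_read_unlock() and toy_synchronize_rcu() are inventions of this example) built only from C11 seq_cst atomics, so that the "full memory barrier between synchronize_rcu() and rcu_read_lock()" is explicit. One writer does `X = 1; synchronize_rcu();` while reader threads loop through critical sections; every reader that is still inside its critical section when synchronize_rcu() has already returned checks that it read X == 1. The counters outlived/violations and the min_outlived stopping rule are assumptions of the harness, not anything from the mail.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Toy user-space RCU written for this example; it is NOT the kernel's RCU.
 * A reader snapshots gp_ctr into its slot while inside a critical section and
 * clears the slot on exit. toy_synchronize_rcu() bumps gp_ctr and then waits
 * for every slot that is active (nonzero) and still carries an older snapshot.
 * Every access is C11 seq_cst, which supplies the full memory barriers the
 * mail relies on between the writer's update and the reader's read lock. */
#define MAX_READERS 4

static _Atomic unsigned long gp_ctr = 1;               /* never 0 */
static _Atomic unsigned long reader_ctr[MAX_READERS];  /* 0 == not in a critical section */

static void toy_rcu_read_lock(int id)
{
    atomic_store(&reader_ctr[id], atomic_load(&gp_ctr));
}

static void toy_rcu_read_unlock(int id)
{
    atomic_store(&reader_ctr[id], 0);
}

static void toy_synchronize_rcu(void)
{
    unsigned long new_gp = atomic_fetch_add(&gp_ctr, 1) + 1;
    for (int i = 0; i < MAX_READERS; i++) {
        unsigned long c;
        /* A reader that entered before the bump holds an older snapshot: wait
         * until it leaves. One that entered after the bump holds new_gp and
         * already observes every store the writer made before the bump. */
        while ((c = atomic_load(&reader_ctr[i])) != 0 && c != new_gp)
            sched_yield();
    }
}

/* The scenario from the mail. X plays the role of the update made before
 * synchronize_rcu() (thread_pid = NULL in the race under discussion). */
static _Atomic int X;
static _Atomic int sync_returned;  /* set by the writer right after toy_synchronize_rcu() */
static _Atomic int stop;
static _Atomic long outlived;      /* critical sections still open after sync returned */
static _Atomic long violations;    /* ...which nevertheless read X == 0 */

static void *reader_thread(void *arg)
{
    int id = (int)(intptr_t)arg;
    while (!atomic_load(&stop)) {
        toy_rcu_read_lock(id);
        int x = atomic_load(&X);
        /* Still inside the critical section: if synchronize_rcu() has already
         * returned, our unlock will happen after it, so x must already be 1. */
        if (atomic_load(&sync_returned)) {
            atomic_fetch_add(&outlived, 1);
            if (x != 1)
                atomic_fetch_add(&violations, 1);
        }
        toy_rcu_read_unlock(id);
    }
    return NULL;
}

/* Runs nreaders reader threads against one writer until at least min_outlived
 * critical sections have been seen to outlive toy_synchronize_rcu(). Returns
 * how many of those read the stale value (the guarantee says 0), or -1 if a
 * thread could not be created. */
long run_scenario(int nreaders, long min_outlived)
{
    pthread_t tid[MAX_READERS];
    if (nreaders < 1) nreaders = 1;
    if (nreaders > MAX_READERS) nreaders = MAX_READERS;
    atomic_store(&X, 0);
    atomic_store(&sync_returned, 0);
    atomic_store(&stop, 0);
    atomic_store(&outlived, 0);
    atomic_store(&violations, 0);

    for (int i = 0; i < nreaders; i++) {
        if (pthread_create(&tid[i], NULL, reader_thread, (void *)(intptr_t)i) != 0) {
            atomic_store(&stop, 1);
            for (int j = 0; j < i; j++) pthread_join(tid[j], NULL);
            return -1;
        }
    }

    /* Writer side, exactly as in the mail. */
    atomic_store(&X, 1);
    toy_synchronize_rcu();
    atomic_store(&sync_returned, 1);

    while (atomic_load(&outlived) < min_outlived)
        sched_yield();
    atomic_store(&stop, 1);
    for (int i = 0; i < nreaders; i++)
        pthread_join(tid[i], NULL);
    return atomic_load(&violations);
}

int main(void)
{
    long bad = run_scenario(2, 100000);
    printf("critical sections outliving synchronize_rcu() that read X == 0: %ld\n", bad);
    return bad == 0 ? 0 : 1;
}
```

The reader records its observation before calling toy_rcu_read_unlock(), so a nonzero sync_returned inside the section means the unlock really does happen after synchronize_rcu() returned, which is precisely the situation the mail describes. Because the reader's slot store, the writer's store to X and the writer's later load of the slot are all seq_cst, the store-buffering outcome in which the writer misses an active reader while that reader misses X = 1 is impossible; that is the "full memory barrier" the mail asks for. The toy uses a monotonically growing counter rather than the two-phase flip a production user-space RCU needs, and it does not support nested read-side sections; it exists only to make the ordering visible.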



More information about the Linux-security-module-archive mailing list