cgroup/files: use task_get_css() to get a valid css during dup_fd()
hulk inclusion
category: bugfix
bugzilla: 50779
CVE: NA
-------------------------------------------------
Process fork and cgroup migration can happen simultaneously, and
in the following case use-after-free of css_set is possible:
CPU 0: process fork                          CPU 1: cgroup migration
dup_fd                                       __cgroup1_procs_write(threadgroup=false)
  files_cgroup_assign
    // task A
    task_lock
    task_cgroup(current, files_cgrp_id)
      css_set = task_css_set_check()
                                               cgroup_migrate_execute
                                                 files_cgroup_can_attach
                                                 css_set_move_task
                                                   put_css_set_locked()
                                                 files_cgroup_attach
                                                   // task B which is in the same
                                                   // thread group as task A
                                                   task_lock
                                               cgroup_migrate_finish
                                                 // the css_set will be freed
                                                 put_css_set_locked()
    // use-after-free
    css_set->subsys[files_cgrp_id]
Fix it by using task_get_css() instead to get a valid css.
Fixes: 52cc1eccf6de ("cgroups: Resource controller for open files")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Reviewed-by: luojiajun <luojiajun3@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
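The race above, reduced to its essence: the fork path borrows a pointer to a reference-counted css_set without taking its own reference, so a concurrent migration can drop the last reference and free the object before the fork path dereferences it. The following is an added userspace model written for this page, not kernel code and not part of the commit; struct css_set, struct task, the get/put helpers and the two assign functions are simplified stand-ins for the kernel objects and for task_css_set_check() versus task_get_css(). The interleaving is forced sequentially so the outcome is deterministic, and a freed object is marked rather than released so the stale read can be detected instead of crashing.

```c
/* Added example: userspace model of the css_set use-after-free in the
 * commit message (buggy lookup beside the fixed lookup). Not kernel code. */
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct css_set: reference counted, released on the last put.
 * Storage is deliberately kept so a stale read can be detected (model only). */
struct css_set {
    int refcount;
    int freed;          /* set when the last reference is dropped */
    int files_limit;    /* stands in for subsys[files_cgrp_id] state */
};

/* Stand-in for a task: points at the css_set it currently belongs to. */
struct task {
    struct css_set *cset;
};

static struct css_set *css_set_alloc(int files_limit)
{
    struct css_set *cset = calloc(1, sizeof(*cset));
    if (!cset)
        abort();
    cset->refcount = 1;     /* the task's own reference */
    cset->files_limit = files_limit;
    return cset;
}

/* Models put_css_set_locked(): drop one reference, release on zero. */
static void put_css_set(struct css_set *cset)
{
    if (--cset->refcount == 0)
        cset->freed = 1;
}

/* Models taking a reference (what task_get_css() does for the caller). */
static void get_css_set(struct css_set *cset)
{
    cset->refcount++;
}

/* Models the CPU 1 migration: move the task to new_cset and drop the
 * task's reference on the old css_set. */
static void migrate_task(struct task *t, struct css_set *new_cset)
{
    struct css_set *old = t->cset;
    get_css_set(new_cset);
    t->cset = new_cset;
    put_css_set(old);
}

/* Reads the files limit; -1 stands for a dereference of freed memory. */
static int read_files_limit(const struct css_set *cset)
{
    return cset->freed ? -1 : cset->files_limit;
}

/* Buggy dup_fd path: task_css_set_check() hands back a borrowed pointer,
 * the migration interleaves, and the pointer is used after the free. */
int buggy_assign(struct task *t, struct css_set *new_cset)
{
    struct css_set *cset = t->cset;     /* no reference taken */
    migrate_task(t, new_cset);          /* CPU 1 frees the old css_set */
    return read_files_limit(cset);      /* use-after-free: returns -1 */
}

/* Fixed path: pin the css_set with a reference while the pointer is
 * known to be valid, use it, then drop the reference. */
int fixed_assign(struct task *t, struct css_set *new_cset)
{
    struct css_set *cset = t->cset;
    get_css_set(cset);                  /* task_get_css(): refcount 1 -> 2 */
    migrate_task(t, new_cset);          /* migration drops only the task's ref */
    int limit = read_files_limit(cset); /* still valid: refcount is 1 */
    put_css_set(cset);                  /* our reference was the last one */
    return limit;
}

int main(void)
{
    struct css_set *a = css_set_alloc(1024), *b = css_set_alloc(2048);
    struct task t = { a };
    printf("buggy lookup reads: %d\n", buggy_assign(&t, b));

    struct css_set *c = css_set_alloc(1024), *d = css_set_alloc(2048);
    struct task u = { c };
    printf("fixed lookup reads: %d\n", fixed_assign(&u, d));
    return 0;
}
```

The point the model makes is that the lock around the lookup is not enough on its own: task_lock only guarantees the pointer is valid while it is held, and the fork path dereferences it later. Holding a reference across the window is what keeps the object alive until the caller is done with it.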