Use after free from pid_nr_ns()

There is use after free reported due to group leader task is already freed but other tasks are still holding the group leader task address in task->group_leader pointer. pid_nr_ns+0x10/0x38 cgroup_pidlist_start+0x144/0x400 cgroup_seqfile_start+0x1c/0x24 kernfs_seq_start+0x54/0x90 seq_read+0x15c/0x3a8 kernfs_fop_read+0x38/0x160 __vfs_read+0x28/0xc8 vfs_read+0x84/0xfc Change-Id: Ib6b3fc75bf0d24a04455bf81d54900c21c434958 Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
author: Oleg Nesterov <oleg@redhat.com> 2017-01-09 20:26:14 -0800
committer: Prasad Sodagudi <psodagud@codeaurora.org> 2017-01-23 18:31:21 -0800
commit: 5cbee2fa5de964083d6d9a2d4898615227393a9d (patch)
tree: 6cc9be3288bc0de132834fd818ad0e1d1fb1bb91 /include/linux/pid.h
parent: 4f1f60e00d6a434232e6fdc048d072296c24fb45 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/pid.h b/include/linux/pid.h
index 23705a53abba..97b745ddece5 100644
--- a/include/linux/pid.h
+++ b/include/linux/pid.h
@@ -8,7 +8,9 @@ enum pid_type
 	PIDTYPE_PID,
 	PIDTYPE_PGID,
 	PIDTYPE_SID,
-	PIDTYPE_MAX
+	PIDTYPE_MAX,
+	/* only valid to __task_pid_nr_ns() */
+	__PIDTYPE_TGID
 };
 
 /*
author	Oleg Nesterov <oleg@redhat.com>	2017-01-09 20:26:14 -0800
committer	Prasad Sodagudi <psodagud@codeaurora.org>	2017-01-23 18:31:21 -0800
commit	5cbee2fa5de964083d6d9a2d4898615227393a9d (patch)
tree	6cc9be3288bc0de132834fd818ad0e1d1fb1bb91 /include/linux/pid.h
parent	4f1f60e00d6a434232e6fdc048d072296c24fb45 (diff)