Re: [PATCH] mm: vmalloc: Prevent use after free in _vm_unmap_aliases

From: Uladzislau Rezki
Date: Thu Mar 18 2021 - 13:00:20 EST


On Thu, Mar 18, 2021 at 03:38:25PM +0530, vjitta@xxxxxxxxxxxxxx wrote:
> From: Vijayanand Jitta <vjitta@xxxxxxxxxxxxxx>
>
> A potential use after free can occur in _vm_unmap_aliases
> where an already freed vmap_area could be accessed. Consider
> the following scenario:
>
> Process 1                                  Process 2
>
> __vm_unmap_aliases                         __vm_unmap_aliases
> purge_fragmented_blocks_allcpus            rcu_read_lock()
> rcu_read_lock()
> list_del_rcu(&vb->free_list)
>                                            list_for_each_entry_rcu(vb .. )
> __purge_vmap_area_lazy
> kmem_cache_free(va)
>                                            va_start = vb->va->va_start
Or maybe we should switch to kfree_rcu() instead of kmem_cache_free()?

--
Vlad Rezki