| author | Waiman Long <longman@redhat.com> | 2023-01-18 23:01:11 -0500 |
|---|---|---|
| committer | Andrew Morton <akpm@linux-foundation.org> | 2023-02-02 22:33:25 -0800 |
| commit | 782e4179535971c3574c367bfaaefea8970b3e0b (patch) | |
| tree | 81b86358683a656f7386f383a2df170e5ac4ba56 /include/linux/damon.h | |
| parent | 6061e740822530a4ef443548b19c4e0bc6342c7a (diff) | |
mm/kmemleak: fix UAF bug in kmemleak_scan()
Commit 6edda04ccc7c ("mm/kmemleak: prevent soft lockup in first object
iteration loop of kmemleak_scan()") fixes a soft lockup problem in
kmemleak_scan() by periodically doing a cond_resched(). It does take a
reference of the current object before doing it. Unfortunately, if the
object has been deleted from the object_list, the next object pointed to
by its next pointer may no longer be valid after coming back from
cond_resched(). This can result in use-after-free and other nasty
problems.

Fix this problem by adding a del_state flag into kmemleak_object structure
to synchronize the object deletion process between kmemleak_cond_resched()
and __remove_object() to make sure that the object remains in the
object_list in the duration of the cond_resched() call.
Link: https://lkml.kernel.org/r/20230119040111.350923-3-longman@redhat.com
Fixes: 6edda04ccc7c ("mm/kmemleak: prevent soft lockup in first object iteration loop of kmemleak_scan()")
Signed-off-by: Waiman Long <longman@redhat.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'include/linux/damon.h')
0 files changed, 0 insertions, 0 deletions
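The del_state handshake the commit message describes, as an added single-threaded C model. This is illustration written for this page, not the kernel's code, and the patch itself is not shown here: the scanner pins the object it parks on while it sleeps, `__remove_object()` leaves such an object linked and only marks it, and the scanner completes the unlink when it wakes. The flag names `DELSTATE_NO_DELETE` and `DELSTATE_REMOVED`, the five-object list, the refcount, the grace-period queue and the `other_cpu_deletes` callback are all assumptions chosen to make the race reproducible in one thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed flag names; the real kernel patch is not shown on this page. */
#define DELSTATE_NO_DELETE 1u /* scanner is asleep holding this object: keep it linked */
#define DELSTATE_REMOVED   2u /* __remove_object() ran; its unlink may still be pending */

struct kobj {
	struct kobj *prev, *next; /* intrusive object_list links */
	unsigned int refcount;    /* the list owns one reference */
	unsigned int del_state;
	bool freed;               /* poison flag standing in for kfree() */
	int id;
};

#define NOBJ 5
static struct kobj pool[NOBJ], object_list; /* object_list is the sentinel head */
static struct kobj *rcu_pending[NOBJ];      /* freed at the next grace period */
static int n_pending;
static bool fixed_mode;                     /* false: pre-fix, true: del_state protocol */

static void list_add_tail(struct kobj *o)
{
	o->prev = object_list.prev;
	o->next = &object_list;
	object_list.prev->next = o;
	object_list.prev = o;
}

/* Like list_del_rcu(): unlink, but leave o->next intact for a reader parked on o. */
static void list_del(struct kobj *o)
{
	o->prev->next = o->next;
	o->next->prev = o->prev;
}

/* kref_get_unless_zero(), and a put whose last reference defers the free via call_rcu(). */
static bool get_object(struct kobj *o) { if (!o->refcount) return false; o->refcount++; return true; }
static void put_object(struct kobj *o) { if (--o->refcount == 0) rcu_pending[n_pending++] = o; }
static void rcu_grace_period(void) { while (n_pending) rcu_pending[--n_pending]->freed = true; }

/* __remove_object(): with the fix, the unlink waits while NO_DELETE is set. */
static void remove_object(struct kobj *o)
{
	if (!fixed_mode || !(o->del_state & DELSTATE_NO_DELETE))
		list_del(o);
	o->del_state |= DELSTATE_REMOVED;
	put_object(o); /* drop the list's reference */
}

/* Constructed stand-in for other CPUs while the scanner sits in cond_resched():
 * delete the object the scanner parked on and the one after it, then let a
 * grace period pass (legal, since the scanner dropped rcu_read_lock() to sleep). */
static void other_cpu_deletes(struct kobj *cur)
{
	struct kobj *nxt = cur->next;
	if (cur->id != 1)
		return; /* fire once, while the scanner holds object 1 */
	remove_object(cur);
	remove_object(nxt);
	rcu_grace_period();
}

/* kmemleak_cond_resched(): pin the object, sleep, then finish any deferred unlink. */
static void cond_resched_on(struct kobj *o, void (*yield)(struct kobj *))
{
	if (!get_object(o))
		return;
	if (fixed_mode)
		o->del_state |= DELSTATE_NO_DELETE;
	yield(o);
	if (fixed_mode) {
		if (o->del_state & DELSTATE_REMOVED)
			list_del(o); /* the unlink __remove_object() left for us */
		o->del_state &= ~DELSTATE_NO_DELETE;
	}
	put_object(o);
}

/* Returns objects visited, or -1 when the walk follows a pointer to freed memory. */
static int scan(void (*yield)(struct kobj *))
{
	int visited = 0;
	for (struct kobj *o = object_list.next; o != &object_list; o = o->next) {
		if (o->freed)
			return -1;
		visited++;
		cond_resched_on(o, yield);
	}
	return visited;
}

int run_scan(bool fixed)
{
	fixed_mode = fixed;
	n_pending = 0;
	object_list.next = object_list.prev = &object_list;
	for (int i = 0; i < NOBJ; i++) {
		pool[i] = (struct kobj){ .refcount = 1, .id = i };
		list_add_tail(&pool[i]);
	}
	return scan(other_cpu_deletes);
}

int main(void)
{
	printf("pre-fix: %d, with del_state: %d\n", run_scan(false), run_scan(true));
	return 0;
}
```

`run_scan(false)` models the pre-fix behaviour: the parked object is unlinked while the scanner sleeps, its stale `next` still names an object that a grace period has since freed, and the walk steps onto it. `run_scan(true)` keeps the parked object in the list, so its `next` is rewritten by the neighbour's `list_del()` and the walk continues over the surviving objects.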