| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 May 2021 17:16:12 +0800
From: Miaohe Lin <linmiaohe@...wei.com>
To: Linux-MM <linux-mm@...ck.org>,
linux-kernel <linux-kernel@...r.kernel.org>
CC: Andrew Morton <akpm@...ux-foundation.org>
Subject: [Question] Is there a race window between __anon_vma_prepare() with
page_lock_anon_vma_read() ?
Hi all,
I am investigating the rmap code, and I found the below possible race window:
CPU 1 CPU 2
----- -----
page_lock_anon_vma_read
rcu_read_lock
/* We assume anon_vam == root_anon_vma in this case. */
root_anon_vma = READ_ONCE(anon_vma->root);
root_anon_vma is *released* somewhere unfortunately.
down_read_trylock(&root_anon_vma->rwsem)
__anon_vma_prepare
anon_vma_alloc
root_anon_vma is *allocated* here.
init_rwsem(&anon_vma->rwsem);
!page_mapped(page)
up_read(&root_anon_vma->rwsem); -- *Oops!*
root_anon_vma->rwsem is reinitialized after locked. And reinitialized anon_vma->rwsem will be
unlocked without lock first.
I think this could happen due to the subtle SLAB_TYPESAFE_BY_RCU. But only can occur when anon_vma
is root anon_vma or they won't operate on the same rwsem.
Is this will really happen or Am I miss something ? Any reply would be very grateful.
Many Thanks! :)
Powered by blists - more mailing lists