| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 May 2021 16:41:45 +0800
From: Miaohe Lin <linmiaohe@...wei.com>
To: Linux-MM <linux-mm@...ck.org>,
linux-kernel <linux-kernel@...r.kernel.org>
CC: Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [Question] Is there a race window between __anon_vma_prepare()
with page_lock_anon_vma_read() ?
On 2021/5/14 17:16, Miaohe Lin wrote:
> Hi all,
> I am investigating the rmap code, and I found the below possible race window:
>
> CPU 1 CPU 2
> ----- -----
> page_lock_anon_vma_read
> rcu_read_lock
> /* We assume anon_vam == root_anon_vma in this case. */
> root_anon_vma = READ_ONCE(anon_vma->root);
> root_anon_vma is *released* somewhere unfortunately.
> down_read_trylock(&root_anon_vma->rwsem)
> __anon_vma_prepare
> anon_vma_alloc
> root_anon_vma is *allocated* here.
> init_rwsem(&anon_vma->rwsem);
> !page_mapped(page)
> up_read(&root_anon_vma->rwsem); -- *Oops!*
>
> root_anon_vma->rwsem is reinitialized after locked. And reinitialized anon_vma->rwsem will be
> unlocked without lock first.
>
> I think this could happen due to the subtle SLAB_TYPESAFE_BY_RCU. But only can occur when anon_vma
> is root anon_vma or they won't operate on the same rwsem.
> Is this will really happen or Am I miss something ? Any reply would be very grateful.
> Many Thanks! :)
Any reply would be very grateful.
Many thanks!
>
Powered by blists - more mailing lists