mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 01:04:41 +01:00
d66adabe91
syzbot reported that it discovered a use-after-free vulnerability, [0]
[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/
idr_for_each() is protected by rwsem, but this is not enough. If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.
Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().
Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes:
|
||
|---|---|---|
| .. | ||
| compat.c | ||
| ipc_sysctl.c | ||
| Makefile | ||
| mq_sysctl.c | ||
| mqueue.c | ||
| msg.c | ||
| msgutil.c | ||
| namespace.c | ||
| sem.c | ||
| shm.c | ||
| syscall.c | ||
| util.c | ||
| util.h | ||