diff options
| author | Waiman Long <longman@redhat.com> | 2022-01-03 03:35:58 +0100 |
|---|---|---|
| committer | Peter Zijlstra <peterz@infradead.org> | 2022-01-25 22:30:28 +0100 |
| commit | 61cc4534b6550997c97a03759ab46b29d44c0017 (patch) | |
| tree | 4f7922d52522639795e1716ac63a64c2e064b9de /include/asm-generic | |
| parent | lockdep: Use memset_startat() helper in reinit_class() (diff) | |
| download | linux-61cc4534b6550997c97a03759ab46b29d44c0017.tar.xz linux-61cc4534b6550997c97a03759ab46b29d44c0017.zip | |
locking/lockdep: Avoid potential access of invalid memory in lock_class
It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.
After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still have a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.
To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.
[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/
Fixes: 8b39adbee805 ("locking/lockdep: Make lockdep_unregister_key() honor 'debug_locks' again")
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lkml.kernel.org/r/20220103023558.1377055-1-longman@redhat.com
Diffstat (limited to 'include/asm-generic')
0 files changed, 0 insertions, 0 deletions