Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU

From: Jann Horn
Date: Wed Jul 23 2025 - 16:01:25 EST

Next message: Lukasz Majewski: "Re: [net-next v15 06/12] net: mtip: Add net_device_ops functions to the L2 switch driver"
Previous message: Jonathan Denose: "Re: [PATCH 00/11] HID: Implement haptic forcepad support"
In reply to: Jann Horn: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Next in thread: Suren Baghdasaryan: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 23, 2025 at 9:52 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> I'm not sure if I'm understanding you correctly; but yes,
> __vma_enter_locked() waits for all the waiters to drop their
> "refcounts". (It's not really a refcount, you can also think of it as
> a sleepable read-write lock where the low bits are the number of
> readers.)

Sorry, that's not entirely true, since an attached VMA has a refcount
elevated by one. It's kind of a refcount, and kind of forms part of a
sleepable read-write lock, it's complicated.

Next message: Lukasz Majewski: "Re: [net-next v15 06/12] net: mtip: Add net_device_ops functions to the L2 switch driver"
Previous message: Jonathan Denose: "Re: [PATCH 00/11] HID: Implement haptic forcepad support"
In reply to: Jann Horn: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Next in thread: Suren Baghdasaryan: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]