Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU

From: Lorenzo Stoakes
Date: Thu Jul 24 2025 - 01:24:53 EST

Next message: Neeraj Upadhyay: "Re: [PATCH] rcu: Fix delayed execution of hurry callbacks"
Previous message: Yao Zi: "Re: [PATCH v4 5/6] phy: rockchip: naneng-combphy: Add RK3528 support"
In reply to: Lorenzo Stoakes: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Next in thread: Vlastimil Babka: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 23, 2025 at 10:00:40PM +0200, Jann Horn wrote:
> On Wed, Jul 23, 2025 at 9:52 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> > I'm not sure if I'm understanding you correctly; but yes,
> > __vma_enter_locked() waits for all the waiters to drop their
> > "refcounts". (It's not really a refcount, you can also think of it as
> > a sleepable read-write lock where the low bits are the number of
> > readers.)
>
> Sorry, that's not entirely true, since an attached VMA has a refcount
> elevated by one. It's kind of a refcount, and kind of forms part of a
> sleepable read-write lock, it's complicated.

And needs internal impl detail documentation IMO. Which I'll provide...

Next message: Neeraj Upadhyay: "Re: [PATCH] rcu: Fix delayed execution of hurry callbacks"
Previous message: Yao Zi: "Re: [PATCH v4 5/6] phy: rockchip: naneng-combphy: Add RK3528 support"
In reply to: Lorenzo Stoakes: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Next in thread: Vlastimil Babka: "Re: [BUG] hard-to-hit mm_struct UAF due to insufficiently careful vma_refcount_put() wrt SLAB_TYPESAFE_BY_RCU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]