mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-19 02:34:01 +08:00
61cc4534b6
It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.
After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still have a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.
To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.
[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/
Fixes:
|
||
|---|---|---|
| .. | ||
| irqflag-debug.c | ||
| lock_events_list.h | ||
| lock_events.c | ||
| lock_events.h | ||
| lockdep_internals.h | ||
| lockdep_proc.c | ||
| lockdep_states.h | ||
| lockdep.c | ||
| locktorture.c | ||
| Makefile | ||
| mcs_spinlock.h | ||
| mutex-debug.c | ||
| mutex.c | ||
| mutex.h | ||
| osq_lock.c | ||
| percpu-rwsem.c | ||
| qrwlock.c | ||
| qspinlock_paravirt.h | ||
| qspinlock_stat.h | ||
| qspinlock.c | ||
| rtmutex_api.c | ||
| rtmutex_common.h | ||
| rtmutex.c | ||
| rwbase_rt.c | ||
| rwsem.c | ||
| semaphore.c | ||
| spinlock_debug.c | ||
| spinlock_rt.c | ||
| spinlock.c | ||
| test-ww_mutex.c | ||
| ww_mutex.h | ||
| ww_rt_mutex.c | ||