On Thu, Mar 18, 2021 at 03:38:25PM +0530, vjitta@xxxxxxxxxxxxxx wrote:
> From: Vijayanand Jitta <vjitta@xxxxxxxxxxxxxx>
>
> A potential use after free can occur in _vm_unmap_aliases
> where an already freed vmap_area could be accessed. Consider
> the following scenario:
>
> Process 1                                      Process 2
>
> __vm_unmap_aliases                             __vm_unmap_aliases
>   purge_fragmented_blocks_allcpus                rcu_read_lock()
>     rcu_read_lock()
>       list_del_rcu(&vb->free_list)
>                                                  list_for_each_entry_rcu(vb .. )
>   __purge_vmap_area_lazy
>     kmem_cache_free(va)
>                                                    va_start = vb->va->va_start

Or maybe we should switch to kfree_rcu() instead of kmem_cache_free()?

--
Vlad Rezki
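The interleaving above, replayed as a userspace model so the difference between an immediate kmem_cache_free() and a grace-period-deferred kfree_rcu() can be observed. This is an added example, not code from the thread or from mm/vmalloc.c: the one-slot "slab", the reader counter standing in for RCU, the POISON value a freed slot reads back as, and all the `_m` names are hypothetical stand-ins reduced to what the race needs.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Userspace model (not kernel code) of the reported race: Process 1 unlinks
 * a vmap_block from an RCU-protected list and frees the vmap_area it points
 * to, while Process 2 is still inside rcu_read_lock() and dereferences
 * vb->va. Slab, RCU and list are hypothetical stand-ins for the real ones.
 */

#define POISON 0xdeadbeefUL   /* what a freed slot reads back as in this model */

struct vmap_area_m {
    unsigned long va_start;
    bool live;                     /* slot allocated? (slab bookkeeping) */
    struct vmap_area_m *next_rcu;  /* pending kfree_rcu() callback list */
};

struct vmap_block_m {
    struct vmap_area_m *va;
    bool on_free_list;
};

/* One-slot "kmem_cache" plus a deferred-free queue standing in for RCU callbacks. */
static struct vmap_area_m slab_slot;
static struct vmap_area_m *rcu_pending;
static int rcu_readers;

static struct vmap_area_m *kmem_cache_alloc_m(unsigned long va_start)
{
    slab_slot.va_start = va_start;
    slab_slot.live = true;
    slab_slot.next_rcu = NULL;
    return &slab_slot;
}

/* Immediate free: the object is gone (poisoned here) as soon as this returns. */
static void kmem_cache_free_m(struct vmap_area_m *va)
{
    va->live = false;
    va->va_start = POISON;
}

/* Deferred free: queue the object; it is released only at the next grace period. */
static void kfree_rcu_m(struct vmap_area_m *va)
{
    va->next_rcu = rcu_pending;
    rcu_pending = va;
}

static void rcu_read_lock_m(void) { rcu_readers++; }

/*
 * Grace-period model: when the last reader leaves, everything queued while
 * it was inside its critical section is freed. Real RCU waits for every CPU
 * to pass a quiescent state instead of counting readers; the effect on the
 * object lifetime is the same for this interleaving.
 */
static void rcu_read_unlock_m(void)
{
    if (--rcu_readers > 0)
        return;
    while (rcu_pending) {
        struct vmap_area_m *va = rcu_pending;
        rcu_pending = va->next_rcu;
        kmem_cache_free_m(va);
    }
}

/*
 * Replays the report's timeline in order and returns the va_start value
 * Process 2 observes: POISON (a use-after-free read) with the immediate
 * free, the real value 0x1000 when the free is deferred past the reader.
 */
static unsigned long run_scenario(bool use_kfree_rcu)
{
    struct vmap_block_m vb = { .va = kmem_cache_alloc_m(0x1000), .on_free_list = true };
    unsigned long observed;

    rcu_readers = 0;
    rcu_pending = NULL;

    /* Process 2: enters list_for_each_entry_rcu() and picks up vb. */
    rcu_read_lock_m();
    struct vmap_block_m *cur = &vb;

    /* Process 1: purge_fragmented_blocks_allcpus() unlinks vb ... */
    rcu_read_lock_m();
    vb.on_free_list = false;          /* list_del_rcu(&vb->free_list) */
    rcu_read_unlock_m();              /* Process 2 still reading: no grace period yet */

    /* ... then __purge_vmap_area_lazy() releases the vmap_area. */
    if (use_kfree_rcu)
        kfree_rcu_m(vb.va);
    else
        kmem_cache_free_m(vb.va);

    /* Process 2: va_start = vb->va->va_start */
    observed = cur->va->va_start;
    rcu_read_unlock_m();              /* last reader out: pending frees run now */

    return observed;
}

/* True once the slab slot has actually been released (either path). */
static bool slot_released(void) { return !slab_slot.live; }
```

The point the model makes is that list_del_rcu() only protects the list walk itself; anything the unlinked element points to must outlive every reader that could have fetched it, which is what deferring the free to after the grace period provides and an immediate kmem_cache_free() does not.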