It was found that a KASAN use-after-free error was reported in the kmemleak_scan() function. After further examination, it is believed that even though a reference is taken from the current object, it does not prevent the object pointed to by the next pointer from going away after a cond_resched(). So the heuristic is now changed to restart scanning from the beginning of object_list in case the current object is no longer in the object_list, i.e. OBJECT_ALLOCATED flag not set.

While making the change, I also simplify the current usage of kmemleak_cond_resched() to make it easier to understand.

Waiman Long (2):
  mm/kmemleak: Simplify kmemleak_cond_resched() usage
  mm/kmemleak: Fix UAF bug in kmemleak_scan()

 mm/kmemleak.c | 59 ++++++++++++++++++++-------------------------------
 1 file changed, 23 insertions(+), 36 deletions(-)

-- 
2.31.1
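As an added example that is not part of the patch series, the following user-space C model shows the race the cover letter describes and the restart heuristic it proposes: the scanner's reference keeps the current object's memory alive, but once that object has been unlinked during cond_resched() its next pointer can name an object that has since been freed. Only OBJECT_ALLOCATED is taken from the cover letter; the struct, the list layout and every function name are hypothetical stand-ins, and "freeing" is modelled as a refcount reaching 0 so that the stale access can be counted instead of crashing.

```c
#define NOBJ 5
#define OBJECT_ALLOCATED 1u  /* flag named in the cover letter */
/* hypothetical stand-in for struct kmemleak_object; refcount 0 = memory freed */
struct obj { unsigned flags; int refcount; struct obj *next; };
static struct obj objs[NOBJ], *object_list; /* constructed list and its head */
static int race_armed;          /* the racing free fires once per scan */

/* kmemleak_free() model: clear the flag, unlink, drop the list's reference.
 * Like list_del_rcu(), the unlinked node keeps its old next pointer. */
static void delete_object(struct obj *o)
{
    o->flags &= ~OBJECT_ALLOCATED;
    for (struct obj **pp = &object_list; *pp; pp = &(*pp)->next)
        if (*pp == o) { *pp = o->next; break; }
    o->refcount--;
}

/* cond_resched() point: the scanner's reference pins cur's memory only, so
 * another CPU may delete cur and then free the object cur->next still names. */
static void cond_resched_racing(struct obj *cur)
{
    if (!race_armed || !cur->next) return;
    race_armed = 0;
    delete_object(cur);       /* cur unlinked; our reference keeps its memory */
    delete_object(cur->next); /* but the object cur->next names is now gone */
}

/* Build the list, then walk it as kmemleak_scan() does. Returns how many
 * iterations landed on memory with refcount 0 (what KASAN reports as a UAF). */
static int scan_model(int restart_if_stale)
{
    int uaf = 0;
    for (int i = 0; i < NOBJ; i++) {
        objs[i].flags = OBJECT_ALLOCATED;
        objs[i].refcount = 1;   /* the list's own reference */
        objs[i].next = (i + 1 < NOBJ) ? &objs[i + 1] : 0;
    }
    object_list = &objs[0]; race_armed = 1;
    for (struct obj *o = object_list; o;) {
        if (o->refcount == 0) uaf++;
        o->refcount++;          /* get_object() */
        cond_resched_racing(o);
        o->refcount--;          /* put_object() */
        if (restart_if_stale && !(o->flags & OBJECT_ALLOCATED))
            o = object_list;    /* fix: cur left the list, restart from head */
        else
            o = o->next;        /* original walk: may follow a stale next */
    }
    return uaf;
}
```

scan_model(0) reproduces one stale access (the walk steps from the unlinked object onto freed memory); scan_model(1) restarts from object_list after noticing the current object lost OBJECT_ALLOCATED and touches no freed memory.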