Hi,

As reported by Seth, there are two bugs in the arm64 MTE coredump code. The first is a double freeing of the temporary tag storage object on an error condition. The second is the racy traversing of the vma list, and fixing it required adding a struct coredump_params * parameter to the elf_core_extra_phdrs() and elf_core_extra_data_size() functions. This way the arm64 code can use the vma snapshot saved in cprm rather than iterating over the vma list.

All patches are cc stable to 5.18, but I'm not aware of any MTE deployment in production yet, so merging them in the new year is fine (still aiming for the fix in one of the 6.2-rcX).

Thanks.

Catalin Marinas (3):
  arm64: mte: Fix double-freeing of the temporary tag storage during coredump
  elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size}
  arm64: mte: Avoid the racy walk of the vma list during core dump

 arch/arm64/kernel/elfcore.c | 61 +++++++++++++++++--------------------
 arch/ia64/kernel/elfcore.c  |  4 +--
 arch/x86/um/elfcore.c       |  4 +--
 fs/binfmt_elf.c             |  4 +--
 fs/binfmt_elf_fdpic.c       |  4 +--
 include/linux/elfcore.h     |  8 ++---
 6 files changed, 40 insertions(+), 45 deletions(-)