Re: [mm/page_alloc or mm/vmscan or mm/zswap] use-after-free in obj_malloc()


On Thu, Feb 22, 2024 at 6:10 PM Tetsuo Handa
<penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> I can observe this bug during evict_folios() from 6.7.0 to 6.8.0-rc5-00163-gffd2cb6b718e.
> Since I haven't observed with 6.6.0, this bug might be introduced in 6.7 cycle.

I am not familiar with KMSAN bug reports, but it seems like it's
reporting a use-after-free for zspage->freeobj. The report says it
was created in free_unref_page_prepare() during lruvec reclaim, and I
am not sure how that's possible given that zspage is allocated from
the slab allocator. Perhaps I am mis-interpreting the report.

I also don't see any recent changes in mm/zsmalloc.c that modify this
code, so maybe it wasn't introduced in 6.7. I will defer to Minchan and
Sergey; I don't think zswap is an active actor in this bug report.
