From nobody Tue Jun 9 00:58:52 2026 Received: from out-185.mta0.migadu.com (out-185.mta0.migadu.com [91.218.175.185]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5E6353D1A8E for ; Mon, 25 May 2026 07:22:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.185 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779693741; cv=none; b=FAi623nE28WB0WhxrTdik9fACRxOmZX/GijIXD2G09FXp9lMj+sirQcHRbrNIyaslb/UOOQaDuTWiKvx18LwWK3VS4QLXJkHKEPbScI08gzwR/m1RjVqW8UsPeUMzsR3ig/BHlVbgXfJH6vzad2zNqg/Jjvr3QDMTjeLCbNghic= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779693741; c=relaxed/simple; bh=m0v8yf85hJwj/9v28716XA1hjfUiI6BM07PkUTVEu+M=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=DFQrdBQ8DXGCSkuKMsZpBKEE4tZTXNuCc+4elatQjyPU9wSPjsHfbg76/ZnouQOeP+NZrLUseTO3dtm19ywhZMA6XI4nCdgSwJ9W+5PvEUe4u0Ayq+TamnMMTra/8bDy069NCdkQAMosYNxwC6Cc8YGQXi7AqUdWEuRhlUu7S1Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=FEE6BK9a; arc=none smtp.client-ip=91.218.175.185 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="FEE6BK9a" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1779693737; h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:cc:mime-version:mime-version:content-transfer-encoding:content-transfer-encoding; bh=bW8KaJpi8udYmyiUW7NK6ANQnUM7EADuYOYwL7NnDmk=; b=FEE6BK9amCw43FKvVXDblujY4YIpWo+NfMEwirwwINe0sGuo1G9VKJQLQufS41ZwPqi1NA iz9AXc/5BOnIDzLVEz/nwbBSWsJ7qykslYvELVZCpVnNEoDWBwZcFutFJ7ExBPS17s+J5e /HOYZczl/jgKfiIFIo2tlyd6A6aVQsk=
From: Hao Ge
To: Suren Baghdasaryan, Kent Overstreet, Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hao Ge
Subject: [PATCH] alloc_tag: fix use-after-free in /proc/allocinfo after module unload
Date: Mon, 25 May 2026 15:21:17 +0800
Message-Id: <20260525072117.112779-1-hao.ge@linux.dev>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

allocinfo_start() only reinitializes the codetag iterator at position 0.
For subsequent reads (position > 0), it reuses cached iterator state from
the previous batch. allocinfo_stop() drops mod_lock between read batches,
which allows module unload to complete and free the module memory that the
cached iterator still references:

  CPU0 (read)                              CPU1 (rmmod)
  ----                                     ----
  allocinfo_start(pos=0)
    down_read(mod_lock)
  allocinfo_show()
  ...
  allocinfo_stop()
    up_read(mod_lock)
                                           codetag_unload_module()
                                             kfree(cmod)
                                             release_module_tags()
                                           ...
                                           free_mod_mem()
  allocinfo_start(pos=N)
    down_read(mod_lock)
    // reuses cached iter, skips re-init
  allocinfo_show()
    ct->filename  <-- UAF

After free_mod_mem() frees the module's .rodata, allocinfo_show()
dereferences ct->filename, ct->function which point there.

Fix by always reinitializing the iterator in allocinfo_start().

Fixes: 9f44df50fee4 ("alloc_tag: keep codetag iterator active between read()")
Signed-off-by: Hao Ge --- lib/alloc_tag.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/alloc_tag.c b/lib/alloc_tag.c index ed1bdcf1f8ab..2b2d1580c714 100644 --- a/lib/alloc_tag.c +++ b/lib/alloc_tag.c @@ -51,16 +51,19 @@ struct allocinfo_private { static void *allocinfo_start(struct seq_file *m, loff_t *pos) { struct allocinfo_private *priv; + struct codetag *ct; loff_t node =3D *pos; =20 priv =3D (struct allocinfo_private *)m->private; codetag_lock_module_list(alloc_tag_cttype, true); - if (node =3D=3D 0) { + if (node =3D=3D 0) priv->print_header =3D true; - priv->iter =3D codetag_get_ct_iter(alloc_tag_cttype); - codetag_next_ct(&priv->iter); - } - return priv->iter.ct ? priv : NULL; + + priv->iter =3D codetag_get_ct_iter(alloc_tag_cttype); + while ((ct =3D codetag_next_ct(&priv->iter)) !=3D NULL && node) + node--; + + return ct ? priv : NULL; } =20 static void *allocinfo_next(struct seq_file *m, void *arg, loff_t *pos) --=20 2.25.1
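Review bot: the new `while ((ct = codetag_next_ct(&priv->iter)) != NULL && node) node--;` loop in allocinfo_start() re-walks the codetag list from its head on every read() batch, which brings back the repeated full walks that the commit named in the Fixes: tag ("keep codetag iterator active between read()") was introduced to avoid; the commit message should state that trade-off explicitly, or explain why revalidating the cached iterator under mod_lock was not preferred to discarding it. The re-walk itself is correctly placed after `codetag_lock_module_list(alloc_tag_cttype, true)`, so each batch only dereferences entries that are on the list while mod_lock is held, which is what closes the race. Minor: `ct` is assigned only inside the loop condition; that is fine because codetag_next_ct() is always called at least once, but a one-line comment saying that `node` is the seq_file position being skipped would help the next reader, and `priv->iter.ct` is no longer consulted after the walk, so the return should perhaps state that `ct` and `priv->iter.ct` are the same pointer here.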
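A user-space model of the race in the commit message and of the patched allocinfo_start() skip loop, added here as an illustration; it is not part of the patch or of the kernel. The tag array, unload_module(), the two-entry batch size and the `freed` flag (which stands in for unmapped module memory so the model stays deterministic instead of dereferencing a real dangling pointer) are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct codetag: `freed` marks memory that module
 * unload has taken away, so a read of a freed entry models the UAF. */
struct tag { const char *filename; int freed; };

#define NTAGS 6
/* Constructed sample: entries 2 and 3 belong to the module that gets unloaded. */
static struct tag tags[NTAGS] = {
    {"core/a.c", 0}, {"core/b.c", 0}, {"mod/x.c", 0},
    {"mod/y.c", 0},  {"core/c.c", 0}, {"core/d.c", 0},
};

/* Model of struct codetag_iterator: a list position plus the cached entry. */
struct iter { size_t idx; struct tag *ct; };

static struct iter get_iter(void) { struct iter it = {0, NULL}; return it; }

/* Model of codetag_next_ct(): freed entries were unlinked, so skip them. */
static struct tag *next_ct(struct iter *it)
{
    it->ct = NULL;
    while (it->idx < NTAGS) {
        struct tag *t = &tags[it->idx++];
        if (!t->freed) { it->ct = t; break; }
    }
    return it->ct;
}

static void reset_tags(void)
{
    for (size_t i = 0; i < NTAGS; i++) tags[i].freed = 0;
}

/* Stands in for codetag_unload_module() + free_mod_mem(). */
static void unload_module(void)
{
    for (size_t i = 0; i < NTAGS; i++)
        if (strncmp(tags[i].filename, "mod/", 4) == 0) tags[i].freed = 1;
}

/* Old behaviour: re-init only at pos 0, otherwise trust the cached entry. */
static struct tag *start_cached(struct iter *it, long pos)
{
    if (pos == 0) { *it = get_iter(); next_ct(it); }
    return it->ct;
}

/* Patched behaviour: always re-walk from the head and skip `pos` entries. */
static struct tag *start_rewalk(struct iter *it, long pos)
{
    struct tag *ct;
    *it = get_iter();
    while ((ct = next_ct(it)) != NULL && pos) pos--;
    return ct;
}

/* Reads two batches of two entries with a module unload in between (the lock
 * is dropped between batches, as allocinfo_stop() does).  Returns how many
 * times the reader touched a freed entry; 0 means no use-after-free. */
static int run_reader(int rewalk)
{
    struct iter it;
    struct tag *ct;
    long pos = 0;
    int uaf = 0;
    reset_tags();
    for (int batch = 0; batch < 2; batch++) {
        ct = rewalk ? start_rewalk(&it, pos) : start_cached(&it, pos);
        for (int n = 0; ct && n < 2; n++) {
            if (ct->freed) uaf++;       /* allocinfo_show() reading ct->filename */
            pos++;
            ct = next_ct(&it);          /* allocinfo_next() */
        }
        if (batch == 0) unload_module(); /* rmmod completes while lock is dropped */
    }
    return uaf;
}

/* Which entry the patched start() yields at `pos` once the module is gone. */
static const char *name_after_unload(long pos)
{
    struct iter it;
    struct tag *ct;
    reset_tags();
    unload_module();
    ct = start_rewalk(&it, pos);
    return ct ? ct->filename : NULL;
}

int main(void)
{
    printf("cached iterator: %d freed entries touched\n", run_reader(0));
    printf("re-walk each batch: %d freed entries touched\n", run_reader(1));
    printf("entry at pos 2 after unload: %s\n", name_after_unload(2));
    return 0;
}
```

The cached variant touches the module's first tag on the second batch because the iterator still points at it; the re-walk variant skips two live entries under the lock and lands on core/c.c, and returns NULL when the position is past the end of what remains.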