From: Hao Ge
To: Suren Baghdasaryan, Kent Overstreet, Andrew Morton
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Hao Ge
Subject: [PATCH v2] alloc_tag: fix use-after-free in /proc/allocinfo after module unload
Date: Thu, 4 Jun 2026 14:59:38 +0800
Message-Id: <20260604065938.105991-1-hao.ge@linux.dev>
X-Mailing-List: linux-kernel@vger.kernel.org

allocinfo_start() only reinitializes the codetag iterator at position 0.
For subsequent reads (position > 0), it reuses cached iterator state from
the previous batch.

allocinfo_stop() drops mod_lock between read batches, which allows module
unload to complete and free the module memory that the cached iterator
still references:

  CPU0 (read)                          CPU1 (rmmod)
  ----                                 ----
  allocinfo_start(pos=0)
    down_read(mod_lock)
  allocinfo_show()
  ...
  allocinfo_stop()
    up_read(mod_lock)
                                       codetag_unload_module()
                                         kfree(cmod)
                                       release_module_tags()
                                       ...
                                       free_mod_mem()
  allocinfo_start(pos=N)
    down_read(mod_lock)
    // reuses cached iter, skips re-init
  allocinfo_show()
    ct->filename  <-- UAF

After free_mod_mem() frees the module's .rodata, allocinfo_show()
dereferences ct->filename, ct->function which point there.

Save the iterator state in allocinfo_next() and resume from it in
allocinfo_start() with codetag_next_ct(), which detects module removal via
idr_find() returning NULL and skips to the next module.

Fixes: 9f44df50fee4 ("alloc_tag: keep codetag iterator active between read()")
Suggested-by: Suren Baghdasaryan
Signed-off-by: Hao Ge Acked-by: Suren Baghdasaryan --- v2: - save the iterator state in allocinfo_next() and resume from it in allocinfo_start() with codetag_next_ct(), which detects module removal via idr_find() returning NULL and skips to the next module (Suggested by Suren). v1 link: https://lore.kernel.org/all/20260525072117.112779-1-hao.ge@linux= .dev/ --- lib/alloc_tag.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/alloc_tag.c b/lib/alloc_tag.c index f2f574bcf383..551cc14bb1fd 100644 --- a/lib/alloc_tag.c +++ b/lib/alloc_tag.c @@ -45,6 +45,7 @@ int alloc_tag_ref_offs; =20 struct allocinfo_private { struct codetag_iterator iter; + struct codetag_iterator reported_iter; bool print_header; }; =20 @@ -58,16 +59,20 @@ static void *allocinfo_start(struct seq_file *m, loff_t= *pos) if (node =3D=3D 0) { priv->print_header =3D true; priv->iter =3D codetag_get_ct_iter(alloc_tag_cttype); - codetag_next_ct(&priv->iter); + } else { + priv->iter =3D priv->reported_iter; } + codetag_next_ct(&priv->iter); return priv->iter.ct ? priv : NULL; } =20 static void *allocinfo_next(struct seq_file *m, void *arg, loff_t *pos) { struct allocinfo_private *priv =3D (struct allocinfo_private *)arg; - struct codetag *ct =3D codetag_next_ct(&priv->iter); + struct codetag *ct; =20 + priv->reported_iter =3D priv->iter; + ct =3D codetag_next_ct(&priv->iter); (*pos)++; if (!ct) return NULL; --=20 2.25.1
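Review bot: in the `struct allocinfo_private` hunk (`@@ -45,6 +45,7 @@`), the new `reported_iter` field is added without a comment, and sitting next to `iter` the name alone does not say which of the two is the resume point; a one-line comment such as `/* iterator state at the codetag most recently returned; allocinfo_start() resumes from here */` would record the invariant the second hunk depends on.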
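Review bot: in the allocinfo_start()/allocinfo_next() hunk (`@@ -58,16 +59,20 @@`), the new `else` branch copies `priv->reported_iter` into `priv->iter` for every non-zero position, which assumes allocinfo_next() has already run at least once on this open file; if that holds for every way seq_file can call allocinfo_start() with `*pos > 0`, a short comment above the `else` saying so would save the next reader from re-deriving it, and if it does not, resuming from whatever `reported_iter` held before any allocinfo_next() call needs a guard. The pairing itself looks right: `reported_iter` is captured before `codetag_next_ct()` advances, so the re-advance in allocinfo_start() lands on the first codetag not yet shown, and when that codetag's module was unloaded in between, codetag_next_ct() moves on from the saved module id instead of handing back the cached `ct`.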
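As an added illustration (constructed here; not kernel code and not part of the patch), a user-space model of the two-batch read with a module unloading between batches, comparing the old cached-iterator resume with the patch's reported_iter resume. mod_mem[], mod_idr[], next_ct() and read_batches() are stand-ins of my own; byte-poisoning the unloaded module's block stands in for free_mod_mem().

```c
#include <string.h>
/* Constructed model, not kernel code: mod_mem[] is module memory, mod_idr[]
 * the codetag idr (NULL slot == idr_find() miss), poisoning == free_mod_mem(). */
#define NMODS 3
#define NTAGS 2
struct module { int tags[NTAGS]; };             /* tag value = 100*mod + index */
static struct module mod_mem[NMODS], *mod_idr[NMODS];
struct ct_iter { size_t mod_id, idx; const int *ct; };
static void load_all(void)
{
    for (size_t m = 0; m < NMODS; m++) {
        mod_idr[m] = &mod_mem[m];
        for (size_t t = 0; t < NTAGS; t++)
            mod_mem[m].tags[t] = (int)(100 * m + t);
    }
}
static void unload(size_t id)            /* rmmod: idr_remove(), then free_mod_mem() */
{
    mod_idr[id] = NULL;
    memset(&mod_mem[id], 0xff, sizeof mod_mem[id]);   /* poison: every tag reads -1 */
}
/* codetag_next_ct() stand-in: advance by module id, skipping ids whose
 * module is gone, so a stale it->ct is replaced rather than dereferenced. */
static const int *next_ct(struct ct_iter *it)
{
    for (it->ct = NULL; !it->ct && it->mod_id < NMODS; ) {
        struct module *m = mod_idr[it->mod_id];
        if (m && it->idx < NTAGS) it->ct = &m->tags[it->idx++];
        else { it->mod_id++; it->idx = 0; }
    }
    return it->ct;
}
/* Two seq_file batches with module 1 unloading in between (mod_lock is dropped
 * by allocinfo_stop()). fixed == 0 reuses the cached iterator like the old
 * allocinfo_start(); fixed != 0 restores reported_iter and re-advances. */
static size_t read_batches(int fixed, int out[], size_t batch)
{
    struct ct_iter iter = {0}, reported = {0}; size_t n = 0;
    load_all();
    for (const int *ct = next_ct(&iter); ct && n < batch; ct = next_ct(&iter)) {
        out[n++] = *ct;
        reported = iter;               /* allocinfo_next(): save, then advance */
    }
    unload(1);
    if (fixed) { iter = reported; next_ct(&iter); }  /* patched start(pos > 0) */
    for (const int *ct = iter.ct; ct; ct = next_ct(&iter))
        out[n++] = *ct;                /* unpatched path reads poisoned memory */
    return n;
}
```

With a batch of three, the unpatched path emits the poisoned tag (-1) for module 1 before moving on, while the patched path resumes directly at module 2's first tag.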