CVE-2022-48649
Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 28/04/2024
Last modified: 10/01/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

mm/slab_common: fix possible double free of kmem_cache

When doing a slub_debug test, kfence's 'test_memcache_typesafe_by_rcu'
kunit test case causes a use-after-free error:

    BUG: KASAN: use-after-free in kobject_del+0x14/0x30
    Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261

    CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Call Trace:
     dump_stack_lvl+0x34/0x48
     print_address_description.constprop.0+0x87/0x2a5
     print_report+0x103/0x1ed
     kasan_report+0xb7/0x140
     kobject_del+0x14/0x30
     kmem_cache_destroy+0x130/0x170
     test_exit+0x1a/0x30
     kunit_try_run_case+0xad/0xc0
     kunit_generic_run_threadfn_adapter+0x26/0x50
     kthread+0x17b/0x1b0

The cause is inside kmem_cache_destroy():

    kmem_cache_destroy
        acquire lock/mutex
        shutdown_cache
            schedule_work(kmem_cache_release) (if RCU flag set)
        release lock/mutex
        kmem_cache_release (if RCU flag not set)

Under certain timing, the scheduled work could run before
the next RCU flag check, which can then read a wrong value
and lead to a double kmem_cache_release().

Fix it by caching the RCU flag inside the protected area, just like 'refcnt'.
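The ordering problem described above, as an added user-space C model (not kernel code and not the patch itself): both versions of kmem_cache_destroy() run against a deferred release that fires as soon as the mutex is dropped, which is the timing the report hit. The struct, the flag value, the work-queue stand-in and the release counter are assumptions of the model.

```c
/* User-space model of the kmem_cache_destroy() race (not kernel code). */
#define SLAB_TYPESAFE_BY_RCU 0x00080000U   /* flag bit; value assumed for the model */

/* releases counts how many times kmem_cache_release() ran on the object. */
struct kmem_cache { unsigned int flags; int releases; };
static struct kmem_cache *rcu_work_arg;   /* the scheduled work item, if any */

/* Models kmem_cache_release(): once freed, the memory no longer holds the flag. */
static void kmem_cache_release(struct kmem_cache *s)
{
    s->releases++;
    s->flags = 0;   /* stands in for the freed object KASAN caught in kobject_del() */
}

/* Models shutdown_cache(): an RCU cache is released later by deferred work. */
static void shutdown_cache(struct kmem_cache *s)
{
    if (s->flags & SLAB_TYPESAFE_BY_RCU)
        rcu_work_arg = s;   /* schedule_work(kmem_cache_release) */
}

/* Worst-case timing from the report: the work runs as soon as the mutex is dropped. */
static void run_scheduled_work(void)
{
    if (rcu_work_arg) { kmem_cache_release(rcu_work_arg); rcu_work_arg = 0; }
}

/* Buggy ordering: s->flags is re-read after the lock has been released. */
static int destroy_buggy(struct kmem_cache *s)
{
    shutdown_cache(s);                         /* under slab_mutex */
    run_scheduled_work();                      /* after mutex_unlock() */
    if (!(s->flags & SLAB_TYPESAFE_BY_RCU))    /* reads 0 from the freed object */
        kmem_cache_release(s);                 /* second release: the double free */
    return s->releases;
}

/* Fixed ordering: the flag is cached while still inside the protected area. */
static int destroy_fixed(struct kmem_cache *s)
{
    shutdown_cache(s);                                       /* under slab_mutex */
    unsigned int rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;  /* still under slab_mutex */
    run_scheduled_work();                                    /* after mutex_unlock() */
    if (!rcu_set) kmem_cache_release(s);
    return s->releases;
}

/* Runs one destroy path on a fresh cache and returns how many releases happened. */
static int release_count(int (*destroy)(struct kmem_cache *), unsigned int flags)
{
    struct kmem_cache s = { flags, 0 };
    return destroy(&s);
}
```

With the RCU flag set, the buggy path releases the cache twice while the fixed path releases it once; without the flag both paths release it exactly once.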
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19.8 (including) | 5.19.12 (excluding) |