In the Linux kernel, the following vulnerability has been resolved:
fork: defer linking file vma until vma is fully initialized
Thorvald reported a WARNING [1]. And the root cause is below race:
CPU 1 CPU 2 fork hugetlbfsfallocate dupmmap hugetlbfspunchhole immaplockwrite(mapping); vmaintervaltreeinsertafter -- Child vma is visible through immap tree. immapunlockwrite(mapping); hugetlbdupvmaprivate -- Clear vmalock outside immaprwsem! immaplockwrite(mapping); hugetlbvmdeletelist vmaintervaltreeforeach hugetlbvmatrylockwrite -- Vmalock is cleared. tmp->vmops->open -- Alloc new vmalock outside immaprwsem! hugetlbvmaunlockwrite -- Vmalock is assigned!!! immapunlockwrite(mapping);
hugetlbdupvmaprivate() and hugetlbvmopopen() are called outside immaprwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.