2

From the explanation video of the Linux kernel vulnerability CVE-2016-6787, what I don't understand is this: though put_ctx isn't inside a mutex, there's an atomic_dec_and_test inside put_ctx at the very beginning, and kfree_rcu is only invoked if atomic_dec_and_test returns 1. How come two threads become racy then? Where is ctx getting used after the free operation?

sherlock
  • 569
  • 4
  • 7
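The ordering the question asks about is easier to see with a toy model, so here is an added example, written for this page rather than taken from the kernel or from the video, that reproduces the atomic_dec_and_test-then-free pattern in userspace C with a freed flag standing in for kfree_rcu. The struct, the helper functions and the two interleavings are constructed for illustration and do not reproduce the actual code path of CVE-2016-6787. What they show is the general rule: atomic_dec_and_test guarantees that exactly one caller sees the count reach zero, so there is never a double free, but it does nothing for a thread that has already read the pointer and has not yet taken its own reference. That thread is the one that touches the object after the free.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy object: an atomic reference count plus a "freed" flag that
 * stands in for the memory being returned to the allocator by kfree_rcu(). */
struct ctx {
    atomic_int refcount;
    bool freed;
    int payload;
};

static struct ctx *ctx_alloc(int payload) {
    struct ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    atomic_init(&c->refcount, 1);   /* the creator holds the first reference */
    c->payload = payload;
    return c;
}

static void get_ctx(struct ctx *c) { atomic_fetch_add(&c->refcount, 1); }

/* atomic_dec_and_test() semantics: true only for the caller that drops the
 * count to zero. Exactly one caller ever sees true. */
static bool put_ctx(struct ctx *c) {
    if (atomic_fetch_sub(&c->refcount, 1) == 1) {
        c->freed = true;            /* kfree_rcu() in the kernel */
        return true;
    }
    return false;
}

/* A "use" of the object. Returns -1 if it touched freed memory (the toy
 * equivalent of a KASAN use-after-free report). */
static int use_ctx(const struct ctx *c) { return c->freed ? -1 : c->payload; }

/* Interleaving 1: thread B takes its own reference before thread A drops the
 * creator's reference. The steps are written sequentially because the
 * scheduler's ordering is the whole point. */
static int interleaving_with_reference(void) {
    struct ctx *shared = ctx_alloc(42);   /* thread A: create, refcount = 1 */
    if (!shared) return -2;
    struct ctx *b_ctx = shared;           /* thread B: read the shared pointer */
    get_ctx(b_ctx);                       /* thread B: refcount = 2 */
    bool freed_by_a = put_ctx(shared);    /* thread A: refcount = 1, no free */
    int seen = use_ctx(b_ctx);            /* thread B: object still live */
    bool freed_by_b = put_ctx(b_ctx);     /* thread B: refcount = 0, frees */
    int result = (!freed_by_a && freed_by_b) ? seen : -3;
    free(shared);
    return result;                        /* 42: the reference kept it alive */
}

/* Interleaving 2: thread B has read the pointer but not yet called get_ctx()
 * when thread A's put_ctx() runs. atomic_dec_and_test() behaves correctly,
 * yet B still dereferences freed memory. */
static int interleaving_without_reference(void) {
    struct ctx *shared = ctx_alloc(42);   /* thread A: create, refcount = 1 */
    if (!shared) return -2;
    struct ctx *b_ctx = shared;           /* thread B: read the pointer only */
    bool freed_by_a = put_ctx(shared);    /* thread A: refcount = 0, frees */
    int seen = use_ctx(b_ctx);            /* thread B: use after free */
    int result = freed_by_a ? seen : -3;
    free(shared);
    return result;                        /* -1: touched freed memory */
}

int main(void) {
    printf("with reference:    %d\n", interleaving_with_reference());
    printf("without reference: %d\n", interleaving_without_reference());
    return 0;
}
```

The flag makes the bad access visible deterministically; in a real kernel build the same access would show up as a KASAN use-after-free report rather than a return value. The defensive rule the example illustrates is that a pointer read from shared state is only safe to dereference once the reader holds its own reference or a lock that the freeing path also takes, and the atomicity of the decrement itself does not provide that.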

0 Answers