CVE-2022-48649

In the Linux kernel, the following vulnerability has been resolved:

mm/slabcommon: fix possible double free of kmemcache

When doing slubdebug test, kfence's 'testmemcachetypesafeby_rcu' kunit test case cause a use-after-free error:

BUG: KASAN: use-after-free in kobjectdel+0x14/0x30 Read of size 8 at addr ffff888007679090 by task kunittry_catch/261

CPU: 1 PID: 261 Comm: kunittrycatch Tainted: G B N 6.0.0-rc5-next-20220916 #17 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x34/0x48 printaddressdescription.constprop.0+0x87/0x2a5 printreport+0x103/0x1ed kasanreport+0xb7/0x140 kobjectdel+0x14/0x30 kmemcachedestroy+0x130/0x170 testexit+0x1a/0x30 kunittryruncase+0xad/0xc0 kunitgenericrunthreadfn_adapter+0x26/0x50 kthread+0x17b/0x1b0 </TASK>

The cause is inside kmemcachedestroy():

kmemcachedestroy acquire lock/mutex shutdowncache schedulework(kmemcacherelease) (if RCU flag set) release lock/mutex kmemcacherelease (if RCU flag not set)

In some certain timing, the scheduled work could be run before the next RCU flag checking, which can then get a wrong value and lead to double kmemcacherelease().

Fix it by caching the RCU flag inside protected area, just like 'refcnt'