Currently we do not properly handle the case when we destroy a memcache, and still have metadata of a KFENCE object.
One thing I noticed is that when inspecting /sys/kernel/debug/kfence/objects, printing the memcache name of a destroyed memcache results in KFENCE doing a UAF and/or accessing random kernel memory and showing that to userspace.
In a test I ran, in /sys/kernel/debug/kfence/objects, the names of destroyed memcaches were showing garbage data, i.e. we were leaking random kernel memory.
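The pattern described above, sketched as a userspace C model: retained per-object metadata keeps a back-pointer to its cache, so destroying the cache has to clear those pointers and the reporting path has to tolerate a cleared one. This is an added example, not KFENCE or kernel code; every struct and function name in it is hypothetical.

```c
/* Userspace model (constructed for illustration; not kernel code). */
#include <stdio.h>
#include <stdlib.h>

#define NUM_OBJECTS 4

struct cache { char name[32]; };

/* Metadata outlives the object and points back at the owning cache. */
struct obj_meta { const struct cache *cache; };

static struct obj_meta metadata[NUM_OBJECTS];

static struct cache *cache_create(const char *name)
{
    struct cache *c = malloc(sizeof(*c));
    if (c)
        snprintf(c->name, sizeof(c->name), "%s", name);
    return c;
}

/* Hardened destroy: drop every metadata reference before freeing.
 * Without this loop, metadata[i].cache dangles and a later report
 * reads c->name from freed memory. Returns the number cleared. */
static int cache_destroy(struct cache *c)
{
    int cleared = 0;
    for (int i = 0; i < NUM_OBJECTS; i++) {
        if (metadata[i].cache == c) {
            metadata[i].cache = NULL;
            cleared++;
        }
    }
    free(c);
    return cleared;
}

/* Reporting path: a cleared back-pointer prints a fixed placeholder. */
static int format_object(int idx, char *buf, size_t len)
{
    const struct cache *c = metadata[idx].cache;
    return snprintf(buf, len, "object #%d cache=%s", idx,
                    c ? c->name : "<destroyed>");
}

int main(void)
{
    char buf[64];
    struct cache *c = cache_create("test-cache");
    if (!c) return 1;
    metadata[0].cache = c;
    cache_destroy(c);
    format_object(0, buf, sizeof(buf));
    puts(buf);
    return 0;
}
```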