Kernel on Moe's VR blog

Unix GC Remastered

Sun, 19 Apr 2026 00:00:00 +0000

Introduction

The AF_UNIX garbage collector is an interesting piece of the kernel. It exists because sockets can be sent with SCM_RIGHTS but they can become unreachable from user-space while still being kept alive by the kernel, which is not memory efficient; in this situation, the garbage collector intervenes to free them. Not long ago, the subsystem was rewritten from scratch on top of a graph/Strongly-Connected-Components model; but it is still bug prone. This post walks the rewrite end-to-end, and discusses a Use-After-Free bug.

CVE-2026-31419: Use-After-Free in the Linux Bonding Driver

Wed, 15 Apr 2026 00:00:00 +0000

Introduction

Linux offers a way to synchronize multiple network interfaces, physical or virtual, and make them run a single logical NIC. The bonding driver handles of all that work. It is present in all major distros and this bug is exploitable in the ones that allow usernamespaces for unprivileged users like in RedHat or Fedora; that is, it’s reachable from any code path that can send packets out of the bonding device.

CVE-2024-0582, or Easy Kernel Exploitation

Wed, 18 Mar 2026 00:00:00 +0000

Introduction

io_uring has been a heavily targeted subsystem in the Linux kernel — at one point it constituted 60% of kCTF entries (source). As with most newly introduced features, io_uring — since its introduction in 2019 — has been very bug-prone.

Notes On RCU

Mon, 09 Mar 2026 00:00:00 +0000

RCU is a mechanism in the Linux kernel for concurrency that is lock-free, wait-free (for readers) and that allows concurrent readers and a single updater. RCU is made up of three fundamental mechanisms, one for insertion, the other for deletion, and the third being used to allow readers to tolerate concurrent insertions and deletions. These mechanisms are described in the following sections, which focus on applying RCU to linked lists.

Notes on io_uring bugs & exploitation

Tue, 20 Jan 2026 00:00:00 +0000

Introduction

io_uring is one of the most ambitious kernel interfaces added in recent years: a shared-memory asynchronous I/O engine designed to avoid the syscall-heavy overhead of traditional read, write, and networking paths. That performance-oriented design also makes it unusually interesting from a security perspective, because the subsystem is full of long-lived shared state, lifetime-sensitive objects, and fast paths that interact closely with core kernel memory-management code.

Notes on refcounting and Unix Garbage Collector in the Linux Kernel

Tue, 23 Dec 2025 00:00:00 +0000

As a means of studying and getting to know more about the linux kernel, especially exploitation(LPE & RCE), i tried to make notes and go as far as i can in reviewing the unix garbage, or GC, collector, the io_uring subsystem, and some CVEs that showcase all of these. I am currently working on an N-day LPE for CVE-2022-2602 LPE to make it work with FUSE technique.

Notes on Linux Internals: The Slab Allocator

Sat, 06 Sep 2025 00:00:00 +0000

Introduction

This post is some of my early notes on the SLUB allocator.

The kernel heap allocator is an important component responsible for satisfying allocation/de-allocation requests coming from different sources like device drivers, usermode processes, filesystems, etc. These notes discuss only kmalloc and kmem_cache_alloc*, but there are three main memory allocators used by the kernel: