Oleg pointed out mm could be nullified right after mm_access succeeds. This patch validates it before using it. Cc: Oleg Nesterov <oleg@xxxxxxxxxx> Signed-off-by: Minchan Kim <minchan@xxxxxxxxxx> --- mm/madvise.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/mm/madvise.c b/mm/madvise.c index 8611f1d39289..bb04c7897eb9 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -1073,7 +1073,11 @@ int do_madvise(struct task_struct *task, unsigned long start, int write; size_t len; struct blk_plug plug; - struct mm_struct *mm = task->mm; + struct mm_struct *mm = READ_ONCE(task->mm); + + /* task can exit and nullify its ->mm right after mm_access() */ + if (!mm) + return -ESRCH; start = untagged_addr(start); -- 2.25.0.225.g125e21ebc7-goog
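Review bot: the NULL check on `READ_ONCE(task->mm)` closes the crash window described in the commit message, but do_madvise() is still re-reading `task->mm` instead of using the mm_struct the caller already obtained (and holds a reference on) from mm_access(). Since the task can drop its ->mm at any time, the pointer read here is a second source of truth that can differ from the one the reference was taken on; consider having the caller pass the mm returned by mm_access() into do_madvise() so the function operates on exactly the mm_struct whose lifetime is pinned, which also makes the `if (!mm) return -ESRCH;` path unnecessary in this function. If the re-read is kept, a comment should state why the mm_access() result is not used directly.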