On Tue, Feb 15, 2022 at 12:45 PM Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
>
> On Tue, Feb 15, 2022 at 12:37 PM Andrew Morton
> <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, 15 Feb 2022 12:19:22 -0800 Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
> >
> > > After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> > > otherwise it points to a vma that was freed and when reused leads to
> > > a use-after-free bug.
> > >
> > > ...
> > >
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
> > >  		vma = remove_vma(vma);
> > >  		cond_resched();
> > >  	}
> > > +	mm->mmap = NULL;
> > >  	mmap_write_unlock(mm);
> > >  	vm_unacct_memory(nr_accounted);
> > >  }
> >
> > https://lore.kernel.org/all/00000000000072ef2c05d7f81950@xxxxxxxxxx/
> >
> > It would be nice to have a Fixes: for this.
>
> Oh, right. Should be:
>
> Fixes: 64591e8605d6 ("mm: protect free_pgtables with mmap_lock write
> lock in exit_mmap")

Andrew, do you want me to post another version with
Fixes: 64591e8605d6 ("mm: protect free_pgtables with mmap_lock write lock in exit_mmap")
added or you can add it directly?

> >
> > Is it specific to process_mrelease(), or should we backport further?
>
> The broken change is recent and was introduced in v5.17-rc1.
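Review bot: the rationale for `mm->mmap = NULL;` in the exit_mmap() hunk lives only in the commit message; a one-line comment above the assignment (e.g. "all vmas were freed above, do not leave mm->mmap dangling") would keep the next reader from treating it as redundant and removing it, which is exactly the use-after-free this hunk closes. The commit message should also carry the Fixes: 64591e8605d6 ("mm: protect free_pgtables with mmap_lock write lock in exit_mmap") tag agreed in this thread, since the stable-backport question raised here is answered by it.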