On Tue, 15 Feb 2022 12:19:22 -0800 Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:

> After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> otherwise it points to a vma that was freed and when reused leads to
> a use-after-free bug.
>
> ...
>
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
>  		vma = remove_vma(vma);
>  		cond_resched();
>  	}
> +	mm->mmap = NULL;
>  	mmap_write_unlock(mm);
>  	vm_unacct_memory(nr_accounted);
>  }

After the Maple tree patches, mm_struct.mmap doesn't exist. So I'll revert this fix as part of merging the maple-tree parts of linux-next.

I'll be sending this fix to Linus this week.

All of which means that the thusly-resolved Maple tree patches might reintroduce this use-after-free bug.
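Review bot: the `mm->mmap = NULL` reset in the exit_mmap hunk is placed correctly, after the remove_vma loop has freed the last vma and while mmap_write_lock is still held, but the commit message should name the path that reads mm->mmap after exit_mmap returns ("when reused" is not specific enough to verify the use-after-free or to write a regression test against). Since the reply notes that mm_struct.mmap is removed by the Maple tree series and this fix will be reverted when those patches are merged, it would also help to state in the commit message whether the stale-pointer condition exists in the maple-tree representation of the mm, so that whoever resolves the conflict knows whether an equivalent reset is still needed there rather than silently dropping the fix.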