Re: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused after being freed

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 25 Feb 2022 11:17:34 +0100 Michal Hocko <mhocko@xxxxxxxx> wrote:

> On Thu 24-02-22 20:18:59, Andrew Morton wrote:
> > On Tue, 15 Feb 2022 12:19:22 -0800 Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
> > 
> > > After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> > > otherwise it points to a vma that was freed and when reused leads to
> > > a use-after-free bug.
> > > 
> > > ...
> > >
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
> > >  		vma = remove_vma(vma);
> > >  		cond_resched();
> > >  	}
> > > +	mm->mmap = NULL;
> > >  	mmap_write_unlock(mm);
> > >  	vm_unacct_memory(nr_accounted);
> > >  }
> > 
> > After the Maple tree patches, mm_struct.mmap doesn't exist.  So I'll
> > revert this fix as part of merging the maple-tree parts of linux-next.
> > I'll be sending this fix to Linus this week.
> 
> But this is a regression introduced in this release cycle so the patch
> should be merged before Maple tree patches, no?

Yes, I'll be sending this one-liner upstream very soon and we'll then
undo it in the maple-tree patchset.




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux