On Fri, 25 Feb 2022 11:17:34 +0100 Michal Hocko <mhocko@xxxxxxxx> wrote:

> On Thu 24-02-22 20:18:59, Andrew Morton wrote:
> > On Tue, 15 Feb 2022 12:19:22 -0800 Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
> >
> > > After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> > > otherwise it points to a vma that was freed and when reused leads to
> > > a use-after-free bug.
> > >
> > > ...
> > >
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
> > > vma = remove_vma(vma);
> > > cond_resched();
> > > }
> > > + mm->mmap = NULL;
> > > mmap_write_unlock(mm);
> > > vm_unacct_memory(nr_accounted);
> > > }
> >
> > After the Maple tree patches, mm_struct.mmap doesn't exist. So I'll
> > revert this fix as part of merging the maple-tree parts of linux-next.
> > I'll be sending this fix to Linus this week.
>
> But this is a regression introduced in this release cycle so the patch
> should be merged before Maple tree patches, no?

Yes, I'll be sending this one-liner upstream very soon and we'll then undo it in the maple-tree patchset.
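Review bot: the added `mm->mmap = NULL;` in the exit_mmap() hunk carries no comment explaining why it is required; the changelog says the stale pointer into a freed vma causes a use-after-free when the mm is reused, so a one-line comment before the assignment (for example `/* All vmas were freed above; clear the stale list head. */`) would stop a later cleanup from dropping it as a dead store. Since the thread describes this as a regression introduced in the current release cycle, the changelog should also carry a Fixes: tag naming the commit that introduced it, so the one-liner is picked up wherever that commit lands.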