From: PaX Team <pageexec@xxxxxxxxxxx> http://lkml.org/lkml/2013/9/17/30 SyS_remap_file_pages() calls mmap_region(), which calls remove_vma_list(), which calls remove_vma(), which frees the vma. Later (after out label) SyS_remap_file_pages() accesses the freed vma in vm_flags = vma->vm_flags. Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx> Signed-off-by: PaX Team <pageexec@xxxxxxxxxxx> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx --- mm/fremap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/fremap.c b/mm/fremap.c index 5bff08147768..afad07b85ef2 100644 --- a/mm/fremap.c +++ b/mm/fremap.c @@ -218,6 +218,8 @@ get_write_lock: BUG_ON(addr != start); err = 0; } + vm_flags = vma->vm_flags; + vma = NULL; goto out; } mutex_lock(&mapping->i_mmap_mutex); -- 1.7.9.5 -- Kees Cook Chrome OS Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>
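Review bot: the added `vm_flags = vma->vm_flags;` still dereferences `vma` after the point where, per the commit message, mmap_region() has already freed it: the hunk sits right after the `BUG_ON(addr != start); err = 0;` branch, i.e. on the return path of that mmap_region() call, so the read of the freed vma is only moved a few lines earlier rather than removed. Suggest caching the flags before the call instead (`vm_flags = vma->vm_flags;` ahead of mmap_region(), and passing `vm_flags` to it), so that nothing touches `vma` once mmap_region() has returned. Separately, `vma = NULL;` followed by `goto out` is only safe if the code at the `out` label tests `vma` for NULL before reading `vma->vm_flags`; that guard is not visible in this hunk, so either quote it in the changelog or jump to a label past that read.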