From: Rik van Riel
To: Suren Baghdasaryan, akpm@linux-foundation.org
Cc: mhocko@kernel.org, mhocko@suse.com, shy828301@gmail.com, rientjes@google.com, willy@infradead.org, hannes@cmpxchg.org, guro@fb.com, minchan@kernel.org, kirill@shutemov.name, aarcange@redhat.com, brauner@kernel.org, christian@brauner.io, hch@infradead.org, oleg@redhat.com, david@redhat.com, jannh@google.com, shakeelb@google.com, luto@kernel.org, christian.brauner@ubuntu.com, fweimer@redhat.com, jengelh@inai.de, timmurray@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com, syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused after being freed
Date: Tue, 15 Feb 2022 15:26:57 -0500
Message-ID: <3db11c51eeb323c5b81ba29772128109160dc14f.camel@surriel.com>
In-Reply-To: <20220215201922.1908156-1-surenb@google.com>

On Tue, 2022-02-15 at 12:19 -0800, Suren Baghdasaryan wrote:
> After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> otherwise it points to a vma that was freed and when reused leads to
> a use-after-free bug.
>
> Reported-by: syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com
> Suggested-by: Michal Hocko
> Signed-off-by: Suren Baghdasaryan
>

Reviewed-by: Rik van Riel

-- 
All Rights Reversed.
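A minimal C model of the failure mode the quoted summary describes, added here as an illustration; it is not code from the kernel or from this patch. A toy "mm" keeps a singly linked list of "vma" objects headed by mm->mmap. Tearing the list down releases every vma; if the head is left untouched it keeps pointing at released memory, and any later user of the mm that walks mm->mmap starts from a freed object. Freed objects go into a small quarantine instead of being returned to malloc, so the dangling head can be detected without dereferencing freed memory. The names toy_mm, toy_vma, toy_exit_mmap, the quarantine and the page size used for the sample ranges are assumptions of this example, not the real mm_struct, vm_area_struct or exit_mmap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the kernel structures. */
struct toy_vma {
    unsigned long vm_start;
    unsigned long vm_end;
    struct toy_vma *vm_next;
};

struct toy_mm {
    struct toy_vma *mmap;   /* head of the vma list */
    int map_count;
};

/* Quarantine: released vmas are poisoned and parked here rather than freed,
 * so a pointer to one can be recognised later (a toy stand-in for what a
 * poisoning allocator or KASAN would catch). */
#define QUARANTINE_MAX 64
static struct toy_vma *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static void toy_vma_release(struct toy_vma *vma)
{
    vma->vm_start = vma->vm_end = 0xdeadbeefUL;   /* poison the object */
    vma->vm_next = NULL;
    if (quarantine_len < QUARANTINE_MAX)
        quarantine[quarantine_len++] = vma;
    else
        free(vma);
}

static bool toy_ptr_is_released(const struct toy_vma *p)
{
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p)
            return true;
    return false;
}

/* Build n constructed vmas, each 4096 bytes wide, starting at 0x10000. */
int toy_mm_populate(struct toy_mm *mm, int n)
{
    mm->mmap = NULL;
    mm->map_count = 0;
    for (int i = n - 1; i >= 0; i--) {
        struct toy_vma *vma = malloc(sizeof(*vma));
        if (!vma)
            return -1;
        vma->vm_start = 0x10000UL + (unsigned long)i * 4096UL;
        vma->vm_end = vma->vm_start + 4096UL;
        vma->vm_next = mm->mmap;
        mm->mmap = vma;
        mm->map_count++;
    }
    return 0;
}

/* Release every vma in the list and return how many were released.
 * reset_head selects the two behaviours the summary contrasts:
 *   false: the head is left alone and now dangles (the bug);
 *   true : the head is cleared after the walk (what the summary calls for). */
int toy_exit_mmap(struct toy_mm *mm, bool reset_head)
{
    struct toy_vma *vma = mm->mmap;
    int released = 0;
    while (vma) {
        struct toy_vma *next = vma->vm_next;
        toy_vma_release(vma);
        vma = next;
        released++;
    }
    mm->map_count = 0;
    if (reset_head)
        mm->mmap = NULL;
    return released;
}

/* Check a torn-down mm before it is reused.
 * Returns 1 if mmap still points at a released vma, 0 if the mm is clean. */
int toy_mm_check_after_teardown(const struct toy_mm *mm)
{
    if (mm->mmap != NULL && toy_ptr_is_released(mm->mmap))
        return 1;
    return (mm->map_count == 0 && mm->mmap == NULL) ? 0 : 1;
}

/* Run one teardown of 3 constructed vmas; returns the check result above,
 * or -1 if the constructed list could not be allocated. */
int toy_scenario(bool reset_head)
{
    struct toy_mm mm;
    if (toy_mm_populate(&mm, 3) != 0)
        return -1;
    toy_exit_mmap(&mm, reset_head);
    return toy_mm_check_after_teardown(&mm);
}

int main(void)
{
    printf("head left alone: %s\n", toy_scenario(false) ? "dangling" : "clean");
    printf("head reset:      %s\n", toy_scenario(true) ? "dangling" : "clean");
    return 0;
}
```

The quarantine is what makes the dangling head observable here; on a real kernel the same condition only shows up when the stale pointer is dereferenced, which is why the report came from syzbot rather than from a static check.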