From: Yang Shi
Date: Tue, 15 Feb 2022 12:42:59 -0800
Subject: Re: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused after being freed
To: Suren Baghdasaryan
Cc: Andrew Morton, Michal Hocko, Michal Hocko, David Rientjes, Matthew Wilcox, Johannes Weiner, Roman Gushchin, Rik van Riel, Minchan Kim, "Kirill A. Shutemov", Andrea Arcangeli, brauner@kernel.org, christian@brauner.io, Christoph Hellwig, Oleg Nesterov, David Hildenbrand, Jann Horn, Shakeel Butt, luto@kernel.org, christian.brauner@ubuntu.com, fweimer@redhat.com, jengelh@inai.de, timmurray@google.com, Linux MM, Linux Kernel Mailing List, kernel-team@android.com, syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com

On Tue, Feb 15, 2022 at 12:19 PM Suren Baghdasaryan wrote:
>
> After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset,
> otherwise it points to a vma that was freed and when reused leads to
> a use-after-free bug.
>
> Reported-by: syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com
> Suggested-by: Michal Hocko
> Signed-off-by: Suren Baghdasaryan

Looks good to me. Reviewed-by: Yang Shi

> ---
> mm/mmap.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 1e8fdb0b51ed..d445c1b9d606 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm) > vma = remove_vma(vma); > cond_resched(); > } > + mm->mmap = NULL; > mmap_write_unlock(mm); > vm_unacct_memory(nr_accounted); > } > -- > 2.35.1.265.g69c8d7142f-goog >
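Review bot: the commit message says the stale mm->mmap pointer is dereferenced "when reused" but never names the path that reads it after exit_mmap() has freed the VMAs, and since the entire justification for this one-line change rests on that reader, the message should state which caller walks mm->mmap on a torn-down mm. The placement itself is right: `mm->mmap = NULL;` sits after the remove_vma() loop and before `mmap_write_unlock(mm);`, so the dangling list head is cleared while the write lock is still held rather than after it is dropped. A one-line comment above the assignment saying that the list head must not outlive the VMAs just freed would spare the next reader a trip to the archive to find out why a NULL store was needed there.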