From: Hui Zhu
To: Andrew Morton, "Liam R . Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Hui Zhu
Subject: [PATCH mm-unstable 1/2] mm/mmap: fix Use-After-Free of vma_iterator in dup_mmap() error path
Date: Wed, 4 Mar 2026 15:00:56 +0800
Message-ID: <2360c415d4aba233d80666b8820ee31aa77c54d6.1772607155.git.zhuhui@kylinos.cn>
In-Reply-To:
References:
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

From: Hui Zhu

When dup_mmap() fails during the process of duplicating VMAs, it jumps to the 'loop_out' label to clean up resources. The current implementation calls vma_iter_free(&vmi) at the beginning of this cleanup path.

The error handling logic still needs to use the 'vmi' to traverse and tear down the partially initialized maple tree for the new mm. Since vma_iter_free() calls mas_destroy(), this results in a Use-After-Free (UAF).

This patch fixes the UAF by moving the vma_iter_free() call to the end of the cleanup block, ensuring the iterator remains valid throughout the entire rollback process.

Signed-off-by: Hui Zhu
---
 mm/mmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 843160946aa5..498c88a54a36 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1848,8 +1848,8 @@ __latent_entropy int dup_mmap(struct mm_struct *mm, s= truct mm_struct *oldmm) /* a new mm has just been created */ retval =3D arch_dup_mmap(oldmm, mm); loop_out: - vma_iter_free(&vmi); if (!retval) { + vma_iter_free(&vmi); mt_set_in_rcu(vmi.mas.tree); ksm_fork(mm, oldmm); khugepaged_fork(mm, oldmm); 
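Review bot: the description says the free is "moved to the end of the cleanup block", but this hunk keeps a vma_iter_free(&vmi) in the success branch (`if (!retval) { vma_iter_free(&vmi); ...`) while the failure path gets its own call further down, so the iterator is now released on two separate exits from loop_out; the commit message should say so, and a one-line comment here that every path out of loop_out must free the iterator exactly once would help the next person who touches this. Note also that `mt_set_in_rcu(vmi.mas.tree);` still reads the iterator immediately after it has been freed; that is only safe because vma_iter_free() releases the preallocated nodes and leaves the tree pointer in place, which the same comment can state.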
@@ -1893,6 +1893,7 @@ __latent_entropy int dup_mmap(struct mm_struct *mm, s= truct mm_struct *oldmm) charge =3D tear_down_vmas(mm, &vmi, tmp, end); vm_unacct_memory(charge); } + vma_iter_free(&vmi); __mt_destroy(&mm->mm_mt); /* * The mm_struct is going to exit, but the locks will be dropped --=20 2.43.0
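Review bot: the added vma_iter_free(&vmi) sits after the closing brace of the `if (end) {` block, so the iterator is released on every failure path whether or not any VMA was torn down, and before __mt_destroy(&mm->mm_mt) takes the tree apart; that placement and ordering are right, but neither the hunk nor the commit message explains them, so add a comment such as "release the iterator's preallocated nodes before the tree itself is destroyed". The commit message also carries no Fixes: tag; if the early free at loop_out came in through an unreleased mm-unstable commit, say so (and consider asking for a fold), otherwise name the offending commit so stable maintainers can pick this up.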
From: Hui Zhu
To: Andrew Morton, "Liam R . Howlett", Lorenzo Stoakes, Vlastimil Babka, Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Hui Zhu
Subject: [PATCH mm-unstable 2/2] mm/mmap: fix NULL pointer dereference in dup_mmap() error handling
Date: Wed, 4 Mar 2026 15:00:57 +0800
Message-ID: <6dc840b8dc7da9f56787e7a353c633b3c12eda6a.1772607155.git.zhuhui@kylinos.cn>
In-Reply-To:
References:
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Migadu-Flow: FLOW_OUT
Content-Type: text/plain; charset="utf-8"

From: Hui Zhu

If dup_mmap() fails very early in its execution, it's possible that no VMAs have been inserted into the new mm's maple tree. When vma_next() is called in the cleanup block to retrieve the first VMA ('tmp'), it may return NULL.

The UNMAP_STATE macro and the subsequent call to tear_down_vmas() do not perform a NULL check on 'tmp' and directly attempt to access its fields (such as tmp->vm_end). This results in a NULL pointer dereference and a kernel panic.

This patch adds an explicit NULL check for 'tmp' before proceeding with the unmap and tear down logic in the failure path of dup_mmap().
Signed-off-by: Hui Zhu
---
 mm/mmap.c | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c
index 498c88a54a36..ca5645a2e456 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1879,19 +1879,24 @@ __latent_entropy int dup_mmap(struct mm_struct *mm,= struct mm_struct *oldmm) if (end) { vma_iter_set(&vmi, 0); tmp =3D vma_next(&vmi); - UNMAP_STATE(unmap, &vmi, /* first =3D */ tmp, - /* vma_start =3D */ 0, /* vma_end =3D */ end, - /* prev =3D */ NULL, /* next =3D */ NULL); - - /* - * Don't iterate over vmas beyond the failure point for - * both unmap_vma() and free_pgtables(). - */ - unmap.tree_end =3D end; - flush_cache_mm(mm); - unmap_region(&unmap); - charge =3D tear_down_vmas(mm, &vmi, tmp, end); - vm_unacct_memory(charge); + if (tmp) { + UNMAP_STATE(unmap, &vmi, + /* first =3D */ tmp, + /* vma_start =3D */ 0, + /* vma_end =3D */ end, + /* prev =3D */ NULL, + /* next =3D */ NULL); + + /* + * Don't iterate over vmas beyond the failure point for + * both unmap_vma() and free_pgtables(). + */ + unmap.tree_end =3D end; + flush_cache_mm(mm); + unmap_region(&unmap); + charge =3D tear_down_vmas(mm, &vmi, tmp, end); + vm_unacct_memory(charge); + } } vma_iter_free(&vmi); __mt_destroy(&mm->mm_mt); --=20 2.43.0
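Review bot: the new `if (tmp) {` guard silently skips unmap_region(), tear_down_vmas() and vm_unacct_memory() whenever `end` is non-zero but vma_next() finds an empty tree, and the commit message never says how that state arises, i.e. what sets `end` before the first VMA has been inserted; if `end` can legitimately be non-zero with nothing in the tree, the cleaner fix may be in the code that sets `end`, and if it cannot, this is a state mismatch that deserves a WARN_ON_ONCE() rather than a silent skip. Please also state in the message why nothing charged before the first insertion is leaked when vm_unacct_memory() is bypassed. As a style point, most of the 31 changed lines are re-indentation of unchanged code; an early-out form that leaves the existing block flat would keep the diff to the few lines that actually change.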