KASAN splats indicate that in some cases we free a live mm, then continue to access it, with potentially disastrous results. This is likely due to a mismatched mmdrop() somewhere in the kernel, but so far the culprit remains elusive.
Let's have __mmdrop() verify that the mm isn't live for the current task, similar to the existing check for init_mm. This way, we can catch this class of issue earlier, and without requiring KASAN. Signed-off-by: Mark Rutland <[email protected]> Cc: Andrew Morton <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: Mathieu Desnoyers <[email protected]> Cc: Michal Hocko <[email protected]> Cc: Peter Zijlstra <[email protected]> Cc: Rik van Riel <[email protected]> Cc: Will Deacon <[email protected]> --- kernel/fork.c | 2 ++ 1 file changed, 2 insertions(+) Hi, For context, we're seeing an intermittent use-after-free of an mm on arm64 [1], where it looks like an mm has been freed earlier than expected. So far KASAN has only caught legitimate mmdrop() uses, where mm_count is presumably already bogus. Mark. [1] https://lkml.kernel.org/r/[email protected] diff --git a/kernel/fork.c b/kernel/fork.c index e5d9d405ae4e..6922d93551b8 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -595,6 +595,8 @@ static void check_mm(struct mm_struct *mm) void __mmdrop(struct mm_struct *mm) { BUG_ON(mm == &init_mm); + BUG_ON(mm == current->mm); + BUG_ON(mm == current->active_mm); mm_free_pgd(mm); destroy_context(mm); hmm_mm_destroy(mm); -- 2.11.0
