Due to the lack of READ_ONCE() on p->mm, this code can in fact turn into
a NULL deref when we hit do_exit() around exit_mm(). The first p->mm
read is before and sees !NULL, the second is after and does observe
NULL, which triggers a null pointer dereference.

Signed-off-by: Mathieu Desnoyers <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: "Eric W. Biederman" <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Russell King - ARM Linux admin <[email protected]>
Cc: Chris Metcalf <[email protected]>
Cc: Christoph Lameter <[email protected]>
Cc: Kirill Tkhai <[email protected]>
Cc: Mike Galbraith <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
---
 kernel/sched/membarrier.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
index aa8d75804108..02feb7c8da4f 100644
--- a/kernel/sched/membarrier.c
+++ b/kernel/sched/membarrier.c
@@ -72,12 +72,16 @@ static int membarrier_global_expedited(void)
 
                rcu_read_lock();
                p = task_rcu_dereference(&cpu_rq(cpu)->curr);
-               if (p && p->mm && (atomic_read(&p->mm->membarrier_state) &
+               if (p) {
+                       struct mm_struct *mm = READ_ONCE(p->mm);
+
+                       if (mm && (atomic_read(&mm->membarrier_state) &
                                   MEMBARRIER_STATE_GLOBAL_EXPEDITED)) {
-                       if (!fallback)
-                               __cpumask_set_cpu(cpu, tmpmask);
-                       else
-                               smp_call_function_single(cpu, ipi_mb, NULL, 1);
+                               if (!fallback)
+                                       __cpumask_set_cpu(cpu, tmpmask);
+                               else
+                                       smp_call_function_single(cpu, ipi_mb, 
NULL, 1);
+                       }
                }
                rcu_read_unlock();
        }
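Review bot: READ_ONCE(p->mm) removes the double read that the commit message describes, but nothing in this hunk keeps the mm_struct itself alive between `struct mm_struct *mm = READ_ONCE(p->mm);` and `atomic_read(&mm->membarrier_state)`. rcu_read_lock() and task_rcu_dereference(&cpu_rq(cpu)->curr) pin the task_struct, not the mm it pointed at, and the commit message itself places this read concurrent with do_exit()/exit_mm(), which is exactly where that task drops its mm. Either the patch description should spell out what guarantees the mm is not freed in that window (for example that the task is still rq->curr and therefore still holds its active_mm), or the membarrier_state should be read from somewhere the runqueue walk can reach without dereferencing p->mm at all. A short comment above the READ_ONCE stating the lifetime argument would help the next reader either way.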
-- 
2.17.1
