CVE-2025-38554

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
19/08/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped

By inducing delays in the right places, Jann Horn created a reproducer for
a hard to hit UAF issue that became possible after VMAs were allowed to be
recycled by adding SLAB_TYPESAFE_BY_RCU to their cache.

Race description is borrowed from Jann's discovery report:
lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under
rcu_read_lock(). At that point, the VMA may be concurrently freed, and it
can be recycled by another process. vma_start_read() then increments the
vma->vm_refcnt (if it is in an acceptable range), and if this succeeds,
vma_start_read() can return a recycled VMA.

In this scenario where the VMA has been recycled, lock_vma_under_rcu()
will then detect the mismatching ->vm_mm pointer and drop the VMA through
vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops
the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm.
This is wrong: It implicitly assumes that the caller is keeping the VMA's
mm alive, but in this scenario the caller has no relation to the VMA's mm,
so the rcuwait_wake_up() can cause UAF.

The diagram depicting the race:

T1                                          T2          T3
==                                          ==          ==
lock_vma_under_rcu
  mas_walk
                                                        mmap
  vma_start_read
    __refcount_inc_not_zero_limited_acquire
                                                        munmap
                                                          __vma_enter_locked
                                                            refcount_add_not_zero
  vma_end_read
    vma_refcount_put
      __refcount_dec_and_test
                                                            rcuwait_wait_event
      rcuwait_wake_up [UAF]

Note that rcuwait_wait_event() in T3 does not block because refcount was
already dropped by T1. At this point T3 can exit and free the mm causing
UAF in T1.

To avoid this we move vma->vm_mm verification into vma_start_read() and
grab vma->vm_mm to stabilize it before vma_refcount_put() operation.

[surenb@google.com: v3]
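The ordering the fix depends on, shown as an added user-space model that is not kernel code and not part of this advisory: a stand-in for the vulnerable vma_refcount_put() path, which reads the copied vm_mm after dropping the refcount, beside the pinned variant the description calls for. The names mm_drop, wake_writer, drop_vm_refcnt and run_race, and the freed flag, are assumptions standing in for mmdrop(), rcuwait_wake_up(), the T3 exit path and the actual memory release.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed model of the race on this page (not kernel code); "freed"
 * stands in for the owning mm's memory being released when T3 exits. */
struct mm_struct { atomic_int mm_count; bool freed; };
struct vm_area   { atomic_int vm_refcnt; struct mm_struct *vm_mm; };

/* mmdrop() analogue: the last reference holder frees the mm. */
static void mm_drop(struct mm_struct *mm)
{
    if (atomic_fetch_sub(&mm->mm_count, 1) == 1) mm->freed = true;
}

/* rcuwait_wake_up() analogue: touching a freed mm is the UAF, reported
 * here as false instead of as memory corruption. */
static bool wake_writer(struct mm_struct *mm)
{
    return !mm->freed;
}

/* At zero, T3's rcuwait_wait_event() unblocks; T3 exits and frees its mm. */
static void drop_vm_refcnt(struct vm_area *vma)
{
    if (atomic_fetch_sub(&vma->vm_refcnt, 1) == 1) mm_drop(vma->vm_mm);
}

/* Vulnerable order: copy vm_mm, drop the refcount, then wake on the copy. */
static bool put_then_wake_vulnerable(struct vm_area *vma)
{
    struct mm_struct *mm = vma->vm_mm;  /* caller holds nothing on this mm */
    drop_vm_refcnt(vma);
    return wake_writer(mm);             /* mm may already be gone */
}

/* Fixed order: pin the foreign mm before the drop, unpin after the wake-up. */
static bool put_then_wake_fixed(struct vm_area *vma)
{
    struct mm_struct *mm = vma->vm_mm;
    atomic_fetch_add(&mm->mm_count, 1); /* mmgrab() */
    drop_vm_refcnt(vma);
    bool ok = wake_writer(mm);
    mm_drop(mm);                        /* mmdrop() */
    return ok;
}

/* Fixture: recycled VMA with one reader hold; the mm is kept alive only by T3. */
static bool run_race(bool fixed)
{
    struct mm_struct mm = { .mm_count = 1, .freed = false };
    struct vm_area vma = { .vm_refcnt = 1, .vm_mm = &mm };
    return fixed ? put_then_wake_fixed(&vma) : put_then_wake_vulnerable(&vma);
}
```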

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.15 (including) 6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.16.1 (excluding)