The quilt patch titled Subject: mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped-v3 has been removed from the -mm tree. Its filename was mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped-v3.patch
This patch was dropped because it was folded into mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped.patch
------------------------------------------------------
From: Suren Baghdasaryan <surenb@google.com>
Subject: mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped-v3
Date: Tue, 29 Jul 2025 07:57:09 -0700
- Addressed Lorenzo's nits, per Lorenzo Stoakes
- Added a warning comment for vma_start_read()
- Added Reviewed-by and Acked-by, per Vlastimil Babka and Lorenzo Stoakes
Link: https://lkml.kernel.org/r/20250729145709.2731370-1-surenb@google.com
Fixes: 3104138517fc ("mm: make vma cache SLAB_TYPESAFE_BY_RCU")
Reported-by: Jann Horn <jannh@google.com>
Closes: https://lore.kernel.org/all/CAG48ez0-deFbVH=E3jbkWx=X3uVbd8nWeo6kbJPQ0KoUD+m...
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
 include/linux/mmap_lock.h |    7 +++++++
 mm/mmap_lock.c            |    2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
--- a/include/linux/mmap_lock.h~mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped-v3 +++ a/include/linux/mmap_lock.h @@ -155,6 +155,10 @@ static inline void vma_refcount_put(stru * reused and attached to a different mm before we lock it. * Returns the vma on success, NULL on failure to lock and EAGAIN if vma got * detached. + * + * WARNING! The vma passed to this function cannot be used if the function + * fails to lock it because in certain cases RCU lock is dropped and then + * reacquired. Once RCU lock is dropped the vma can be concurently freed. */ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm, struct vm_area_struct *vma) @@ -194,9 +198,12 @@ static inline struct vm_area_struct *vma if (unlikely(vma->vm_mm != mm)) { /* Use a copy of vm_mm in case vma is freed after we drop vm_refcnt */ struct mm_struct *other_mm = vma->vm_mm; + /* * __mmdrop() is a heavy operation and we don't need RCU * protection here. Release RCU lock during these operations. + * We reinstate the RCU read lock as the caller expects it to + * be held when this function returns even on error. */ rcu_read_unlock(); mmgrab(other_mm); --- a/mm/mmap_lock.c~mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped-v3 +++ a/mm/mmap_lock.c @@ -235,7 +235,7 @@ retry: goto fallback; }
- /* Verify the vma is not behind of the last search position. */ + /* Verify the vma is not behind the last search position. */ if (unlikely(from_addr >= vma->vm_end)) goto fallback_unlock;
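Review bot: In the first include/linux/mmap_lock.h hunk (the vma_start_read() header comment), the new WARNING paragraph says the vma "cannot be used if the function fails to lock it", but the sentence just above it lists two distinct failure results, NULL and EAGAIN; spelling out that the vma is off-limits on both of those returns would remove any doubt for a caller who only checks one of them. The same paragraph has a typo, "concurently" should be "concurrently", and since the whole point of the comment is that the vma may be freed once the RCU read lock is dropped, it is worth stating that the caller must re-look-up the vma rather than retry on the same pointer.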
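Review bot: In the second include/linux/mmap_lock.h hunk (the vm_mm != mm path), the added comment promises that the RCU read lock is reinstated before returning, but the visible context ends at rcu_read_unlock() and mmgrab(other_mm), so the matching rcu_read_lock() is not in the hunk; please include that call in the context, or move the "We reinstate the RCU read lock ..." sentence next to it, so a reader can verify the unlock/lock pairing in one place. The copy of vm_mm into other_mm before the unlock is the right thing to do given that the vma may be freed once vm_refcnt is dropped, and the comment on that line already says so.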
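Review bot: The mm/mmap_lock.c hunk only changes a comment ("behind of the last search position" to "behind the last search position"), so it has no functional effect and would not need the Fixes: and Cc: stable tags on its own; it is fine to carry it along since the notice above says this -v3 is being folded into the parent UAF fix, but it is worth keeping such wording-only fixes out of a change that is going to stable.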
_
Patches currently in -mm which might be from surenb@google.com are
mm-fix-a-uaf-when-vma-mm-is-freed-after-vma-vm_refcnt-got-dropped.patch