Re: [PATCH bpf v3] bpf: Fix use-after-free on mm_struct in bpf_find_vma()
From: Alexei Starovoitov
Date: Tue Jun 09 2026 - 14:30:07 EST
On Tue Jun 9, 2026 at 3:52 AM PDT, Sanghyun Park wrote:
> bpf_find_vma() reads task->mm and calls mmap_read_trylock(mm) without
> holding a reference on the mm. On a foreign task, a concurrent exit_mm()
> can free the mm_struct between the lockless read and the trylock,
> resulting in a use-after-free. mm_struct is not SLAB_TYPESAFE_BY_RCU.
>
> For the current task, task->mm is stable. For a foreign task, pin the mm
> under task->alloc_lock and release it with mmput_async(), mirroring commit
> d8e27d2d22b6 ("bpf: fix mm lifecycle in open-coded task_vma iterator").
> Use spin_trylock() instead of get_task_mm() so BPF context does not block
> on alloc_lock. Reject irqs-disabled contexts and !CONFIG_MMU on the
> foreign-task path because dropping the mm reference is not safe there.
>
> Race:
>
> CPU0 (BPF program)                CPU1 (exiting task)
> ============================      ==========================
> bpf_find_vma(foreign_task):
>   mm = task->mm
>                                   exit_mm():
>                                     task->mm = NULL
>                                     mmput(mm) -> frees mm_struct
>   mmap_read_trylock(mm)
>   // UAF on mm
>
> Fixes: 7c7e3d31e785 ("bpf: Introduce helper bpf_find_vma")
> Signed-off-by: Sanghyun Park <sanghyun.park.cnu@xxxxxxxxx>
> ---
> v3:
> - Drop get_task_mm()+mmput(); mirror d8e27d2d22b6 with alloc_lock
>   trylock + mmput_async(). (Yonghong Song)
> - Reject irqs-disabled contexts on the foreign-task path.
> - Reject foreign-task path when !CONFIG_MMU: bpf_iter_mmput_async()
>   falls back to mmput() which may sleep, and bpf_find_vma() can run
>   in non-sleepable context.
> - Shorten the foreign-task rationale comment and trim the changelog body.
> - Fix v2's whitespace damage.
Pls use [PATCH bpf-next] subject.
pw-bot: cr
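The race in the changelog and the pinning pattern the patch adopts, as a userspace C model added here for illustration. This is not the patch and not kernel code: `struct mm`, `struct task`, `task_trylock()`, `mmput()` and `exit_mm()` are simplified stand-ins for mm_struct, task_struct, the alloc_lock spinlock, mmput()/mmput_async() and the real exit_mm(); the interleaving is forced sequentially through a callback instead of real threads, and a `freed` flag replaces a real free() so the stale use is observable rather than a crash. The irqs-disabled and !CONFIG_MMU rejections from the changelog are not modelled.

```c
/* Userspace model of the task->mm lifetime race.  Added illustration, not
 * kernel code: all struct and helper names are simplified stand-ins. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct mm {
    atomic_int mm_users;    /* reference count, like mm_struct.mm_users */
    bool freed;             /* set when the last reference is dropped */
    int nr_vmas;            /* payload a find_vma caller would walk */
};

struct task {
    atomic_int alloc_lock;  /* 0 = free, 1 = held; stands for task_struct.alloc_lock */
    struct mm *mm;
};

typedef void (*race_fn)(struct task *);

static bool task_trylock(struct task *t) { return atomic_exchange(&t->alloc_lock, 1) == 0; }
static void task_lock(struct task *t) { while (!task_trylock(t)) { } }
static void task_unlock(struct task *t) { atomic_store(&t->alloc_lock, 0); }

/* Drop one reference.  The last one "frees" the mm: we poison it instead of
 * calling free() so a later stale access is detectable, not undefined. */
static void mmput(struct mm *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1) {
        mm->freed = true;
        mm->nr_vmas = -1;
    }
}

/* CPU1 side of the race diagram: the foreign task exits. */
static void exit_mm(struct task *t)
{
    struct mm *mm;
    task_lock(t);
    mm = t->mm;
    t->mm = NULL;
    task_unlock(t);
    mmput(mm);
}

static void no_exit(struct task *t) { (void)t; }

/* Pre-fix shape: lockless read of task->mm with no reference taken, then
 * the mm is used after the racing exit has run. */
static int find_vma_buggy(struct task *t, race_fn race)
{
    struct mm *mm = t->mm;
    if (!mm)
        return -ENOENT;
    race(t);                  /* exit_mm(): task->mm = NULL; mmput() frees mm */
    if (mm->freed)
        return -EFAULT;       /* the kernel would be touching freed memory here */
    return mm->nr_vmas;       /* stands for mmap_read_trylock() + the vma walk */
}

/* Fixed shape: pin mm under alloc_lock with a trylock so the caller never
 * blocks, use it, then drop the pin (mmput_async() in the real kernel). */
static int find_vma_fixed(struct task *t, race_fn race)
{
    struct mm *mm;
    int ret;

    if (!task_trylock(t))
        return -EAGAIN;       /* alloc_lock held elsewhere: bail, do not spin */
    mm = t->mm;
    if (mm)
        atomic_fetch_add(&mm->mm_users, 1);   /* like mmget(): our own reference */
    task_unlock(t);
    if (!mm)
        return -ENOENT;
    race(t);                  /* exit_mm() now only drops the task's reference */
    ret = mm->freed ? -EFAULT : mm->nr_vmas;
    mmput(mm);                /* our reference; may be the last one */
    return ret;
}

/* Run one find_vma variant against a task whose exit is injected in the
 * race window.  *mm_released reports whether the mm was ultimately freed. */
static int run_race(int (*find_vma)(struct task *, race_fn), race_fn race,
                    bool *mm_released)
{
    struct task t = { .alloc_lock = 0, .mm = NULL };
    struct mm *mm = calloc(1, sizeof *mm);
    int ret;

    atomic_init(&mm->mm_users, 1);    /* the task's own reference */
    mm->nr_vmas = 3;                  /* constructed sample: three VMAs */
    t.mm = mm;
    ret = find_vma(&t, race);
    *mm_released = mm->freed;
    free(mm);
    return ret;
}

/* alloc_lock already held by someone else: the fixed path must return
 * -EAGAIN instead of blocking, which is the point of using a trylock. */
static int run_lock_contended(void)
{
    struct task t = { .alloc_lock = 1, .mm = NULL };
    struct mm m = { .nr_vmas = 3 };
    atomic_init(&m.mm_users, 1);
    t.mm = &m;
    return find_vma_fixed(&t, no_exit);
}

int main(void)
{
    bool released;
    int ret;

    ret = run_race(find_vma_buggy, exit_mm, &released);
    printf("buggy : ret=%d (-EFAULT=%d marks the use-after-free)\n", ret, -EFAULT);
    ret = run_race(find_vma_fixed, exit_mm, &released);
    printf("fixed : ret=%d vmas, mm released afterwards=%d\n", ret, released);
    printf("locked: ret=%d (-EAGAIN=%d)\n", run_lock_contended(), -EAGAIN);
    return 0;
}
```

The buggy run returns the poison code because the mm was torn down between the lockless read and the use; the fixed run returns the VMA count even though the same exit_mm() ran in between, and the mm is still released once the pinned reference is dropped, so nothing leaks. The contended-lock run shows why the patch uses a trylock on alloc_lock rather than get_task_mm(): the path refuses rather than spinning.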