Exploiting null-dereferences in the Linux kernel
ID: 750297bf-8a7b-5c2b-976f-9b0a93c7a8dd
STIX ID: report--750297bf-8a7b-5c2b-976f-9b0a93c7a8dd
Feed Name: Google Project Zero
This Project Zero blog post describes a Linux kernel null-pointer dereference in /proc/[pid]/smaps_rollup that, while normally considered low-risk because of modern mitigations, can be abused by repeatedly triggering kernel oopses to leak and overflow the mm_users refcount. The author demonstrates a PoC attack path that causes the refcount to wrap to zero, enabling concurrent __mmput calls and yielding double-free/use-after-free primitives (not fully developed into a working privilege escalation), explains practical mitigations and the upstream fixes (a direct patch for the bug and a limit on the number of oopses), and recommends careful evaluation of seemingly "harmless" oops-inducing bugs.
