From: Andrea Arcangeli <aarcange@redhat.com>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
	Dmitry Vyukov <dvyukov@google.com>,
	syzbot
	<bot+6a5269ce759a7bb12754ed9622076dc93f65a1f6@syzkaller.appspotmail.com>,
	Jan Beulich <JBeulich@suse.com>, "H. Peter Anvin" <hpa@zytor.com>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	ldufour@linux.vnet.ibm.com, LKML <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	syzkaller-bugs@googlegroups.com,
	Thomas Gleixner <tglx@linutronix.de>,
	the arch/x86 maintainers <x86@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.com>, Hugh Dickins <hughd@google.com>,
	David Rientjes <rientjes@google.com>,
	linux-mm@kvack.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Thorsten Leemhuis <regressions@leemhuis.info>
Subject: Re: KASAN: use-after-free Read in __do_page_fault
Date: Tue, 31 Oct 2017 20:15:06 +0100	[thread overview]
Message-ID: <20171031191506.GB2799@redhat.com> (raw)
In-Reply-To: <fbf1e43d-1f73-09c1-1837-3600bcedd5d2@suse.cz>

On Tue, Oct 31, 2017 at 03:28:26PM +0100, Vlastimil Babka wrote:
> Hmm, that could indeed work. Dmitry, can you try the patch below?
> But it still seems rather fragile, so I'd hope Andrea can do it more
> robustly, or at least make sure that we don't reintroduce this kind of
> problem in the future (explicitly set vma to NULL with a comment?).

Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>

> 
> ----8<----
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index e2baeaa053a5..9bd16fc621db 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -1441,6 +1441,7 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
>  	 * the fault.  Since we never set FAULT_FLAG_RETRY_NOWAIT, if
>  	 * we get VM_FAULT_RETRY back, the mmap_sem has been unlocked.
>  	 */
> +	pkey = vma_pkey(vma);
>  	fault = handle_mm_fault(vma, address, flags);
>  	major |= fault & VM_FAULT_MAJOR;
>  
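Review bot: the new `pkey = vma_pkey(vma);` line sits in the right place, ahead of the `handle_mm_fault()` call, but it needs a comment of its own saying why it must stay there. The comment block directly above it already states that `mmap_sem` may have been unlocked when `VM_FAULT_RETRY` comes back; extending it with a sentence along the lines of "once mmap_sem is dropped the vma may be freed, so read everything we need from it before this call" records the invariant the reorder depends on, which is exactly the fragility concern raised in the quoted reply. Without that note, a later change that re-adds a `vma` access after `handle_mm_fault()` would compile cleanly and reintroduce the use-after-free this patch is addressing.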
> @@ -1467,7 +1468,6 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
>  		return;
>  	}
>  
> -	pkey = vma_pkey(vma);
>  	up_read(&mm->mmap_sem);
>  	if (unlikely(fault & VM_FAULT_ERROR)) {
>  		mm_fault_error(regs, error_code, address, &pkey, fault);
> 
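Review bot: dropping the late `pkey = vma_pkey(vma);` removes the dereference that followed the retry path, but the hunk leaves `vma` in scope and still valid-looking after `up_read(&mm->mmap_sem)`, so nothing stops the same pattern from coming back. The suggestion in the quoted reply, assigning `vma = NULL` with a comment once `handle_mm_fault()` has returned, would turn any future stray access into an immediate NULL dereference during testing rather than a silent read of freed memory, and seems worth doing here or in a follow-up. The remaining context is consistent: `mm_fault_error(regs, error_code, address, &pkey, fault);` now consumes the value captured before the fault was handled.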
