From: Vishal Moola <vishal.moola@gmail.com>
To: syzbot <syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, muchun.song@linux.dev,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common
Date: Mon, 15 Apr 2024 15:05:44 -0700 [thread overview]
Message-ID: <Zh2kuFX9BWOGN1Mo@fedora> (raw)
In-Reply-To: <000000000000ae5d410615fea3bf@google.com>
On Sat, Apr 13, 2024 at 11:34:32AM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 9ed46da14b9b Add linux-next specific files for 20240412
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=12bd4457180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7ea0abc478c49859
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad1b592fc4483655438b
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1370ea67180000
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 9ed46da14b9b
[-- Attachment #2: 0001-hugetlb-Check-for-anon_vma-prior-to-folio-allocation.patch --]
From fb3415a90a2b2a6fdbe4a5f32370f06141591011 Mon Sep 17 00:00:00 2001
From: "Vishal Moola (Oracle)" <vishal.moola@gmail.com>
Date: Mon, 15 Apr 2024 14:17:47 -0700
Subject: [PATCH] hugetlb: Check for anon_vma prior to folio allocation
Commit 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of
anon_vma_prepare()") may bail out after allocating a folio if we do not
hold the mmap lock. When this occurs, vmf_anon_prepare() will release the
vma lock. Hugetlb then attempts to call restore_reserve_on_error(),
which depends on the vma lock being held.
We can move vmf_anon_prepare() prior to the folio allocation in order to
avoid calling restore_reserve_on_error() without the vma lock.
Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()")
Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com
Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
---
mm/hugetlb.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index f826dc681081..fbd278a2e9f6 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6271,6 +6271,10 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
VM_UFFD_MISSING);
}
+ ret = vmf_anon_prepare(vmf);
+ if (unlikely(ret))
+ goto out;
+
folio = alloc_hugetlb_folio(vma, vmf->address, 0);
if (IS_ERR(folio)) {
/*
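Review bot: the relocated vmf_anon_prepare() call now runs for every fault that reaches this point, whereas the call removed in the next hunk sat only in the non-pagecache branch that sets anon_rmap, so shared hugetlb mappings that never need an anon_vma will now also go through anon_vma preparation. Worth confirming this is intended and cheap for those faults, or keeping the call on the anonymous path only while still placing it ahead of alloc_hugetlb_folio(). The early `goto out` on failure is itself sound here, since no folio has been allocated yet and there is nothing to put or restore.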
@@ -6310,15 +6314,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
restore_reserve_on_error(h, vma, vmf->address,
folio);
folio_put(folio);
+ ret = VM_FAULT_SIGBUS;
goto out;
}
new_pagecache_folio = true;
} else {
folio_lock(folio);
-
- ret = vmf_anon_prepare(vmf);
- if (unlikely(ret))
- goto backout_unlocked;
anon_rmap = 1;
}
} else {
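Review bot: the added `ret = VM_FAULT_SIGBUS;` is required because a successful vmf_anon_prepare() now leaves `ret` as 0 before the allocation, so this error path can no longer rely on whatever `ret` held at function entry; the other `goto out` and `goto backout*` paths in hugetlb_no_page() that are outside this hunk should be audited for the same assumption. Also please confirm that `backout_unlocked` still has other users once this `goto backout_unlocked` is dropped, otherwise the label becomes unused and will draw a compiler warning.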
--
2.43.0
Thread overview: 18+ messages
2024-04-12 13:32 [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common syzbot
2024-04-13 18:34 ` syzbot
2024-04-13 23:33 ` Hillf Danton
2024-04-14 2:39 ` syzbot
2024-04-14 3:31 ` Hillf Danton
2024-04-14 4:02 ` syzbot
2024-04-15 22:05 ` Vishal Moola [this message]
2024-04-15 22:15 ` Matthew Wilcox
2024-04-15 23:02 ` Vishal Moola
2024-04-16 4:35 ` Matthew Wilcox
2024-04-16 5:36 ` Oscar Salvador
2024-04-16 8:13 ` Oscar Salvador
2024-04-17 21:31 ` Andrew Morton
2024-04-16 7:28 ` syzbot
2024-04-18 18:40 ` Vishal Moola
2024-04-18 18:40 ` syzbot
2024-04-18 18:45 ` Vishal Moola
2024-04-19 5:01 ` syzbot