From: Pengfei Xu <pengfei.xu@intel.com>
To: Hillf Danton <hdanton@sina.com>
Cc: syzbot <syzbot+4c882a4a0697c4a25364@syzkaller.appspotmail.com>,
	<linux-kernel@vger.kernel.org>, <syzkaller-bugs@googlegroups.com>
Subject: Re: [syzbot] [crypto?] KASAN: slab-use-after-free Read in handle_mm_fault
Date: Wed, 17 Jul 2024 10:09:13 +0800	[thread overview]
Message-ID: <ZpcnyYS29p/Fud+L@xpf.sh.intel.com> (raw)
In-Reply-To: <20240716115504.1136-1-hdanton@sina.com>

On 2024-07-16 at 19:55:04 +0800, Hillf Danton wrote:
> On Tue, 16 Jul 2024 01:29:17 -0700
> > syzbot found the following issue on:
> > 
> > HEAD commit:    3fe121b62282 Add linux-next specific files for 20240712
> > git tree:       linux-next
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ce3259980000
> 
> #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git  3fe121b62282
> 
> --- x/mm/memory.c
> +++ y/mm/memory.c
> @@ -5808,6 +5808,7 @@ vm_fault_t handle_mm_fault(struct vm_are
>  	/* If the fault handler drops the mmap_lock, vma may be freed */
>  	struct mm_struct *mm = vma->vm_mm;
>  	vm_fault_t ret;
> +	bool droppable;
>  
>  	__set_current_state(TASK_RUNNING);
>  
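Review bot: the new `bool droppable;` is declared uninitialized here, then assigned only in the later hunk, which separates the cached copy from the comment on the line above it ("If the fault handler drops the mmap_lock, vma may be freed") that explains why the value must be captured before the fault. Consider initializing at the point of declaration, next to the existing `mm` cache that exists for the same reason, e.g. `const bool droppable = vma->vm_flags & VM_DROPPABLE;`, so the comment documents both cached values and a future edit cannot move the read past the fault call.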
> @@ -5831,6 +5832,7 @@ vm_fault_t handle_mm_fault(struct vm_are
>  
>  	lru_gen_enter_fault(vma);
>  
> +	droppable = !!(vma->vm_flags & VM_DROPPABLE);
>  	if (unlikely(is_vm_hugetlb_page(vma)))
>  		ret = hugetlb_fault(vma->vm_mm, vma, address, flags);
>  	else
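Review bot: the `!!` in `droppable = !!(vma->vm_flags & VM_DROPPABLE);` is redundant since assignment to a `bool` already normalizes any non-zero value to true; plain `droppable = vma->vm_flags & VM_DROPPABLE;` reads the same and matches the condition the old code tested. The placement itself is right: the read happens immediately before `hugetlb_fault()` / the regular fault path, i.e. while `vma` is still known to be valid, which is the whole point of the fix.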
> @@ -5839,7 +5841,7 @@ vm_fault_t handle_mm_fault(struct vm_are
>  	lru_gen_exit_fault();
>  
>  	/* If the mapping is droppable, then errors due to OOM aren't fatal. */
> -	if (vma->vm_flags & VM_DROPPABLE)
> +	if (droppable)
>  		ret &= ~VM_FAULT_OOM;
>  
>  	if (flags & FAULT_FLAG_USER) {
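Review bot: replacing `if (vma->vm_flags & VM_DROPPABLE)` with `if (droppable)` removes the `vma` dereference that sat after the fault handler returned, so the post-fault read that the function's own comment warns about is gone for this line and `ret &= ~VM_FAULT_OOM;` keeps its exact semantics. The comment "If the mapping is droppable, then errors due to OOM aren't fatal." still reads as if it described `vma`; a short addition noting that the flag was sampled before the fault would make the intent clear to the next reader. It would also be worth confirming that no other `vma` use remains between the fault call and the end of the function, since any such read would hit the same use-after-free the reproducer triggers.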
> --

It should fix the following commit in the next-20240715 tag kernel:
"f73fad23fa mm: add MAP_DROPPABLE for designating always lazily freeable mappings"

FYR.

Thanks!

Thread overview: 13+ messages
2024-07-16  8:29 [syzbot] [crypto?] KASAN: slab-use-after-free Read in handle_mm_fault syzbot
2024-07-16 11:55 ` Hillf Danton
2024-07-16 12:44   ` syzbot
2024-07-17  2:09   ` Pengfei Xu [this message]
2024-07-18 10:59 ` Vlastimil Babka (SUSE)
2024-07-18 15:43   ` Liam R. Howlett
2024-07-18 16:20     ` Suren Baghdasaryan
2024-07-18 16:23       ` Suren Baghdasaryan
2024-07-18 16:36         ` Jason A. Donenfeld
2024-07-18 16:42           ` Suren Baghdasaryan
2024-07-18 16:44             ` Jason A. Donenfeld
2024-07-18 16:49               ` Suren Baghdasaryan
2024-07-18 16:51                 ` Jason A. Donenfeld