Date: Wed, 25 May 2022 11:59:45 -0700
From: Andrew Morton
To: Matthew Wilcox
Cc: syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in do_sync_mmap_readahead
Message-Id: <20220525115945.6256638242ee99db2a94d2e7@linux-foundation.org>
In-Reply-To:
References: <0000000000008cfbca05dfd6db81@google.com> <20220525095842.f97b64de9cbcc0e15d1257a6@linux-foundation.org>

On Wed, 25 May 2022 19:33:39 +0100 Matthew Wilcox wrote:

> On Wed, May 25, 2022 at 06:57:55PM +0100, Matthew Wilcox wrote:
> >
> > Ohh, that makes sense.  We unlocked the mmap_sem, so the file is
> > pinned, but the VMA isn't.  I'll whip up a patch.
>
> #syz test
>
> From 01a4917c4cfe400eb310eba4f2fa466d381623c1 Mon Sep 17 00:00:00 2001
> From: "Matthew Wilcox (Oracle)"
> Date: Wed, 25 May 2022 14:23:45 -0400
> Subject: [PATCH] mm/filemap: Cache the value of vm_flags
>
> After we have unlocked the mmap_lock for I/O, the file is pinned, but
> the VMA is not.  Checking this flag after that can be a use-after-free.
> It's not a terribly interesting use-after-free as it can only read one
> bit, and it's used to decide whether to read 2MB or 4MB.  But it
> upsets the automated tools and it's generally bad practice anyway,
> so let's fix it.
>
> Reported-by: syzbot+5b96d55e5b54924c77ad@syzkaller.appspotmail.com
> Fixes: 4687fdbb805a ("mm/filemap: Support VM_HUGEPAGE for file mappings")
> Signed-off-by: Matthew Wilcox (Oracle)

cc:stable also, please.
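The lifetime problem described in the quoted commit message, as an added userspace simulation that is not kernel code and not Matthew's patch: an object standing in for a VMA is only kept alive while a lock is held; one path drops the lock for "I/O" and reads vm_flags afterwards, the other copies the flag bits out first and uses the copy. Everything here is constructed for illustration (sim_vma, sim_mm, readahead_before_fix, readahead_after_fix, a racing-unmap knob, and a 0x6b poison pattern written over the "freed" object so the stale read stays well-defined); only the idea that the flag picks a 2MB or 4MB readahead window comes from the message.

```c
/* Added example: a userspace simulation of "cache the flag before dropping the
 * lock that keeps the object alive". Names are hypothetical, not kernel APIs. */
#include <stdbool.h>
#include <stdio.h>

#define VM_HUGEPAGE        0x01UL        /* stand-in for the flag bit being tested */
#define POISON_FLAGS       0x6b6b6b6bUL  /* pattern written over a "freed" object */
#define SMALL_WINDOW_BYTES (2UL << 20)   /* 2MB window when the flag is clear */
#define LARGE_WINDOW_BYTES (4UL << 20)   /* 4MB window when the flag is set */

struct sim_vma { unsigned long vm_flags; };

struct sim_mm {
    bool locked;            /* our stand-in for mmap_lock */
    struct sim_vma *vma;
    bool race_unmap;        /* constructed knob: a racing unmap frees the VMA
                               as soon as the lock is dropped */
};

/* "Free" the VMA: instead of free(), overwrite it with a poison pattern so the
 * stale read in the buggy path is observable rather than undefined behaviour. */
static void sim_vma_free(struct sim_vma *vma)
{
    vma->vm_flags = POISON_FLAGS;
}

/* Dropping the lock is the moment the VMA's lifetime is no longer guaranteed. */
static void sim_mmap_read_unlock(struct sim_mm *mm)
{
    mm->locked = false;
    if (mm->race_unmap)
        sim_vma_free(mm->vma);
}

static unsigned long window_for(unsigned long vm_flags)
{
    return (vm_flags & VM_HUGEPAGE) ? LARGE_WINDOW_BYTES : SMALL_WINDOW_BYTES;
}

/* Before the fix: vm_flags is read after the lock protecting the VMA was dropped. */
static unsigned long readahead_before_fix(struct sim_mm *mm)
{
    struct sim_vma *vma = mm->vma;
    sim_mmap_read_unlock(mm);          /* drop the lock for I/O; the VMA may go away */
    return window_for(vma->vm_flags);  /* stale read of possibly freed memory */
}

/* After the fix: copy the flag bits while the lock is still held, then use the copy. */
static unsigned long readahead_after_fix(struct sim_mm *mm)
{
    unsigned long vm_flags = mm->vma->vm_flags;  /* cached under the lock */
    sim_mmap_read_unlock(mm);
    return window_for(vm_flags);
}

/* Run both paths on a fresh VMA each; results are returned via out-params so a
 * caller can compare the two behaviours. */
static void run_scenario(bool hugepage, bool race,
                         unsigned long *before, unsigned long *after)
{
    struct sim_vma a = { hugepage ? VM_HUGEPAGE : 0 };
    struct sim_mm mm = { true, &a, race };
    *before = readahead_before_fix(&mm);

    struct sim_vma b = { hugepage ? VM_HUGEPAGE : 0 };
    mm = (struct sim_mm){ true, &b, race };
    *after = readahead_after_fix(&mm);
}

int main(void)
{
    unsigned long before, after;
    /* Non-hugepage VMA with a racing unmap: the buggy path reads the poison
     * pattern (low bit set) and picks the 4MB window; the fixed path picks 2MB. */
    run_scenario(false, true, &before, &after);
    printf("race, no VM_HUGEPAGE: before=%lu after=%lu\n", before, after);
    run_scenario(false, false, &before, &after);
    printf("no race, no VM_HUGEPAGE: before=%lu after=%lu\n", before, after);
    return 0;
}
```

With a racing unmap the unfixed path decides the window from poisoned memory, which is exactly the class of read KASAN flags; the fixed path is unaffected because the only value it needs was copied while the lock still guaranteed the object's lifetime.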