From: Suren Baghdasaryan
Date: Thu, 18 Jul 2024 16:42:39 +0000
Subject: Re: [syzbot] [crypto?] KASAN: slab-use-after-free Read in handle_mm_fault
To: "Jason A. Donenfeld"
Cc: "Liam R. Howlett", "Vlastimil Babka (SUSE)", syzbot, akpm@linux-foundation.org, davem@davemloft.net, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Lorenzo Stoakes
References: <00000000000037cdb0061d5924b3@google.com> <46f44064-255b-4a1e-9317-f4b168706d65@kernel.org>

On Thu, Jul 18, 2024 at 4:36 PM Jason A. Donenfeld wrote:
>
> On Thu, Jul 18, 2024 at 04:23:47PM +0000, Suren Baghdasaryan wrote:
> > On Thu, Jul 18, 2024 at 4:20 PM Suren Baghdasaryan wrote:
> > >
> > > On Thu, Jul 18, 2024 at 3:43 PM Liam R. Howlett wrote:
> > > >
> > > > * Vlastimil Babka (SUSE) [240718 07:00]:
> > > > > On 7/16/24 10:29 AM, syzbot wrote:
> > > > > > Hello,
> > > > >
> > > > > dunno about the [crypto?] parts, sounds rather something for Suren or Liam
> > > > > or maybe it's due to some changes to gup?
> > > >
> > > > Yes, that crypto part is very odd.
> > > > > >
> > > > > > syzbot found the following issue on:
> > > > > >
> > > > > > HEAD commit:    3fe121b62282 Add linux-next specific files for 20240712
> > > > > > git tree:       linux-next
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1097ebed980000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=98dd8c4bab5cdce
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=4c882a4a0697c4a25364
> > > > > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11d611a5980000
> > > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ce3259980000
> > > > > >
> > > > > > Downloadable assets:
> > > > > > disk image: https://storage.googleapis.com/syzbot-assets/8c6fbf69718d/disk-3fe121b6.raw.xz
> > > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/39fc7e43dfc1/vmlinux-3fe121b6.xz
> > > > > > kernel image: https://storage.googleapis.com/syzbot-assets/0a78e70e4b4e/bzImage-3fe121b6.xz
> > > > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/66cfe5a679f2/mount_0.gz
> > > > > >
> > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+4c882a4a0697c4a25364@syzkaller.appspotmail.com
> > > > > >
> > > > > > ==================================================================
> > > > > > BUG: KASAN: slab-use-after-free in handle_mm_fault+0x14f0/0x19a0 mm/memory.c:5842
> > > > > > Read of size 8 at addr ffff88802c4719d0 by task syz-executor125/5235
> > > > > >
> > > > > > CPU: 1 UID: 0 PID: 5235 Comm: syz-executor125 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0
> > > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> > > > > > Call Trace:
> > > > > >
> > > > > >  __dump_stack lib/dump_stack.c:94 [inline]
> > > > > >  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> > > > > >  print_address_description mm/kasan/report.c:377 [inline]
> > > > > >  print_report+0x169/0x550 mm/kasan/report.c:488
> > > > > >  kasan_report+0x143/0x180 mm/kasan/report.c:601
> > > > > >  handle_mm_fault+0x14f0/0x19a0 mm/memory.c:5842
> > > >
> > > > /*
> > > >  * By the time we get here, we already hold the mm semaphore
> > > >  *
> > > >  * The mmap_lock may have been released depending on flags and our
> > > >  * return value. See filemap_fault() and __folio_lock_or_retry().
> > > >  */
> > > >
> > > > Somehow we are here without an RCU or mmap_lock held?
> > >
> > > I'm guessing we did enter handle_mm_fault() with mmap_lock held but
> > > __handle_mm_fault() dropped it before returning, see the comment for
> > > __handle_mm_fault():
> > >
> > > /*
> > >  * On entry, we hold either the VMA lock or the mmap_lock
> > >  * (FAULT_FLAG_VMA_LOCK tells you which). If VM_FAULT_RETRY is set in
> > >  * the result, the mmap_lock is not held on exit. See filemap_fault()
> > >  * and __folio_lock_or_retry().
> > >  */
> > >
> > > So after that there is nothing that guarantees VMA is not destroyed
> > > from under us and if (vma->vm_flags & VM_DROPPABLE) check is unsafe.
> > > Hillf's suggestion should fix this issue but we need to figure out how
> > > to make this path more robust. Currently it's very easy to make a
> > > similar mistake. Maybe a WARNING comment after __handle_mm_fault()
> > > that VMA might be unstable after that function and should not be used?
> >
> > CC'ing Jason.
>
> Thanks for bringing this to my attention. I'll incorporate Hillf's patch
> and also add a comment as you suggested. Something like the below?
>
> diff --git a/mm/memory.c b/mm/memory.c
> index 18fe893ce96d..f596a8d508ef 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -5660,6 +5660,7 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
>  	/* If the fault handler drops the mmap_lock, vma may be freed */
>  	struct mm_struct *mm = vma->vm_mm;
>  	vm_fault_t ret;
> +	bool is_droppable;
>  
>  	__set_current_state(TASK_RUNNING);
>  
> @@ -5674,6 +5675,8 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
>  		goto out;
>  	}
>  
> +	is_droppable = !!(vma->vm_flags & VM_DROPPABLE);
> +
>  	/*
>  	 * Enable the memcg OOM handling for faults triggered in user
>  	 * space.  Kernel faults are handled more gracefully.
> @@ -5688,10 +5691,15 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
>  	else
>  		ret = __handle_mm_fault(vma, address, flags);
>  
> +	/*
> +	 * It is no longer safe to dereference vma-> after this point, as
> +	 * __handle_mm_fault may have already destroyed it.

__handle_mm_fault does not really destroy the vma. It might drop mmap_lock
and another task might destroy it from under us.

> +	 */
> +
>  	lru_gen_exit_fault();
>  
> -	/* If the mapping is droppable, then errors due to OOM aren't fatal. */
> -	if (vma->vm_flags & VM_DROPPABLE)
> +	/* If the mapping is is_droppable, then errors due to OOM aren't fatal. */
> +	if (is_droppable)
>  		ret &= ~VM_FAULT_OOM;
>  
>  	if (flags & FAULT_FLAG_USER) {
>
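Review bot: in the second hunk, `is_droppable = !!(vma->vm_flags & VM_DROPPABLE);` sits after the early `goto out` and before the call into `__handle_mm_fault()`, i.e. while the caller's mmap_lock or VMA lock still pins the vma, which is the right place to sample it; a one-line comment there saying the flag is cached because the vma must not be touched once the fault handler may have dropped the lock would make the pairing with the later hunk obvious to the next reader.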
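Review bot: in the third hunk the new comment `__handle_mm_fault may have already destroyed it` misstates the mechanism, as the inline reply points out: `__handle_mm_fault()` may drop mmap_lock, after which another task can unmap and free the vma, so the comment should say that and say "do not dereference vma after this point"; separately, the rewritten line `/* If the mapping is is_droppable, ... */` reads as a typo, and the original wording `If the mapping is droppable` can stay since the prose need not echo the variable name.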