Date: Fri, 7 Jul 2023 19:40:20 +0100
From: Matthew Wilcox
To: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: David Wysochanski, David Howells, Andrew Morton, Linus Torvalds, Jeff Layton, Christoph Hellwig, linux-afs@lists.infradead.org, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org, v9fs-developer@lists.sourceforge.net, linux-erofs@lists.ozlabs.org, linux-ext4@vger.kernel.org, linux-cachefs@redhat.com, linux-fsdevel@vger.kernel.org, Rohith Surabattula, Steve French, Shyam Prasad N, Dominique Martinet, Ilya Dryomov, linux-mm@kvack.org, Daire Byrne
Subject: Re: [BUG mm-unstable] BUG: KASAN: use-after-free in shrink_folio_list+0x9f4/0x1ae0
References: <20230628104852.3391651-1-dhowells@redhat.com> <20230628104852.3391651-3-dhowells@redhat.com>

On Sat, Jul 08, 2023 at 03:27:42AM +0900, Hyeonggon Yoo wrote:
> Hmm, was it UAF because it references wrong field ->mapping,
> instead of swapper address space?

Ooh, I know this one!

When a folio is in use as an anonymous page, ->mapping has the bottom two bits set to 01b. The rest of the pointer is actually a pointer to an anon_vma. It's entirely plausible that an anon page might have had its anon_vma freed by the time the folio is on the inactive list, and on its way to being recycled (eg it was unmapped). I'm not terribly familiar with the lifetime rules of the anon_vma, but I doubt that a folio still being in RAM would pin it if it has been unmapped.