Date: Mon, 15 Apr 2024 15:05:44 -0700
From: Vishal Moola
To: syzbot
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, muchun.song@linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common
References: <000000000000daf1e10615e64dcb@google.com> <000000000000ae5d410615fea3bf@google.com>
In-Reply-To: <000000000000ae5d410615fea3bf@google.com>

On Sat, Apr 13, 2024 at 11:34:32AM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    9ed46da14b9b Add linux-next specific files for 20240412
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=12bd4457180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7ea0abc478c49859
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad1b592fc4483655438b
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1370ea67180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 9ed46da14b9b

Content-Disposition: attachment; filename="0001-hugetlb-Check-for-anon_vma-prior-to-folio-allocation.patch"
>From fb3415a90a2b2a6fdbe4a5f32370f06141591011 Mon Sep 17 00:00:00 2001 From: "Vishal Moola (Oracle)" Date: Mon, 15 Apr 2024 14:17:47 -0700 Subject: [PATCH] hugetlb: Check for anon_vma prior to folio allocation Commit 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") may bailout after allocating a folio if we do not hold the mmap lock. When this occurs, vmf_anon_prepare() will release the vma lock. Hugetlb then attempts to call restore_reserve_on_error(), which depends on the vma lock being held. We can move vmf_anon_prepare() prior to the folio allocation in order to avoid calling restore_reserve_on_error() without the vma lock. Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com Signed-off-by: Vishal Moola (Oracle) --- mm/hugetlb.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index f826dc681081..fbd278a2e9f6 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -6271,6 +6271,10 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, VM_UFFD_MISSING); } + ret = vmf_anon_prepare(vmf); + if (unlikely(ret)) + goto out; + folio = alloc_hugetlb_folio(vma, vmf->address, 0); if (IS_ERR(folio)) { /* @@ -6310,15 +6314,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, restore_reserve_on_error(h, vma, vmf->address, folio); folio_put(folio); + ret = VM_FAULT_SIGBUS; goto out; } new_pagecache_folio = true; } else { folio_lock(folio); - - ret = vmf_anon_prepare(vmf); - if (unlikely(ret)) - goto backout_unlocked; anon_rmap = 1; } } else { -- 2.43.0 --nyCCuuGrGXDMVrWo--
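Review bot: in the first hunk (@@ -6271,6 +6271,10 @@) the hoisted vmf_anon_prepare() now runs on every path through this part of hugetlb_no_page(), whereas the call it replaces (deleted in the second hunk) sat only in the `else` branch after `folio_lock(folio)`, i.e. not in the page-cache branch that ends with `new_pagecache_folio = true`. Mappings that previously never prepared an anon_vma will now go through vmf_anon_prepare(), and per the commit message that call can drop the vma lock and bail out when the mmap lock is not held, so a fault that formerly completed may now be retried. Suggest keeping the moved call under the same condition that selected the `else` branch (not visible in the hunk), e.g. wrapping `ret = vmf_anon_prepare(vmf); if (unlikely(ret)) goto out;` in that test, and saying in the commit message whether the unconditional call is intended.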
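Review bot: the added `ret = VM_FAULT_SIGBUS;` in the second hunk (@@ -6310,15 +6314,12 @@), placed after `folio_put(folio);` and before `goto out;`, is a behaviour change the commit message does not mention. Before this patch that `goto out` returned whatever `ret` already held on entry to this path; with vmf_anon_prepare() now assigning `ret` before the allocation (first hunk) and a successful prepare yielding 0, the explicit SIGBUS is what keeps a hugetlb_add_to_page_cache() failure from being reported as a successful fault. Add a one-line comment at that site and a sentence in the commit message, and check every other `goto out` between the moved vmf_anon_prepare() call and the `out:` label for the same reliance on the initial value of `ret`. Removing the vmf_anon_prepare()/`goto backout_unlocked` lines from the `else` branch looks right, since the preparation now happens before the folio exists and there is nothing to back out.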
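The ordering hazard the commit message describes, as an added userspace C model rather than kernel code or anything from this patch: `vmf_anon_prepare_model()`, `alloc_hugetlb_folio_model()`, `restore_reserve_on_error_model()` and the two `hugetlb_no_page_*` functions are toy stand-ins that keep only the lock-drop and unwind behaviour, `struct trace` is an assumption added for inspection, and the flag and fault-code values mirror the kernel's constants.

```c
/*
 * Added example, not kernel code: a userspace model of the lock-ordering
 * hazard the patch fixes. The structs are toys and the *_model() functions
 * keep only the lock-drop and unwind behaviour; flag and fault-code values
 * mirror the kernel's, everything else is an assumption.
 */
#include <stdbool.h>
#include <string.h>

#define VM_FAULT_RETRY      0x0400u
#define FAULT_FLAG_VMA_LOCK 0x1000u

struct anon_vma { int unused; };
struct vm_area_struct {
	struct anon_vma *anon_vma;
	bool vma_locked; /* the per-VMA lock the fault path holds on entry */
	int reserved;    /* hugetlb reservation consumed by alloc_hugetlb_folio() */
};
struct vm_fault { struct vm_area_struct *vma; unsigned int flags; };

struct trace { /* what the fault path did, for the caller to inspect */
	bool folio_allocated;
	bool restore_called_unlocked; /* the bug: unwind ran after the lock was dropped */
	bool reserve_leaked;
};

/*
 * Mirrors vmf_anon_prepare(): with no anon_vma and only the per-VMA lock
 * held it drops that lock and asks for a retry under mmap_lock. That drop
 * is what makes any later unwinding unsafe.
 */
static unsigned int vmf_anon_prepare_model(struct vm_fault *vmf)
{
	static struct anon_vma av;

	if (vmf->vma->anon_vma)
		return 0;
	if (vmf->flags & FAULT_FLAG_VMA_LOCK) {
		vmf->vma->vma_locked = false; /* vma_end_read() */
		return VM_FAULT_RETRY;
	}
	vmf->vma->anon_vma = &av; /* __anon_vma_prepare() under mmap_lock */
	return 0;
}

/* alloc_hugetlb_folio() consumes a reservation the VMA tracks. */
static void alloc_hugetlb_folio_model(struct vm_area_struct *vma, struct trace *t)
{
	vma->reserved++;
	t->folio_allocated = true;
}

/* restore_reserve_on_error() touches reservation state the VMA lock protects. */
static void restore_reserve_on_error_model(struct vm_area_struct *vma, struct trace *t)
{
	if (!vma->vma_locked)
		t->restore_called_unlocked = true;
	vma->reserved--;
}

/* Before the patch: allocate, then prepare, then unwind on failure. */
static unsigned int hugetlb_no_page_before(struct vm_fault *vmf, struct trace *t)
{
	unsigned int ret;

	alloc_hugetlb_folio_model(vmf->vma, t);
	ret = vmf_anon_prepare_model(vmf);
	if (ret) { /* backout: the VMA lock may already be gone */
		restore_reserve_on_error_model(vmf->vma, t);
		return ret;
	}
	vmf->vma->reserved--; /* stands in for the folio being mapped */
	return 0;
}

/* After the patch: prepare first, so a retry leaves nothing to unwind. */
static unsigned int hugetlb_no_page_after(struct vm_fault *vmf, struct trace *t)
{
	unsigned int ret = vmf_anon_prepare_model(vmf);

	if (ret)
		return ret;
	alloc_hugetlb_folio_model(vmf->vma, t);
	vmf->vma->reserved--; /* stands in for the folio being mapped */
	return 0;
}

/* Fault a VMA with no anon_vma yet, either under the per-VMA lock only or under mmap_lock. */
static unsigned int run_scenario(bool fixed, bool vma_lock_only, struct trace *t)
{
	struct vm_area_struct vma = { .anon_vma = NULL, .vma_locked = true, .reserved = 0 };
	struct vm_fault vmf = { .vma = &vma, .flags = vma_lock_only ? FAULT_FLAG_VMA_LOCK : 0 };
	unsigned int ret;

	memset(t, 0, sizeof(*t));
	ret = fixed ? hugetlb_no_page_after(&vmf, t) : hugetlb_no_page_before(&vmf, t);
	t->reserve_leaked = vma.reserved != 0;
	return ret;
}
```

The model reduces the kernel rule to one invariant: a helper that can drop the VMA lock on its retry path has to run before any state guarded by that lock is created, because the error unwind for that state (here, restoring the reservation) needs the lock. In the old ordering the per-VMA-lock fault allocates, then retries with the lock already gone and unwinds anyway; in the new ordering the retry happens before anything exists to unwind, and the mmap_lock case behaves identically in both.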