From: Ebru Akagunduz
To: "Kirill A. Shutemov"
Cc: dvyukov@google.com, akpm@linux-foundation.org, vbabka@suse.cz, mgorman@techsingularity.net, hannes@cmpxchg.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, vegard.nossum@oracle.com, levinsasha928@gmail.com, koct9i@gmail.com, ryabinin.a.a@gmail.com, gthelen@google.com, suleiman@google.com, hughd@google.com, rientjes@google.com, syzkaller@googlegroups.com, kcc@google.com, glider@google.com
Date: Fri, 2 Sep 2016 15:50:25 +0300
Subject: Re: mm: use-after-free in collapse_huge_page
Message-ID: <20160902125025.GA5827@gmail.com>
In-Reply-To: <20160829124233.GA40092@black.fi.intel.com>
References: <20160829124233.GA40092@black.fi.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> > @@ -898,13 +899,13 @@ static bool __collapse_huge_page_swapin(struct mm_struct *mm, > /* do_swap_page returns VM_FAULT_RETRY with released mmap_sem */ > if (ret & VM_FAULT_RETRY) { > down_read(&mm->mmap_sem); > - if (hugepage_vma_revalidate(mm, address)) { > + if (hugepage_vma_revalidate(mm, address, &vma)) { > /* vma is no longer available, don't continue to swapin */ > trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0); > return false; > } > /* check if the pmd is still valid */ > - if (mm_find_pmd(mm, address) != pmd) > + if (mm_find_pmd(mm, address) != pmd || vma != fe.vma) > return false; > } > if (ret & VM_FAULT_ERROR) { 
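Review bot: the new early return `if (mm_find_pmd(mm, address) != pmd || vma != fe.vma) return false;` bails out without the `trace_mm_collapse_huge_page_swapin(mm, swapped_in, referenced, 0);` call that the `hugepage_vma_revalidate()` failure path a few lines above emits, so a VMA or PMD change during the retry leaves no trace event while a vanished VMA does. Either add the same trace call before this `return false`, or fold both conditions into one block that traces and returns. The comment above the line still reads `/* check if the pmd is still valid */`; now that the same line also compares `vma` against `fe.vma`, update it to say that both the PMD and the VMA are rechecked after `mmap_sem` was retaken, and note that `vma != fe.vma` is a pointer comparison: it catches a different VMA now covering the address, while any check on the VMA's own state has to stay inside `hugepage_vma_revalidate()`.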
> @@ -923,7 +924,6 @@ static bool __collapse_huge_page_swapin(struct mm_struct *mm, > static void collapse_huge_page(struct mm_struct *mm, > unsigned long address, > struct page **hpage, > - struct vm_area_struct *vma, > int node, int referenced) > { > pmd_t *pmd, _pmd; > @@ -933,6 +933,7 @@ static void collapse_huge_page(struct mm_struct *mm, > spinlock_t *pmd_ptl, *pte_ptl; > int isolated = 0, result = 0; > struct mem_cgroup *memcg; > + struct vm_area_struct *vma; > unsigned long mmun_start; /* For mmu_notifiers */

I could not understand why we need to remove the vma parameter and recreate it here?

> unsigned long mmun_end; /* For mmu_notifiers */ > gfp_t gfp; > @@ -961,7 +962,7 @@ static void collapse_huge_page(struct mm_struct *mm, > } > > down_read(&mm->mmap_sem);

And without the fe.vma check, this patch seems to work for me.

Andrea, I've just sent a fix patch for leaking mapped ptes.

Kind regards,
Ebru
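Review bot: in the `@@ -933,6 +933,7 @@` hunk the new local `struct vm_area_struct *vma;` is declared uninitialized and nothing in the quoted hunks assigns it, while the `@@ -923,7 +924,6 @@` hunk drops the caller-supplied `struct vm_area_struct *vma` parameter without the commit message or a comment saying why that pointer can no longer be trusted. The first hunk already shows the reason: `__collapse_huge_page_swapin()` can see `mmap_sem` released by `do_swap_page()` and retaken, after which a VMA looked up earlier may be gone. State that at the declaration in one line, and quote the call site that stops passing `vma` and the point after `down_read(&mm->mmap_sem);` where the local is refreshed, since neither is in the posted hunks. Until then, initialise the local (`struct vm_area_struct *vma = NULL;`) so that any use before the refresh is an obvious NULL dereference rather than a silent stale pointer, which is the failure mode this patch is meant to close.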