From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Matthew Wilcox <willy@infradead.org>
Cc: Hillf Danton <hdanton@sina.com>,
	syzbot <syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com>,
	hughd@google.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in shmem_fault (2)
Date: Mon, 9 Sep 2019 18:04:12 +0300	[thread overview]
Message-ID: <20190909150412.ut6fbshii4sohwag@box> (raw)
In-Reply-To: <20190909135521.GD29434@bombadil.infradead.org>

On Mon, Sep 09, 2019 at 06:55:21AM -0700, Matthew Wilcox wrote:
> On Mon, Sep 02, 2019 at 05:20:30PM +0300, Kirill A. Shutemov wrote:
> > On Mon, Sep 02, 2019 at 06:52:54AM -0700, Matthew Wilcox wrote:
> > > On Sat, Aug 31, 2019 at 12:58:26PM +0800, Hillf Danton wrote:
> > > > On Fri, 30 Aug 2019 12:40:06 -0700
> > > > > syzbot found the following crash on:
> > > > > 
> > > > > HEAD commit:    a55aa89a Linux 5.3-rc6
> > > > > git tree:       upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=12f4beb6600000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=2a6a2b9826fdadf9
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=03ee87124ee05af991bd
> > > > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > > > 
> > > > > ==================================================================
> > > > > BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530  
> > > > > include/trace/events/lock.h:13
> > > > > Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
> > > > 
> > > > --- a/mm/shmem.c
> > > > +++ b/mm/shmem.c
> > > > @@ -2021,6 +2021,12 @@ static vm_fault_t shmem_fault(struct vm_
> > > >  			shmem_falloc_waitq = shmem_falloc->waitq;
> > > >  			prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
> > > >  					TASK_UNINTERRUPTIBLE);
> > > > +			/*
> > > > +			 * it is not trivial to see what will take place after
> > > > +			 * releasing i_lock and taking a nap, so hold inode to
> > > > +			 * be on the safe side.
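Review bot: the comment added after prepare_to_wait() names no concrete hazard ("not trivial to see what will take place"), and the quoted hunk stops before the __iget() it is meant to justify, so a reader cannot tell what reference is taken or on which path. Spell out the actual race (once mmap_sem is dropped another thread can unmap the file and the inode can be freed while this path sleeps) and take the reference on the branch that does up_read(), with the matching iput() only when ret == VM_FAULT_RETRY, instead of unconditionally before the sleep.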
> > > 
> > > I think the comment could be improved.  How about:
> > > 
> > > 			 * The file could be unmapped by another thread after
> > > 			 * releasing i_lock, and the inode then freed.  Hold
> > > 			 * a reference to the inode to prevent this.
> > 
> > It can only happen if mmap_sem was released, so it's better to put
> > __iget() in the branch above next to up_read(). I got confused at first
> > about how it is possible from ->fault().
> > 
> > This way iput() below should only be called for ret == VM_FAULT_RETRY.
> 
> Looking at the rather similar construct in filemap.c, should we solve
> it the same way, where we inc the refcount on the struct file instead
> of the inode before releasing the mmap_sem?

Are you talking about maybe_unlock_mmap_for_io()? Yeah, worth moving it to
mm/internal.h and reusing it.

Care to prepare the patch? :P

-- 
 Kirill A. Shutemov
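The reference-lifetime argument in this thread, as an added userspace model that is not the kernel's code: `struct inode`, `__iget`/`iput`, the mmap_sem release and `VM_FAULT_RETRY` are constructed stand-ins with the same roles, and `concurrent_unmap()` plays the other thread that drops the mapping's reference while the fault path sleeps.

```c
/* Constructed model of the shmem_fault() fallocate-wait path discussed in
 * the thread. Not kernel code: the names mirror the kernel's but are stand-ins. */
#include <stdbool.h>

enum { VM_FAULT_OK = 0, VM_FAULT_RETRY = 1 };

struct inode { int i_count; bool freed; };

static void __iget(struct inode *i) { i->i_count++; }
static void iput(struct inode *i) { if (--i->i_count == 0) i->freed = true; }

/* Another thread unmapping the file while the fault path sleeps: the mapping's
 * reference goes away, the last one unless the fault path holds its own. */
static void concurrent_unmap(struct inode *i) { iput(i); }

/* may_release_mmap_sem stands for the RETRY-allowed case where the real handler
 * does up_read(&mm->mmap_sem) before sleeping; hold_ref selects the fix under
 * discussion (__iget() on that branch, iput() after the wait, RETRY path only).
 * *touched_freed reports a use-after-free, which is what KASAN flagged. */
static int shmem_fault_model(struct inode *inode, bool may_release_mmap_sem,
                             bool hold_ref, bool *touched_freed)
{
    int ret = VM_FAULT_OK;

    *touched_freed = false;
    if (may_release_mmap_sem) {
        ret = VM_FAULT_RETRY;
        if (hold_ref)
            __iget(inode);        /* next to up_read(): the only case needing it */
        /* up_read(&vma->vm_mm->mmap_sem); */
    }
    /* prepare_to_wait(); spin_unlock(&inode->i_lock); schedule(); */
    if (ret == VM_FAULT_RETRY)
        concurrent_unmap(inode);  /* only reachable once mmap_sem was released */
    if (inode->freed)             /* finish_wait() touches inode-owned memory */
        *touched_freed = true;
    if (ret == VM_FAULT_RETRY && hold_ref)
        iput(inode);              /* paired put on the RETRY path only */
    return ret;
}

/* Scenario helpers: start with one reference (the mapping's). */
static bool scenario_uaf(bool may_release_mmap_sem, bool hold_ref)
{
    struct inode ino = { 1, false };
    bool touched;
    shmem_fault_model(&ino, may_release_mmap_sem, hold_ref, &touched);
    return touched;
}
static int scenario_count(bool may_release_mmap_sem, bool hold_ref)
{
    struct inode ino = { 1, false };
    bool touched;
    shmem_fault_model(&ino, may_release_mmap_sem, hold_ref, &touched);
    return ino.i_count;
}
```

`scenario_uaf(true, false)` is the unfixed path (sleeping without a reference after dropping mmap_sem), while `scenario_count(false, true)` shows that when mmap_sem is never released no reference is taken and none must be dropped.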

