Date: Thu, 19 Jun 2025 13:21:58 +0100
From: Will Deacon
To: Ryan Roberts
Cc: Jan Kara, akpm@linux-foundation.org, david@redhat.com, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
Message-ID: <20250619122157.GB21372@willie-the-truck>
References: <6852b77e.a70a0220.79d0a.0214.GAE@google.com>

On Thu, Jun 19, 2025 at 11:57:05AM +0100, Ryan Roberts wrote:
> On 19/06/2025 10:52, Jan Kara wrote:
> > Hi,
> >
> > On Wed 18-06-25 05:56:30, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    bc6e0ba6c9ba Add linux-next specific files for 20250613
> >> git tree:       linux-next
> >> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
> >> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
> >>
> >> Downloadable assets:
> >> disk image:   https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
> >> vmlinux:      https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
> >> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
> >>
> >> The issue was bisected to:
> >>
> >> commit 3b61a3f08949297815b2c77ae2696f54cd339419
> >> Author: Ryan Roberts
> >> Date:   Mon Jun 9 09:27:27 2025 +0000
> >>
> >>     mm/filemap: allow arch to request folio size for exec memory
> >
> > Indeed. The crash is in:
> >
> > 	fpin = maybe_unlock_mmap_for_io(vmf, fpin);
> > 	if (vm_flags & VM_EXEC) {
> > 		/*
> > 		 * Allow arch to request a preferred minimum folio order for
> > 		 * executable memory. This can often be beneficial to
> > 		 * performance if (e.g.) arm64 can contpte-map the folio.
> > 		 * Executable memory rarely benefits from readahead, due to its
> > 		 * random access nature, so set async_size to 0.
> > 		 *
> > 		 * Limit to the boundaries of the VMA to avoid reading in any
> > 		 * pad that might exist between sections, which would be a waste
> > 		 * of memory.
> > 		 */
> > 		struct vm_area_struct *vma = vmf->vma;
> > 		unsigned long start = vma->vm_pgoff;
> > 		                      ^^^^ here
> >
> > which is not surprising because we've unlocked mmap_sem (or vma lock) just
> > above this if and thus vma could have been released before we got here. The
> > easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
> > nothing in there that would be problematic with the locks still held.
>
> Thanks for the quick analysis, Jan! Ouch...
>
> This is still in mm-unstable I believe, so I'll send a fix-up patch to Andrew to
> move the unlock as you suggest.
>
> By the way, I don't think I was included on the original report; is there a way
> I can sign up to be included on patches I authored in future?

Your address looks like it's on To:

  https://lore.kernel.org/r/6852b77e.a70a0220.79d0a.0214.GAE@google.com

but maybe you redirect syzbot reports to the SP^H^HIMPORTANT folder?

Will
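The lock-ordering defect Jan describes above, shown as an added userland model (constructed here; it is neither the kernel's filemap code nor Ryan's fix-up patch). The struct names mirror the kernel's, but `racing_munmap()`, `read_pgoff()` and `run_scenario()` are assumed helpers that stand in for a concurrent unmap and for the KASAN-detected read.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a VMA that a concurrent unmap may free as soon as the
 * mmap lock (or per-VMA lock) is dropped. Teaching code, not kernel code. */
struct vm_area_struct { unsigned long vm_pgoff; bool freed; };
struct vm_fault { struct vm_area_struct *vma; bool mmap_locked; };

#define VM_EXEC 0x4UL

/* Stand-in for maybe_unlock_mmap_for_io(): drops the lock before doing I/O. */
static void maybe_unlock_mmap_for_io(struct vm_fault *vmf) { vmf->mmap_locked = false; }

/* Models the racing unmapper: it can only release the VMA once the lock is gone. */
static void racing_munmap(struct vm_fault *vmf) {
    if (!vmf->mmap_locked) vmf->vma->freed = true;
}

/* Reads vm_pgoff; returns -1 instead of touching freed memory (the KASAN hit). */
static long read_pgoff(const struct vm_area_struct *vma) {
    return vma->freed ? -1 : (long)vma->vm_pgoff;
}

/* Buggy ordering from the bisected commit: unlock first, then dereference vmf->vma. */
static long readahead_start_buggy(struct vm_fault *vmf, unsigned long vm_flags) {
    maybe_unlock_mmap_for_io(vmf);
    racing_munmap(vmf);              /* race window opens here */
    if (vm_flags & VM_EXEC)
        return read_pgoff(vmf->vma); /* use-after-free */
    return 0;
}

/* Fixed ordering as Jan suggests: finish with the VMA while still locked, then unlock. */
static long readahead_start_fixed(struct vm_fault *vmf, unsigned long vm_flags) {
    long start = 0;
    if (vm_flags & VM_EXEC)
        start = read_pgoff(vmf->vma); /* lock held: the VMA cannot go away */
    maybe_unlock_mmap_for_io(vmf);
    racing_munmap(vmf);               /* too late to affect what we read */
    return start;
}

/* Runs one ordering against a fresh, locked fault on an exec VMA; returns what was read. */
static long run_scenario(bool fixed) {
    struct vm_area_struct vma = { .vm_pgoff = 0x10, .freed = false };
    struct vm_fault vmf = { .vma = &vma, .mmap_locked = true };
    return fixed ? readahead_start_fixed(&vmf, VM_EXEC)
                 : readahead_start_buggy(&vmf, VM_EXEC);
}
```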