Message-ID: <29624f1e-de4f-492d-b54c-bb99f58b582f@arm.com>
Date: Thu, 19 Jun 2025 13:29:45 +0100
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in do_sync_mmap_readahead
From: Ryan Roberts
To: Will Deacon
Cc: Jan Kara, akpm@linux-foundation.org, david@redhat.com, jgg@ziepe.ca, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, peterx@redhat.com, syzkaller-bugs@googlegroups.com
In-Reply-To: <20250619122157.GB21372@willie-the-truck>
References: <6852b77e.a70a0220.79d0a.0214.GAE@google.com> <20250619122157.GB21372@willie-the-truck>

On 19/06/2025 13:21, Will Deacon wrote:
> On Thu, Jun 19, 2025 at 11:57:05AM +0100, Ryan Roberts wrote:
>> On 19/06/2025 10:52, Jan Kara wrote:
>>> Hi,
>>>
>>> On Wed 18-06-25 05:56:30, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit:    bc6e0ba6c9ba Add linux-next specific files for 20250613
>>>> git tree:       linux-next
>>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=108c710c580000
>>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=2f7a2e4d17ed458f
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=8e4be574cb8c40140a2a
>>>> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=148c710c580000
>>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179025d4580000
>>>>
>>>> Downloadable assets:
>>>> disk image:   https://storage.googleapis.com/syzbot-assets/2430bb0465cc/disk-bc6e0ba6.raw.xz
>>>> vmlinux:      https://storage.googleapis.com/syzbot-assets/436a39deef0a/vmlinux-bc6e0ba6.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/e314ca5b1eb3/bzImage-bc6e0ba6.xz
>>>>
>>>> The issue was bisected to:
>>>>
>>>> commit 3b61a3f08949297815b2c77ae2696f54cd339419
>>>> Author: Ryan Roberts
>>>> Date:   Mon Jun 9 09:27:27 2025 +0000
>>>>
>>>>     mm/filemap: allow arch to request folio size for exec memory
>>>
>>> Indeed. The crash is in:
>>>
>>> 	fpin = maybe_unlock_mmap_for_io(vmf, fpin);
>>> 	if (vm_flags & VM_EXEC) {
>>> 		/*
>>> 		 * Allow arch to request a preferred minimum folio order for
>>> 		 * executable memory. This can often be beneficial to
>>> 		 * performance if (e.g.) arm64 can contpte-map the folio.
>>> 		 * Executable memory rarely benefits from readahead, due to its
>>> 		 * random access nature, so set async_size to 0.
>>> 		 *
>>> 		 * Limit to the boundaries of the VMA to avoid reading in any
>>> 		 * pad that might exist between sections, which would be a waste
>>> 		 * of memory.
>>> 		 */
>>> 		struct vm_area_struct *vma = vmf->vma;
>>> 		unsigned long start = vma->vm_pgoff;
>>> 		                      ^^^^ here
>>>
>>> which is not surprising because we've unlocked mmap_sem (or vma lock) just
>>> above this if and thus vma could have been released before we got here. The
>>> easiest fix is to move maybe_unlock_mmap_for_io() below this if. There's
>>> nothing in there that would be problematic with the locks still held.
>>
>> Thanks for the quick analysis, Jan! Ouch...
>>
>> This is still in mm-unstable I believe, so I'll send a fix-up patch to Andrew to
>> move the unlock as you suggest.
>>
>> By the way, I don't think I was included on the original report; is there a way
>> I can sign up to be included on patches I authored in future?
>
> Your address looks like it's on To:
>
>   https://lore.kernel.org/r/6852b77e.a70a0220.79d0a.0214.GAE@google.com
>
> but maybe you redirect syzbot reports to the SP^H^HIMPORTANT folder?

Hmm... Another email fail from me I guess. I don't have any rule that I'm aware of
and I don't see it in any of the folders that I do redirect to, nor in the trash.
Anyway, it's almost certainly my error. Thanks for pointing it out.

> Will
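The lock-ordering problem Jan points out, modelled as an added C example (not kernel code and not part of this thread): a constructed stand-in for `vm_fault`/`vm_area_struct` where dropping the lock invalidates the VMA, shown once in the bisected commit's order and once with `maybe_unlock_mmap_for_io()` moved below the `VM_EXEC` block as Jan suggests. `model_unlock_mmap_for_io`, `start_pgoff_locked` and `run_model` are hypothetical helpers invented for the model.

```c
#include <stdbool.h>
/* Constructed stand-ins for the kernel types; only the fields the bug touches. */
#define VM_EXEC 0x4u
struct vm_area_struct { unsigned long vm_pgoff; unsigned long vm_flags; };
struct vm_fault { struct vm_area_struct *vma; bool lock_held; }; /* vma valid only while lock held */

/* Models maybe_unlock_mmap_for_io(): once the lock is dropped the VMA may be freed. */
static void model_unlock_mmap_for_io(struct vm_fault *vmf)
{
	vmf->lock_held = false;
	vmf->vma = 0;	/* simulate the VMA being released by another thread */
}

/* Reads vma->vm_pgoff; returns -1 to flag a dereference without the lock (the UAF hazard). */
static long start_pgoff_locked(const struct vm_fault *vmf)
{
	if (!vmf->lock_held || !vmf->vma)
		return -1;
	return (long)vmf->vma->vm_pgoff;
}

/* Ordering from the bisected commit: unlock first, then touch vmf->vma. */
long readahead_start_buggy(struct vm_fault *vmf, unsigned long vm_flags)
{
	long start = 0;
	model_unlock_mmap_for_io(vmf);
	if (vm_flags & VM_EXEC)
		start = start_pgoff_locked(vmf);
	return start;
}

/* Jan's suggested ordering: use the VMA while still locked, drop the lock afterwards. */
long readahead_start_fixed(struct vm_fault *vmf, unsigned long vm_flags)
{
	long start = 0;
	if (vm_flags & VM_EXEC)
		start = start_pgoff_locked(vmf);
	model_unlock_mmap_for_io(vmf);
	return start;
}

/* Runs one variant against a constructed exec VMA whose vm_pgoff is 42. */
long run_model(bool use_fixed_order)
{
	struct vm_area_struct vma = { .vm_pgoff = 42, .vm_flags = VM_EXEC };
	struct vm_fault vmf = { .vma = &vma, .lock_held = true };
	return use_fixed_order ? readahead_start_fixed(&vmf, vma.vm_flags) : readahead_start_buggy(&vmf, vma.vm_flags);
}
```

The buggy order returns the hazard marker because the VMA is gone by the time `vm_pgoff` is read; the reordered version reads it under the lock and returns the real offset.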