From: Qi Zheng
Date: Mon, 9 Dec 2024 16:09:40 +0800
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte
To: Yu Zhao
Cc: syzbot, David Hildenbrand, Jann Horn, Hugh Dickins, Muchun Song, akpm@linux-foundation.org, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, x86@kernel.org
Message-ID: <70f78ae0-481f-4096-af82-fe5a9f131eb3@bytedance.com>
References: <67548279.050a0220.a30f1.015b.GAE@google.com> <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com>

On 2024/12/9 15:56, Yu Zhao wrote:
> On Mon, Dec 9, 2024 at 12:00 AM Qi Zheng wrote:

[...]

>>>>
>>>> If you want syzbot to run the reproducer, reply with:
>>>> #syz test: git://repo/address.git branch-or-commit-hash
>>>> If you attach or paste a git patch, syzbot will apply it before testing.
>>
>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git
>> mm-unstable
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index 83fd35c034d7a..28526a4205d1b 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -7023,7 +7023,7 @@ static struct kmem_cache *page_ptl_cachep;
>> void __init ptlock_cache_init(void)
>> {
>> page_ptl_cachep = kmem_cache_create("page->ptl",
>> sizeof(spinlock_t), 0,
>> - SLAB_PANIC, NULL);
>> + SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL);
>
> Note that `SLAB_TYPESAFE_BY_RCU` works by freeing the entire slab (the
> page containing the objects) with RCU, not individual objects.
>
> So I don't think this would work. A PTL object can be re-allocated to
> someone else, and that new user can re-initialize it. So trying to
> concurrently lock it under RCU read lock would also be use-after-free.
>

Got it. Thanks for pointing this out!

So we should put ptlock_free() into the RCU callback instead of enabling
SLAB_TYPESAFE_BY_RCU for page_ptl_cachep.
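Review bot: the flag change in this hunk (SLAB_PANIC to SLAB_PANIC|SLAB_TYPESAFE_BY_RCU in the kmem_cache_create("page->ptl", ...) call in ptlock_cache_init()) does not make the spinlock_t safe to take under the RCU read lock, because SLAB_TYPESAFE_BY_RCU only delays reuse of the slab page, not of the object: ptlock_free() still returns the lock to the cache immediately, the next allocation hands the same object to a new owner who re-initialises it, and a reader that fetched the pointer earlier can then be spinning on, or already holding, a lock that was just reset underneath it, which is still a use-after-free by reuse of the kind the subject's KASAN report describes. Any SLAB_TYPESAFE_BY_RCU user also has to re-validate after locking that the object is still the one it looked up, and the hunk adds no such check on the reader side. Prefer deferring ptlock_free() through an RCU callback so the object is not returned to the cache until the grace period has ended, and add a comment at the kmem_cache_create() call stating which readers rely on that lifetime.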