From: Qi Zheng <zhengqi.arch@bytedance.com>
To: Yu Zhao
Cc: syzbot, David Hildenbrand, Jann Horn, Hugh Dickins, Muchun Song, akpm@linux-foundation.org, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, x86@kernel.org
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte
Date: Mon, 9 Dec 2024 17:20:20 +0800
Message-ID: <8dbb0f16-6e35-4c26-a63b-29b65c819fea@bytedance.com>
In-Reply-To: <70f78ae0-481f-4096-af82-fe5a9f131eb3@bytedance.com>
References: <67548279.050a0220.a30f1.015b.GAE@google.com> <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com> <70f78ae0-481f-4096-af82-fe5a9f131eb3@bytedance.com>

On 2024/12/9 16:09, Qi Zheng wrote: > > > On 2024/12/9 15:56, Yu Zhao wrote: >> On Mon, Dec 9, 2024 at 12:00 AM Qi Zheng >> wrote: > > [...] > >>>>> >>>>> If you want syzbot to run the reproducer, reply with: >>>>> #syz test: git://repo/address.git branch-or-commit-hash >>>>> If you attach or paste a git patch, syzbot will apply it before >>>>> testing. >>> >>> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git >>> mm-unstable >>> >>> diff --git a/mm/memory.c b/mm/memory.c >>> index 83fd35c034d7a..28526a4205d1b 100644 >>> --- a/mm/memory.c >>> +++ b/mm/memory.c
>>> @@ -7023,7 +7023,7 @@ static struct kmem_cache *page_ptl_cachep; >>>    void __init ptlock_cache_init(void) >>>    { >>>           page_ptl_cachep = kmem_cache_create("page->ptl", >>> sizeof(spinlock_t), 0, >>> -                       SLAB_PANIC, NULL); >>> +                       SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL); >> >> Note that `SLAB_TYPESAFE_BY_RCU` works by freeing the entire slab (the >> page containing the objects) with RCU, not individual objects. >> >> So I don't think this would work. A PTL object can be re-allocated to >> someone else, and that new user can re-initialize it. So trying to >> concurrently lock it under RCU read lock would also be use-after-free. >> > > Got it. Thanks for pointing this out! So we should put ptlock_free() > into the RCU callback instead of enabling SLAB_TYPESAFE_BY_RCU for > page_ptl_cachep. Like the following: diff --git a/include/linux/mm.h b/include/linux/mm.h index 95bfaf5b85d90..b532415ef5841 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -2988,7 +2988,7 @@ void ptlock_free(struct ptdesc *ptdesc); static inline spinlock_t *ptlock_ptr(struct ptdesc *ptdesc) { - return ptdesc->ptl; + return &(ptdesc->ptl->ptl); } #else /* ALLOC_SPLIT_PTLOCKS */ static inline void ptlock_cache_init(void) diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index d0e720ccecd71..7b94ea4d0d26a 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -434,6 +434,13 @@ FOLIO_MATCH(flags, _flags_2a); FOLIO_MATCH(compound_head, _head_2a); #undef FOLIO_MATCH +#if ALLOC_SPLIT_PTLOCKS +struct pt_lock { + spinlock_t ptl; + struct rcu_head rcu; +}; +#endif + /** * struct ptdesc - Memory descriptor for page tables. * @__page_flags: Same as page flags. Powerpc only. @@ -478,7 +485,7 @@ struct ptdesc { union { unsigned long _pt_pad_2; #if ALLOC_SPLIT_PTLOCKS - spinlock_t *ptl; + struct pt_lock *ptl; #else spinlock_t ptl; #endif 
diff --git a/include/linux/mm_types_task.h b/include/linux/mm_types_task.h index a82aa80c0ba46..774ef2a128104 100644 --- a/include/linux/mm_types_task.h +++ b/include/linux/mm_types_task.h @@ -17,7 +17,8 @@ #include #endif -#define ALLOC_SPLIT_PTLOCKS (SPINLOCK_SIZE > BITS_PER_LONG/8) +/*#define ALLOC_SPLIT_PTLOCKS (SPINLOCK_SIZE > BITS_PER_LONG/8)*/ +#define ALLOC_SPLIT_PTLOCKS 1 /* * When updating this, please also update struct resident_page_types[] in diff --git a/mm/memory.c b/mm/memory.c index 83fd35c034d7a..802dae0602b32 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -7022,24 +7022,34 @@ static struct kmem_cache *page_ptl_cachep; void __init ptlock_cache_init(void) { - page_ptl_cachep = kmem_cache_create("page->ptl", sizeof(spinlock_t), 0, + page_ptl_cachep = kmem_cache_create("page->ptl", sizeof(struct pt_lock), 0, SLAB_PANIC, NULL); } bool ptlock_alloc(struct ptdesc *ptdesc) { - spinlock_t *ptl; + struct pt_lock *pt_lock; - ptl = kmem_cache_alloc(page_ptl_cachep, GFP_KERNEL); - if (!ptl) + pt_lock = kmem_cache_alloc(page_ptl_cachep, GFP_KERNEL); + if (!pt_lock) return false; - ptdesc->ptl = ptl; + ptdesc->ptl = pt_lock; return true; } +static void ptlock_free_rcu(struct rcu_head *head) +{ + struct pt_lock *pt_lock; + + pt_lock = container_of(head, struct pt_lock, rcu); + kmem_cache_free(page_ptl_cachep, pt_lock); +} + void ptlock_free(struct ptdesc *ptdesc) { - kmem_cache_free(page_ptl_cachep, ptdesc->ptl); + struct pt_lock *pt_lock = ptdesc->ptl; + + call_rcu(&pt_lock->rcu, ptlock_free_rcu); } #endif > >>>
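Review bot: in the include/linux/mm.h hunk, changing `ptdesc->ptl` from `spinlock_t *` to `struct pt_lock *` means any code that still dereferences `ptdesc->ptl` directly as a spinlock no longer compiles or, worse, silently operates on the wrong address; only `ptlock_ptr()` is updated here, so please confirm every user of the split lock goes through `ptlock_ptr()`. Minor style point in the same hunk: the parentheses in `return &(ptdesc->ptl->ptl);` are redundant, `return &ptdesc->ptl->ptl;` is the usual kernel form.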
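Review bot: in the include/linux/mm_types.h hunk, the new `struct pt_lock` has no comment explaining why it carries an `rcu_head`; a one-line comment that the lock must stay valid for a grace period after the page table is freed, so that a lockless path can still take it under `rcu_read_lock()` and then re-validate, would save the next reader a trip to the mailing list. Worth noting in the changelog as well that every split PTL allocation grows by the size of `struct rcu_head`.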
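Review bot: the include/linux/mm_types_task.h hunk comments out the real `ALLOC_SPLIT_PTLOCKS` condition and hard-codes it to 1, which looks like a way to force the split-PTL path for the syzbot run rather than part of the fix; it must not be merged as is. It also exposes a gap: when `ALLOC_SPLIT_PTLOCKS` is 0 the `spinlock_t` is embedded in `struct ptdesc` (see the `#else` branch in the mm_types.h hunk), and the RCU deferral added in mm/memory.c does nothing for that configuration, so the non-split case needs its own answer or an explanation of why it is already safe.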
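Review bot: in the mm/memory.c hunk, `ptlock_free()` now defers `kmem_cache_free()` through `call_rcu()` without a comment saying why; please add one, since a reader will otherwise see only an unexplained extra grace period. More importantly, deferring the free only keeps the memory valid: by the time a lockless reader acquires the lock under `rcu_read_lock()`, the page table that the lock protected may already have been freed, so the callers on that path still have to re-check that the page table is live (for example by re-reading the pmd) after `spin_lock()` succeeds, and the changelog should spell out that the RCU deferral is paired with such a re-check rather than being sufficient on its own.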