From: Yang Shi
Date: Fri, 21 Aug 2020 13:34:17 -0700
Subject: Re: KASAN: use-after-free Read in do_madvise
To: Andrew Morton
Cc: syzbot, Linux Kernel Mailing List, Linux MM, syzkaller-bugs@googlegroups.com, Jan Kara
References: <000000000000e44b7d05ad6624df@google.com> <20200821130337.f4d1f5cd665ab149e1f43ed5@linux-foundation.org>
In-Reply-To: <20200821130337.f4d1f5cd665ab149e1f43ed5@linux-foundation.org>

On Fri, Aug 21, 2020 at 1:03 PM Andrew Morton wrote:
>
> On Fri, 21 Aug 2020 10:15:45 -0700 Yang Shi wrote:
>
> > It looks like the vma is gone. The below patch should be able to fix it:
> >
> > diff --git a/mm/madvise.c b/mm/madvise.c
> > index dd1d43cf026d..d4aa5f776543 100644
> > --- a/mm/madvise.c
> > +++ b/mm/madvise.c
> > @@ -289,9 +289,9 @@ static long madvise_willneed(struct vm_area_struct *vma,
> >          */
> >         *prev = NULL;   /* tell sys_madvise we drop mmap_lock */
> >         get_file(file);
> > -       mmap_read_unlock(current->mm);
> >         offset = (loff_t)(start - vma->vm_start)
> >                 + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
> > +       mmap_read_unlock(current->mm);
> >         vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED);
> >         fput(file);
> >         mmap_read_lock(current->mm);
>
> Oh geeze. Can you please send this along as a real patch, cc:stable,
> Fixes: 692fe62433d4c? Please cc Jan!

Yes, sure. Working on a real patch now.
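Review bot: the reordering in the quoted hunk is the right fix, since both reads of the vma (vma->vm_start and vma->vm_pgoff in the offset computation) now happen before mmap_read_unlock(current->mm), and nothing after the unlock in the visible context (vfs_fadvise(), fput(), mmap_read_lock()) touches vma; only `file` is used there, and it is pinned by the preceding get_file(). Since `*prev = NULL; /* tell sys_madvise we drop mmap_lock */` already documents that the lock is dropped, consider adding a one-line comment directly above the moved `mmap_read_unlock(current->mm);` stating that vma must not be dereferenced past that point, so a later edit does not silently reintroduce the use-after-free. When sending the real patch, carry the `Fixes: 692fe62433d4c` and Cc: stable tags Andrew asked for and cc Jan Kara.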
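The bug and the fix as a runnable userspace model (added example written for this page; it is not code from the thread or from mm/madvise.c). The struct names, the mocked mmap_read_lock()/mmap_read_unlock(), the VMA_ALIVE/VMA_POISON markers and the sample addresses are all assumptions. A real kfree() cannot be read back safely, so "unmapping" poisons the object and a checked accessor reports the stale read, standing in for the KASAN use-after-free report; the buggy path mirrors the pre-patch order (unlock, then dereference vma) and the fixed path the post-patch order.

```c
/* Added example, not code from the thread or from mm/madvise.c. All names
 * below are hypothetical stand-ins for the kernel objects they model. */
#include <stdio.h>

#define PAGE_SHIFT 12
#define VMA_ALIVE  0x766d6100UL   /* constructed marker: vma is mapped */
#define VMA_POISON 0xdeadbeefUL   /* constructed marker: vma was freed */

struct vma {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;       /* file offset of vm_start, in pages */
    unsigned long magic;          /* VMA_ALIVE or VMA_POISON */
};

struct mm {
    int read_locks;               /* >0 while mmap_lock is held for read */
    struct vma *vma;
    int munmap_pending;           /* another thread is blocked on mmap_lock */
};

static void mmap_read_lock(struct mm *mm)
{
    mm->read_locks++;
}

/* Dropping the last read lock lets the pending munmap() tear down the vma. */
static void mmap_read_unlock(struct mm *mm)
{
    mm->read_locks--;
    if (mm->read_locks == 0 && mm->munmap_pending) {
        mm->vma->magic = VMA_POISON;   /* kfree(vma) in the real kernel */
        mm->munmap_pending = 0;
    }
}

/* Checked field read: returns -1 if the vma has been freed (the KASAN case). */
static int vma_fields(const struct vma *vma, unsigned long *start,
                      unsigned long *pgoff)
{
    if (vma->magic != VMA_ALIVE)
        return -1;
    *start = vma->vm_start;
    *pgoff = vma->vm_pgoff;
    return 0;
}

/* Same arithmetic as the offset line in the patch. */
static long long file_offset(unsigned long start, unsigned long vm_start,
                             unsigned long pgoff)
{
    return (long long)(start - vm_start) + ((long long)pgoff << PAGE_SHIFT);
}

/* Pre-fix ordering: unlock first, then dereference vma. Returns -1 on UAF. */
static long long willneed_buggy(struct mm *mm, struct vma *vma,
                                unsigned long start)
{
    unsigned long vm_start, pgoff;
    long long off = -1;

    mmap_read_unlock(mm);                  /* vma may be freed from here on */
    if (vma_fields(vma, &vm_start, &pgoff) == 0)
        off = file_offset(start, vm_start, pgoff);
    /* vfs_fadvise(file, off, len, POSIX_FADV_WILLNEED) would run here */
    mmap_read_lock(mm);
    return off;
}

/* Post-fix ordering: read what is needed from vma, then unlock. */
static long long willneed_fixed(struct mm *mm, struct vma *vma,
                                unsigned long start)
{
    unsigned long vm_start, pgoff;
    long long off = -1;

    if (vma_fields(vma, &vm_start, &pgoff) == 0)
        off = file_offset(start, vm_start, pgoff);
    mmap_read_unlock(mm);                  /* vma is not touched past here */
    /* vfs_fadvise() here uses only `file`, which get_file() keeps alive */
    mmap_read_lock(mm);
    return off;
}

/* Runs MADV_WILLNEED on a constructed mapping while an munmap() races
 * (race != 0). Returns the file offset, or -1 for a stale vma read. */
long long run_scenario(int fixed, int race)
{
    struct vma v = { .vm_start = 0x10000, .vm_end = 0x20000,
                     .vm_pgoff = 3, .magic = VMA_ALIVE };
    struct mm mm = { .read_locks = 0, .vma = &v, .munmap_pending = race };
    long long off;

    mmap_read_lock(&mm);                   /* as do_madvise() does */
    off = fixed ? willneed_fixed(&mm, &v, 0x12000)
                : willneed_buggy(&mm, &v, 0x12000);
    mmap_read_unlock(&mm);
    return off;
}

int main(void)
{
    printf("buggy, no race: %lld\n", run_scenario(0, 0));
    printf("buggy, race   : %lld\n", run_scenario(0, 1));
    printf("fixed, race   : %lld\n", run_scenario(1, 1));
    return 0;
}
```

Without a racing munmap() both orderings return the same offset (0x2000 into the vma plus 3 pages of vm_pgoff, 0x5000), which is why the bug only shows up under a fuzzer like syzbot; with the race, the buggy ordering reads a freed vma and the fixed ordering does not.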