From: Suren Baghdasaryan
Date: Tue, 15 Feb 2022 12:30:12 -0800
Subject: Re: [syzbot] KASAN: use-after-free Read in __oom_reap_task_mm
To: Michal Hocko
Cc: Yang Shi, syzbot, Andrew Morton, Christian Brauner, Linux Kernel Mailing List, Linux MM, syzkaller-bugs

On Tue, Feb 15, 2022 at 11:43 AM Suren Baghdasaryan wrote:
>
> On Tue, Feb 15, 2022 at 11:36 AM Michal Hocko wrote:
> >
> > On Tue 15-02-22 10:10:53, Suren Baghdasaryan wrote:
> > > On Tue, Feb 15, 2022 at 9:53 AM Yang Shi wrote:
> > [...]
> > > > Isn't the below race possible?
> > > >
> > > >     CPU A                     CPU B
> > > >   exiting:
> > > >     mmap_write_lock
> > > >     remove_vma()
> > > >     mmap_write_unlock
> > > >                             process_mrelease:
> > > >                               mmap_read_lock
> > > >                               __oom_reap_task_mm
> > > >                               mmap_read_unlock
> > > >
> > >
> > > Sure, that sequence (would not call it a race) is possible but in this
> > > case __oom_reap_task_mm will find no vmas in the mm because exit_mmap
> > > freed and removed all of them.
> >
> > I didn't really have a chance to have a closer look but I do not see
> > exit_mmap doing mm->mmap = NULL so the pointer can be a freed vma unless
> > I am missing something. I thought we've had it in your patches? Has this
> > got lost somewhere in the process?
>
> Doh! Yes, it looks like I completely missed the actual pointer. That
> must be it since I don't see any other possibility. Will post a patch
> shortly.

Fix posted at https://lore.kernel.org/all/20220215201922.1908156-1-surenb@google.com/

> Thanks!
>
> > --
> > Michal Hocko
> > SUSE Labs
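The sequence discussed in the thread, modelled as an added C example (not kernel code and not the posted fix): exit_mmap releases every vma under the write lock, and a later reaper walks mm->mmap under the read lock, so a list head left pointing at a freed vma is what turns the walk into a use-after-free. The toy mm, integer lock and flag-based "free" are assumptions of the model so the stale walk can be observed without undefined behaviour.

```c
/* Added model of the sequence in the thread above, not kernel code. Assumes a
 * toy mm with a linked vma list, an int standing in for mmap_lock, and a
 * "free" that only flags the vma so a stale walk is detectable, not UB. */
#include <stddef.h>
struct vma { struct vma *next; int freed; };
struct mm  { struct vma *mmap; int lock; };  /* lock: -1 writer, >0 readers */
#define NVMAS 3
static struct vma pool[NVMAS];
static void mmap_write_lock(struct mm *mm)   { mm->lock = -1; }
static void mmap_write_unlock(struct mm *mm) { mm->lock = 0; }
static void mmap_read_lock(struct mm *mm)    { mm->lock++; }
static void mmap_read_unlock(struct mm *mm)  { mm->lock--; }
static void remove_vma(struct vma *v)        { v->freed = 1; } /* stands in for free() */

static void mm_init(struct mm *mm) {
    for (int i = 0; i < NVMAS; i++)
        pool[i].freed = 0, pool[i].next = (i + 1 < NVMAS) ? &pool[i + 1] : NULL;
    mm->mmap = &pool[0];
    mm->lock = 0;
}
/* CPU A, exit_mmap(): release every vma under the write lock. With clear_head
 * == 0, mm->mmap is left pointing at the first freed vma (the thread's
 * finding); with 1, the head is cleared before the lock is dropped. */
static void exit_mmap(struct mm *mm, int clear_head) {
    mmap_write_lock(mm);
    for (struct vma *v = mm->mmap, *n; v; v = n) { n = v->next; remove_vma(v); }
    if (clear_head) mm->mmap = NULL;
    mmap_write_unlock(mm);
}

/* CPU B, __oom_reap_task_mm() stand-in: walk the list under the read lock.
 * Returns the number of vmas visited, or -1 if it reached a freed one. */
static int oom_reap_task_mm(struct mm *mm) {
    int n = 0;
    mmap_read_lock(mm);
    for (struct vma *v = mm->mmap; v; v = v->next) {
        if (v->freed) { n = -1; break; }  /* stale vma: the use-after-free */
        n++;
    }
    mmap_read_unlock(mm);
    return n;
}

/* The two-CPU sequence: exit on CPU A, then process_mrelease on CPU B.
 * mode 0: no exit; 1: exit leaves mm->mmap dangling; 2: exit clears it. */
int run_sequence(int mode) {
    struct mm mm;
    mm_init(&mm);
    if (mode) exit_mmap(&mm, mode == 2);
    return oom_reap_task_mm(&mm);
}
```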