From: Suren Baghdasaryan
Date: Thu, 10 Feb 2022 07:21:52 -0800
Subject: Re: [PATCH v2 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
To: Matthew Wilcox
Cc: Andrew Morton, Colin Cross, Sumit Semwal, Michal Hocko, Dave Hansen, Kees Cook, Kirill A. Shutemov, Vlastimil Babka, Johannes Weiner, Eric W. Biederman, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
References: <20220210043215.42794-1-surenb@google.com>
Sender: owner-linux-mm@kvack.org

On Thu, Feb 10, 2022 at 5:27 AM Matthew Wilcox wrote:
>
> On Wed, Feb 09, 2022 at 08:32:15PM -0800, Suren Baghdasaryan wrote:
> > +void vma_anon_name_put(struct anon_vma_name *anon_name)
> > +{
> > +	kref_put(&anon_name->kref, vma_anon_name_free);
> > +}
>
> To agree with Michal, make this:
>
> 	if (anon_name)
> 		kref_put(&anon_name->kref, vma_anon_name_free);

Ack.
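Review bot: kref_put() dereferences anon_name unconditionally, so vma_anon_name_put(NULL) faults, yet vma_anon_name_get() returns NULL for an unnamed VMA, which is exactly what every get/put pair at a call site will hand back. Guard it with `if (anon_name)` and state NULL-tolerance in a one-line comment on the function, so callers can unconditionally put whatever get returned instead of growing an if/else around every madvise_update_vma() call.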
>
> >
> > -	error = madvise_update_vma(vma, prev, start, end, new_flags,
> > -				   vma_anon_name(vma));
> > +	anon_name = vma_anon_name_get(vma);
> > +	if (anon_name) {
> > +		error = madvise_update_vma(vma, prev, start, end, new_flags,
> > +					   anon_name->name);
> > +		vma_anon_name_put(anon_name);
> > +	} else {
> > +		error = madvise_update_vma(vma, prev, start, end, new_flags,
> > +					   NULL);
> > +	}
>
> And then this becomes:
>
> 	anon_name = vma_anon_name_get(vma);
> 	error = madvise_update_vma(vma, prev, start, end, new_flags, anon_name);
> 	vma_anon_name_put(anon_name);

As I indicated in the other reply, there is another madvise_update_vma user which has only the name string, not the anon_vma_name struct. So this can become:

	anon_name = vma_anon_name_get(vma);
	error = madvise_update_vma(vma, prev, start, end, new_flags,
				   anon_name ? anon_name->name : NULL);
	vma_anon_name_put(anon_name);
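Review bot: the if/else duplicates the madvise_update_vma() call with only the last argument differing; once vma_anon_name_put() tolerates NULL this collapses to one call passing `anon_name ? anon_name->name : NULL` followed by an unconditional put, so the NULL guard on put and this hunk should land together. Keep the put after madvise_update_vma() returns, not before: the reference taken by vma_anon_name_get() is what keeps anon_name->name alive if the update merges and frees the vma, which is the use-after-free named in the subject line.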
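As an added illustration, not code from this thread or from the kernel, the following userspace C model shows why the get/put pair has to bracket the call and why the put must accept NULL. The identifiers struct anon_vma_name, vma_anon_name_get(), vma_anon_name_put(), vma_anon_name_free() and madvise_update_vma() are taken from the patch; their bodies, the plain integer standing in for struct kref, the make_vma() helper and a madvise_update_vma() that frees the VMA it is given before reading the name (standing in for the merge path the subject line refers to) are assumptions of the model. The kref release is simulated by poisoning the string instead of calling free(), so the stale read in the pre-fix caller is observable deterministically rather than as undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32

/* Userspace model (assumption, not kernel code) of the refcounted anon VMA name. */
struct anon_vma_name {
	int refcount;          /* stands in for struct kref */
	char name[NAME_LEN];
};

struct vma {
	struct anon_vma_name *anon_name;   /* the VMA's own reference, NULL if unnamed */
};

static struct anon_vma_name *anon_vma_name_alloc(const char *name)
{
	struct anon_vma_name *n = calloc(1, sizeof(*n));
	if (n) {
		n->refcount = 1;
		strncpy(n->name, name, NAME_LEN - 1);
	}
	return n;
}

/* Release callback: poison and leak instead of free(), so a read through a
 * dangling pointer deterministically yields "<freed>" rather than being UB. */
static void vma_anon_name_free(struct anon_vma_name *n)
{
	strcpy(n->name, "<freed>");
}

/* Pre-fix accessor: a raw pointer into the VMA's name, no reference taken. */
static const char *vma_anon_name(const struct vma *vma)
{
	return vma->anon_name ? vma->anon_name->name : NULL;
}

static struct anon_vma_name *vma_anon_name_get(struct vma *vma)
{
	if (vma->anon_name)
		vma->anon_name->refcount++;
	return vma->anon_name;
}

/* NULL-tolerant, so callers can unconditionally put whatever get returned. */
static void vma_anon_name_put(struct anon_vma_name *n)
{
	if (n && --n->refcount == 0)
		vma_anon_name_free(n);
}

/* Model of madvise_update_vma(): the VMA is merged into a fresh one and freed
 * (dropping its name reference) before `name` is read to label the result.
 * If `name` points into the old VMA's name and nobody else holds a reference,
 * that read is the use-after-free. */
static int madvise_update_vma(struct vma **pvma, const char *name)
{
	struct vma *merged = calloc(1, sizeof(*merged));
	if (!merged)
		return -ENOMEM;
	vma_anon_name_put((*pvma)->anon_name);
	free(*pvma);
	merged->anon_name = name ? anon_vma_name_alloc(name) : NULL;
	*pvma = merged;
	return 0;
}

/* Pre-fix caller: a raw pointer into the VMA's own name crosses the call. */
const char *update_without_reference(struct vma **pvma)
{
	if (madvise_update_vma(pvma, vma_anon_name(*pvma)))
		return NULL;
	return vma_anon_name(*pvma);
}

/* Fixed caller: pin the name across the call, pass the string or NULL, then put. */
const char *update_with_reference(struct vma **pvma)
{
	struct anon_vma_name *anon_name = vma_anon_name_get(*pvma);
	int error = madvise_update_vma(pvma, anon_name ? anon_name->name : NULL);
	vma_anon_name_put(anon_name);   /* fine when anon_name is NULL */
	return error ? NULL : vma_anon_name(*pvma);
}

struct vma *make_vma(const char *name)   /* constructed sample VMA, not kernel API */
{
	struct vma *v = calloc(1, sizeof(*v));
	if (v)
		v->anon_name = name ? anon_vma_name_alloc(name) : NULL;
	return v;
}

int main(void)
{
	struct vma *a = make_vma("heap"), *b = make_vma("heap");
	printf("without reference: %s\n", update_without_reference(&a));
	printf("with reference:    %s\n", update_with_reference(&b));
	return 0;
}
```

The pre-fix caller ends up labelling the merged VMA "<freed>" because the only reference to the name died with the old VMA inside the call; the fixed caller's extra reference keeps the string valid until its own put, and an unnamed VMA goes through the same path with a NULL that the put simply ignores.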