Date: Wed, 25 May 2022 18:57:55 +0100
From: Matthew Wilcox
To: Andrew Morton
Cc: syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in do_sync_mmap_readahead
References: <0000000000008cfbca05dfd6db81@google.com> <20220525095842.f97b64de9cbcc0e15d1257a6@linux-foundation.org>
In-Reply-To: <20220525095842.f97b64de9cbcc0e15d1257a6@linux-foundation.org>

On Wed, May 25, 2022 at 09:58:42AM -0700, Andrew Morton wrote:
> On Wed, 25 May 2022 07:26:22 -0700 syzbot wrote:
> > BUG: KASAN: use-after-free in do_sync_mmap_readahead+0x465/0x9f0 mm/filemap.c:3006
> > Read of size 8 at addr ffff88801fedb050 by task syz-executor.5/1755
>
> A race?
>
> #ifdef CONFIG_TRANSPARENT_HUGEPAGE
>         /* Use the readahead code, even if readahead is disabled */
>         if (vmf->vma->vm_flags & VM_HUGEPAGE) {
>                 fpin = maybe_unlock_mmap_for_io(vmf, fpin);
>                 ractl._index &= ~((unsigned long)HPAGE_PMD_NR - 1);
>                 ra->size = HPAGE_PMD_NR;
>                 /*
>                  * Fetch two PMD folios, so we get the chance to actually
>                  * readahead, unless we've been told not to.
>                  */
> -->             if (!(vmf->vma->vm_flags & VM_RAND_READ))
>                         ra->size *= 2;
>                 ra->async_size = HPAGE_PMD_NR;
>                 page_cache_ra_order(&ractl, ra, HPAGE_PMD_ORDER);
>                 return fpin;
>         }
> #endif
>
> Reading from vmf->vma->vm_flags was OK, then it suddenly wasn't.

Ohh, that makes sense.  We unlocked the mmap_sem, so the file is pinned,
but the VMA isn't.  I'll whip up a patch.
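A stand-alone C model of the bug class diagnosed in the thread, added here as an illustration; it is not kernel code and not part of the original message. The struct names mirror the report but are reduced to the fields used, VM_HUGEPAGE, VM_RAND_READ and HPAGE_PMD_NR carry their x86-64 values, and a concurrent unmap is simulated by poisoning the VMA the moment the mmap lock is dropped, so the effect of the stale read is deterministic.

```c
/* Model: a VMA is only kept alive by the mmap lock. The buggy readahead
 * path drops that lock for I/O and then dereferences vmf->vma again; the
 * fixed path snapshots vm_flags while the lock is still held. */
#include <string.h>

#define VM_HUGEPAGE   0x20000000UL
#define VM_RAND_READ  0x00010000UL
#define HPAGE_PMD_NR  512UL          /* 2 MiB / 4 KiB on x86-64 */

struct vm_area_struct { unsigned long vm_flags; };
struct vm_fault       { struct vm_area_struct *vma; };
struct file_ra_state  { unsigned long size, async_size; };

/* Stand-in for maybe_unlock_mmap_for_io() racing with munmap(): once the
 * lock is gone the VMA may be torn down. We poison rather than free() so
 * the model stays deterministic and does not rely on undefined behaviour. */
static void unlock_mmap_for_io(struct vm_fault *vmf)
{
    memset(vmf->vma, 0xa5, sizeof *vmf->vma);   /* the VMA is "freed" */
}

/* Buggy shape, as in the report: second vm_flags read is after the unlock. */
static unsigned long ra_size_buggy(struct vm_fault *vmf, struct file_ra_state *ra)
{
    if (vmf->vma->vm_flags & VM_HUGEPAGE) {
        unlock_mmap_for_io(vmf);
        ra->size = HPAGE_PMD_NR;
        if (!(vmf->vma->vm_flags & VM_RAND_READ))  /* use-after-free */
            ra->size *= 2;
        ra->async_size = HPAGE_PMD_NR;
    }
    return ra->size;
}

/* Fixed shape: copy every VMA field needed before dropping the lock. */
static unsigned long ra_size_fixed(struct vm_fault *vmf, struct file_ra_state *ra)
{
    unsigned long vm_flags = vmf->vma->vm_flags;   /* read under the lock */
    if (vm_flags & VM_HUGEPAGE) {
        unlock_mmap_for_io(vmf);
        ra->size = HPAGE_PMD_NR;
        if (!(vm_flags & VM_RAND_READ))
            ra->size *= 2;
        ra->async_size = HPAGE_PMD_NR;
    }
    return ra->size;
}

/* Run one variant against a fresh VMA carrying the given flags. */
static unsigned long run(unsigned long (*fn)(struct vm_fault *, struct file_ra_state *),
                         unsigned long flags)
{
    struct vm_area_struct vma = { .vm_flags = flags };
    struct vm_fault vmf = { .vma = &vma };
    struct file_ra_state ra = { 0, 0 };
    return fn(&vmf, &ra);
}
```

With VM_HUGEPAGE set and VM_RAND_READ clear, the fixed path asks for two PMD folios (1024 pages) while the buggy path reads the poisoned flags, sees VM_RAND_READ "set" and asks for one; under KASAN that same stale read is what the report flags.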