Date: Thu, 18 Apr 2024 11:40:51 -0700
From: Vishal Moola
To: syzbot
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, muchun.song@linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common
References: <000000000000daf1e10615e64dcb@google.com>
In-Reply-To: <000000000000daf1e10615e64dcb@google.com>

On Fri, Apr 12, 2024 at 06:32:33AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    11cb68ad52ac Add linux-next specific files for 20240408
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13a6f483180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=727d5608101b5d77
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad1b592fc4483655438b
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/4e90f2d3b1ef/disk-11cb68ad.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d886b454e2cc/vmlinux-11cb68ad.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ed94857c6f92/bzImage-11cb68ad.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git linus

[Attachment: 0001-hugetlb-Check-for-anon_vma-prior-to-folio-allocation.patch]

From 8973cb789bbf64c35ca898541acf3aa6ee8ea2a4 Mon Sep 17 00:00:00 2001
From: "Vishal Moola (Oracle)"
Date: Mon, 15 Apr 2024 14:17:47 -0700
Subject: [PATCH] hugetlb: Check for anon_vma prior to folio allocation

Commit 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of
anon_vma_prepare()") may bail out after allocating a folio if we do not
hold the mmap lock. When this occurs, vmf_anon_prepare() will release the
vma lock. Hugetlb then attempts to call restore_reserve_on_error(), which
depends on the vma lock being held.

We can move vmf_anon_prepare() prior to the folio allocation in order to
avoid calling restore_reserve_on_error() without the vma lock.

Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()")
CC: stable@vger.kernel.org
Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com
Signed-off-by: Vishal Moola (Oracle)
---
 mm/hugetlb.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 23ef240ba48a..948d197cd88f 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6274,6 +6274,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, VM_UFFD_MISSING); } + if (!(vma->vm_flags & VM_MAYSHARE)) { + ret = vmf_anon_prepare(vmf); + if (unlikely(ret)) + goto out; + } + folio = alloc_hugetlb_folio(vma, haddr, 0); if (IS_ERR(folio)) { /* @@ -6310,15 +6316,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, */ restore_reserve_on_error(h, vma, haddr, folio); folio_put(folio); + ret = VM_FAULT_SIGBUS; goto out; } new_pagecache_folio = true; } else { folio_lock(folio); - - ret = vmf_anon_prepare(vmf); - if (unlikely(ret)) - goto backout_unlocked; anon_rmap = 1; } } else { -- 2.43.0 --urpZk1QQExwzJ82G--
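Review bot: in the first hunk (@@ -6274) the new `if (!(vma->vm_flags & VM_MAYSHARE))` block takes `goto out` immediately after vmf_anon_prepare() may have released the vma lock (the commit message says it does on the no-mmap-lock path), so please confirm that whatever the `out:` label does is safe on that VM_FAULT_RETRY return, and add a short comment above the block stating why the call must precede alloc_hugetlb_folio(): with no folio allocated yet there is nothing to back out, which is exactly what makes skipping restore_reserve_on_error() correct here. Without that comment the next person to touch this function is likely to move the check back next to `anon_rmap = 1` where it used to live.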
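Review bot: in the second hunk (@@ -6310) the added `ret = VM_FAULT_SIGBUS;` on the hugetlb_add_to_page_cache() failure path is not mentioned in the commit message, which only describes moving vmf_anon_prepare(); if it is needed because `ret` can now be something other than its initial value at that point, say so in the changelog, otherwise it reads as an unrelated cleanup that belongs in its own patch. The removal of `goto backout_unlocked` from the anonymous branch is the actual fix (that label was the path calling restore_reserve_on_error() after the lock could already be gone), so a one-line comment there, or at the moved call site, would tie the code to the reported UAF better than the changelog alone.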