Date: Thu, 18 Apr 2024 11:45:30 -0700
From: Vishal Moola
To: syzbot
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, muchun.song@linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common
References: <000000000000daf1e10615e64dcb@google.com>
In-Reply-To: <000000000000daf1e10615e64dcb@google.com>

On Fri, Apr 12, 2024 at 06:32:33AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    11cb68ad52ac Add linux-next specific files for 20240408
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=13a6f483180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=727d5608101b5d77
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad1b592fc4483655438b
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/4e90f2d3b1ef/disk-11cb68ad.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d886b454e2cc/vmlinux-11cb68ad.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ed94857c6f92/bzImage-11cb68ad.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git linus

Content-Disposition: attachment; filename="0001-hugetlb-Check-for-anon_vma-prior-to-folio-allocation.patch"

From 8973cb789bbf64c35ca898541acf3aa6ee8ea2a4 Mon Sep 17 00:00:00 2001
From: "Vishal Moola (Oracle)"
Date: Mon, 15 Apr 2024 14:17:47 -0700
Subject: [PATCH] hugetlb: Check for anon_vma prior to folio allocation

Commit 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of
anon_vma_prepare()") may bail out after allocating a folio if we do not
hold the mmap lock. When this occurs, vmf_anon_prepare() will release the
vma lock. Hugetlb then attempts to call restore_reserve_on_error(), which
depends on the vma lock being held.

We can move vmf_anon_prepare() prior to the folio allocation in order to
avoid calling restore_reserve_on_error() without the vma lock.

Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()")
CC: stable@vger.kernel.org
Reported-by: syzbot+ad1b592fc4483655438b@syzkaller.appspotmail.com
Signed-off-by: Vishal Moola (Oracle)
---
 mm/hugetlb.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 23ef240ba48a..948d197cd88f 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6274,6 +6274,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, VM_UFFD_MISSING); } + if (!(vma->vm_flags & VM_MAYSHARE)) { + ret = vmf_anon_prepare(vmf); + if (unlikely(ret)) + goto out; + } + folio = alloc_hugetlb_folio(vma, haddr, 0); if (IS_ERR(folio)) { /* @@ -6310,15 +6316,12 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, */ restore_reserve_on_error(h, vma, haddr, folio); folio_put(folio); + ret = VM_FAULT_SIGBUS; goto out; } new_pagecache_folio = true; } else { folio_lock(folio); - - ret = vmf_anon_prepare(vmf); - if (unlikely(ret)) - goto backout_unlocked; anon_rmap = 1; } } else { -- 2.43.0 --p+haZl/smbkDZq3d--
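Review bot: In the first hunk, the new `goto out` is taken after vmf_anon_prepare() has, per the commit message, already released the vma lock on the no-mmap-lock path; the `out:` label is outside the diff context, so please confirm that the unlock and cleanup done there do not dereference `vma` after that release, since a vma access after the lock is dropped is exactly the use-after-free class this patch is meant to close. Moving the call ahead of alloc_hugetlb_folio() does take restore_reserve_on_error() out of the failure path, which matches the description; a short comment above `if (!(vma->vm_flags & VM_MAYSHARE))` stating that the anon_vma must be prepared before any folio is allocated would keep the ordering from being reshuffled later.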
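Review bot: In the second hunk, the added `ret = VM_FAULT_SIGBUS;` before the existing `goto out` in the page-cache insertion failure path is a behavioural change the commit message does not explain: because the first hunk now stores the return value of vmf_anon_prepare() (zero on success) in `ret` before the folio is allocated, whatever value `ret` previously carried to this `goto out` is no longer guaranteed to be an error, so the explicit assignment is what keeps this path returning SIGBUS. Please add a sentence to the commit message saying so, otherwise the line reads like an unrelated fix. Dropping the `vmf_anon_prepare()` call after `folio_lock(folio)` is the counterpart of the first hunk and looks right; the `backout_unlocked` label it jumped to is not in the context, so check that it still has other users or remove it in the same patch.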