Date: Thu, 18 Jul 2024 18:36:19 +0200
From: "Jason A. Donenfeld"
To: Suren Baghdasaryan
Cc: "Liam R. Howlett", "Vlastimil Babka (SUSE)", syzbot, akpm@linux-foundation.org, davem@davemloft.net, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Lorenzo Stoakes
Subject: Re: [syzbot] [crypto?] KASAN: slab-use-after-free Read in handle_mm_fault
References: <00000000000037cdb0061d5924b3@google.com> <46f44064-255b-4a1e-9317-f4b168706d65@kernel.org>
On Thu, Jul 18, 2024 at 04:23:47PM +0000, Suren Baghdasaryan wrote:
> On Thu, Jul 18, 2024 at 4:20 PM Suren Baghdasaryan wrote:
> >
> > On Thu, Jul 18, 2024 at 3:43 PM Liam R. Howlett wrote:
> > >
> > > * Vlastimil Babka (SUSE) [240718 07:00]:
> > > > On 7/16/24 10:29 AM, syzbot wrote:
> > > > > Hello,
> > > >
> > > > dunno about the [crypto?] parts, sounds rather something for Suren or Liam
> > > > or maybe it's due to some changes to gup?
> > >
> > > Yes, that crypto part is very odd.
> > >
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    3fe121b62282 Add linux-next specific files for 20240712
> > > > > git tree:       linux-next
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=1097ebed980000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=98dd8c4bab5cdce
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=4c882a4a0697c4a25364
> > > > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11d611a5980000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ce3259980000
> > > > >
> > > > > Downloadable assets:
> > > > > disk image: https://storage.googleapis.com/syzbot-assets/8c6fbf69718d/disk-3fe121b6.raw.xz
> > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/39fc7e43dfc1/vmlinux-3fe121b6.xz
> > > > > kernel image: https://storage.googleapis.com/syzbot-assets/0a78e70e4b4e/bzImage-3fe121b6.xz
> > > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/66cfe5a679f2/mount_0.gz
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+4c882a4a0697c4a25364@syzkaller.appspotmail.com
> > > > >
> > > > > ==================================================================
> > > > > BUG: KASAN: slab-use-after-free in handle_mm_fault+0x14f0/0x19a0 mm/memory.c:5842
> > > > > Read of size 8 at addr ffff88802c4719d0 by task syz-executor125/5235
> > > > >
> > > > > CPU: 1 UID: 0 PID: 5235 Comm: syz-executor125 Not tainted 6.10.0-rc7-next-20240712-syzkaller #0
> > > > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> > > > > Call Trace:
> > > > >
> > > > >  __dump_stack lib/dump_stack.c:94 [inline]
> > > > >  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
> > > > >  print_address_description mm/kasan/report.c:377 [inline]
> > > > >  print_report+0x169/0x550 mm/kasan/report.c:488
> > > > >  kasan_report+0x143/0x180 mm/kasan/report.c:601
> > > > >  handle_mm_fault+0x14f0/0x19a0 mm/memory.c:5842
> > >
> > > /*
> > >  * By the time we get here, we already hold the mm semaphore
> > >  *
> > >  * The mmap_lock may have been released depending on flags and our
> > >  * return value. See filemap_fault() and __folio_lock_or_retry().
> > >  */
> > >
> > > Somehow we are here without an RCU or mmap_lock held?
> >
> > I'm guessing we did enter handle_mm_fault() with mmap_lock held but
> > __handle_mm_fault() dropped it before returning, see the comment for
> > __handle_mm_fault():
> >
> > /*
> >  * On entry, we hold either the VMA lock or the mmap_lock
> >  * (FAULT_FLAG_VMA_LOCK tells you which). If VM_FAULT_RETRY is set in
> >  * the result, the mmap_lock is not held on exit. See filemap_fault()
> >  * and __folio_lock_or_retry().
> >  */
> >
> > So after that there is nothing that guarantees VMA is not destroyed
> > from under us and if (vma->vm_flags & VM_DROPPABLE) check is unsafe.
> > Hillf's suggestion should fix this issue but we need to figure out how
> > to make this path more robust. Currently it's very easy to make a
> > similar mistake. Maybe a WARNING comment after __handle_mm_fault()
> > that VMA might be unstable after that function and should not be used?
>
> CC'ing Jason.

Thanks for bringing this to my attention. I'll incorporate Hillf's patch
and also add a comment as you suggested. Something like the below?

diff --git a/mm/memory.c b/mm/memory.c
index 18fe893ce96d..f596a8d508ef 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5660,6 +5660,7 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	/* If the fault handler drops the mmap_lock, vma may be freed */
 	struct mm_struct *mm = vma->vm_mm;
 	vm_fault_t ret;
+	bool is_droppable;
 
 	__set_current_state(TASK_RUNNING);
 
@@ -5674,6 +5675,8 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 		goto out;
 	}
 
+	is_droppable = !!(vma->vm_flags & VM_DROPPABLE);
+
 	/*
 	 * Enable the memcg OOM handling for faults triggered in user
 	 * space. Kernel faults are handled more gracefully.
@@ -5688,10 +5691,15 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address,
 	else
 		ret = __handle_mm_fault(vma, address, flags);
 
+	/*
+	 * It is no longer safe to dereference vma-> after this point, as
+	 * __handle_mm_fault may have already destroyed it.
+	 */
+
 	lru_gen_exit_fault();
 
-	/* If the mapping is droppable, then errors due to OOM aren't fatal. */
-	if (vma->vm_flags & VM_DROPPABLE)
+	/* If the mapping is is_droppable, then errors due to OOM aren't fatal. */
+	if (is_droppable)
 		ret &= ~VM_FAULT_OOM;
 
 	if (flags & FAULT_FLAG_USER) {
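Review bot: in the second hunk, the `is_droppable = !!(vma->vm_flags & VM_DROPPABLE);` snapshot sits after the early `goto out` path and before the call that may drop the lock, which is exactly where it has to be; a one-line comment on that assignment saying why the flag is cached (the VMA may be freed once __handle_mm_fault() drops mmap_lock) would stop a later refactor from moving the read back below the call, which is the "very easy to make a similar mistake" concern raised earlier in the thread.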
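Review bot: in the third hunk, the rewritten comment `+	/* If the mapping is is_droppable, then errors due to OOM aren't fatal. */` reads as a search-and-replace slip; the original prose "If the mapping is droppable" was correct and should stay, since the variable name already appears in the condition directly below it. The new block comment above lru_gen_exit_fault() would also read better as "dereference vma after this point" rather than "vma->", and naming the cause (mmap_lock may have been dropped when VM_FAULT_RETRY is set) would tie it to the __handle_mm_fault() comment Suren quoted above.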
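The hazard the thread describes, a callee that may drop the lock protecting an object and leave the caller with a dangling pointer, is general enough to show outside the kernel. The following is an added example written for this page, not kernel code and not Jason's or Suren's: a user-space model in which `struct toy_vma`, `toy_inner_fault()`, `read_vm_flags()` and the flag constants are constructed stand-ins for the VMA, `__handle_mm_fault()` and the real flag bits. The "free" is a poison marker rather than a real `free()`, so the read-after-free in the buggy shape is observable as a counter instead of as undefined behaviour; in the kernel that same read is what KASAN reported.

```c
/*
 * Added example (not kernel code): user-space model of the lifetime hazard
 * in handle_mm_fault(). Everything here is a constructed toy; names mirror
 * the kernel's only for readability.
 */
#include <stdbool.h>
#include <stdio.h>

#define VM_DROPPABLE           0x01u /* toy flag values, not the kernel's */
#define VM_FAULT_OOM           0x01u
#define VM_FAULT_RETRY         0x02u
#define FAULT_FLAG_ALLOW_RETRY 0x01u

struct toy_vma {
	unsigned int vm_flags;
	bool freed;     /* set by toy_vma_free(); stands in for the slab free */
	int uaf_reads;  /* reads after free: what KASAN would report */
};

/* Stand-in for kfree() plus slab poisoning: mark freed and scrub the flags. */
static void toy_vma_free(struct toy_vma *vma)
{
	vma->freed = true;
	vma->vm_flags = 0;
}

/* Every vm_flags read goes through here so a read-after-free is observable. */
static unsigned int read_vm_flags(struct toy_vma *vma)
{
	if (vma->freed)
		vma->uaf_reads++;
	return vma->vm_flags;
}

/*
 * Model of __handle_mm_fault(): when retry is allowed it "drops the lock" and
 * returns VM_FAULT_RETRY; in the kernel another thread may then tear the VMA
 * down. The race is made deterministic here: RETRY always frees the VMA.
 */
static unsigned int toy_inner_fault(struct toy_vma *vma, unsigned int flags)
{
	if (flags & FAULT_FLAG_ALLOW_RETRY) {
		toy_vma_free(vma);
		return VM_FAULT_RETRY | VM_FAULT_OOM;
	}
	return VM_FAULT_OOM;   /* lock still held, vma still valid */
}

/* Buggy shape: reads vma after the call that may have freed it. */
static unsigned int fault_buggy(struct toy_vma *vma, unsigned int flags)
{
	unsigned int ret = toy_inner_fault(vma, flags);

	if (read_vm_flags(vma) & VM_DROPPABLE)   /* use-after-free on RETRY */
		ret &= ~VM_FAULT_OOM;
	return ret;
}

/* Fixed shape: snapshot while vma is known-valid, never touch it afterwards. */
static unsigned int fault_fixed(struct toy_vma *vma, unsigned int flags)
{
	bool is_droppable = !!(read_vm_flags(vma) & VM_DROPPABLE);
	unsigned int ret = toy_inner_fault(vma, flags);

	if (is_droppable)
		ret &= ~VM_FAULT_OOM;
	return ret;
}

int main(void)
{
	struct toy_vma a = { .vm_flags = VM_DROPPABLE };
	struct toy_vma b = { .vm_flags = VM_DROPPABLE };
	unsigned int ra = fault_buggy(&a, FAULT_FLAG_ALLOW_RETRY);
	unsigned int rb = fault_fixed(&b, FAULT_FLAG_ALLOW_RETRY);

	printf("buggy: ret=0x%x reads-after-free=%d OOM-wrongly-kept=%s\n",
	       ra, a.uaf_reads, (ra & VM_FAULT_OOM) ? "yes" : "no");
	printf("fixed: ret=0x%x reads-after-free=%d OOM-wrongly-kept=%s\n",
	       rb, b.uaf_reads, (rb & VM_FAULT_OOM) ? "yes" : "no");
	return 0;
}
```

The buggy shape shows both symptoms at once: a read of poisoned memory (the counter) and a wrong answer (the stale flags no longer say droppable, so the OOM bit is not masked). The fixed shape is the pattern of the patch above, with the additional discipline that the accessor is the only way to read the flags, which makes a post-call read easy to grep for in review.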