Date: Thu, 13 Jun 2024 21:03:36 +0800
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in finish_fault
From: Baolin Wang <baolin.wang@linux.alibaba.com>
To: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
References: <000000000000e21956061ac3eff0@google.com> <4e578713-c907-4bec-b2c2-f585772eae13@linux.alibaba.com>
In-Reply-To: <4e578713-c907-4bec-b2c2-f585772eae13@linux.alibaba.com>

On 2024/6/13 20:08, Baolin Wang wrote:
>
>
> On 2024/6/13 19:38, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    d35b2284e966 Add linux-next specific files for 20240607
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=178b77ba980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=d8bf5cd6bcca7343
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d6e5c328862b5ae6cbfe
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=174c680a980000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111b9696980000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/e0055a00a2cb/disk-d35b2284.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/192cbb8cf833/vmlinux-d35b2284.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/57804c9c9319/bzImage-d35b2284.xz
>>
>> The issue was bisected to:
>>
>> commit 1c05047ad01693ad92bdf8347fad3b5c2b25e8bb
>> Author: Baolin Wang
>> Date:   Tue Jun 4 10:17:45 2024 +0000
>>
>>     mm: memory: extend finish_fault() to support large folio
>>
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11267f94980000
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13267f94980000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15267f94980000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+d6e5c328862b5ae6cbfe@syzkaller.appspotmail.com
>> Fixes: 1c05047ad016 ("mm: memory: extend finish_fault() to support large folio")
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in ptep_get include/linux/pgtable.h:317 [inline]
>> BUG: KASAN: use-after-free in ptep_get_lockless include/linux/pgtable.h:581 [inline]
>> BUG: KASAN: use-after-free in pte_range_none mm/memory.c:4409 [inline]
>> BUG: KASAN: use-after-free in finish_fault+0xf87/0x1460 mm/memory.c:4905
>> Read of size 8 at addr ffff88807bfb7000 by task syz-executor149/5117
>>
>> CPU: 0 PID: 5117 Comm: syz-executor149 Not tainted 6.10.0-rc2-next-20240607-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
>> Call Trace:
>>
>>  __dump_stack lib/dump_stack.c:91 [inline]
>>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:117
>>  print_address_description mm/kasan/report.c:377 [inline]
>>  print_report+0x169/0x550 mm/kasan/report.c:488
>>  kasan_report+0x143/0x180 mm/kasan/report.c:601
>>  ptep_get include/linux/pgtable.h:317 [inline]
>>  ptep_get_lockless include/linux/pgtable.h:581 [inline]
>>  pte_range_none mm/memory.c:4409 [inline]
>>  finish_fault+0xf87/0x1460 mm/memory.c:4905
>>  do_read_fault mm/memory.c:5052 [inline]
>>  do_fault mm/memory.c:5178 [inline]
>>  do_pte_missing mm/memory.c:3948 [inline]
>>  handle_pte_fault+0x3db5/0x7130 mm/memory.c:5502
>>  __handle_mm_fault mm/memory.c:5645 [inline]
>>  handle_mm_fault+0x10df/0x1ba0 mm/memory.c:5810
>>  faultin_page mm/gup.c:1339 [inline]
>>  __get_user_pages+0x6ef/0x1590 mm/gup.c:1638
>>  populate_vma_page_range+0x264/0x330 mm/gup.c:2078
>>  __mm_populate+0x27a/0x460 mm/gup.c:2181
>>  mm_populate include/linux/mm.h:3442 [inline]
>>  __do_sys_remap_file_pages mm/mmap.c:3177 [inline]
>>  __se_sys_remap_file_pages+0x7a1/0x9a0 mm/mmap.c:3103
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Thanks for reporting. I think the problem is I should also consider the
> pagetable of PMD size in case the pte entry overflows. I will fix this
> issue ASAP.

I created the following fix to avoid going beyond the PMD pagetable size.

diff --git a/mm/memory.c b/mm/memory.c
index 54d7d2acdf39..92c61800dfb4 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4878,13 +4878,16 @@ vm_fault_t finish_fault(struct vm_fault *vmf)
 		pgoff_t idx = folio_page_idx(folio, page);
 		/* The page offset of vmf->address within the VMA. */
 		pgoff_t vma_off = vmf->pgoff - vmf->vma->vm_pgoff;
+		/* The index of the entry in the pagetable for fault page. */
+		pgoff_t pte_off = pte_index(vmf->address);
 
 		/*
 		 * Fallback to per-page fault in case the folio size in page
-		 * cache beyond the VMA limits.
+		 * cache beyond the VMA limits and PMD pagetable limits.
 		 */
 		if (unlikely(vma_off < idx ||
-			     vma_off + (nr_pages - idx) > vma_pages(vma))) {
+			     vma_off + (nr_pages - idx) > vma_pages(vma) ||
+			     pte_off < idx || pte_off + (nr_pages - idx) > PTRS_PER_PTE - 1)) {
 			nr_pages = 1;
 		} else {
 			/* Now we can set mappings for the whole large folio. */
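Review bot: the new page-table bound in the `if` condition is one entry stricter than the VMA bound next to it. With `pte_off` the index of the faulting page's PTE and `idx` that page's index inside the folio, the folio occupies PTE slots `pte_off - idx` through `pte_off - idx + nr_pages - 1`, so it fits in one table whenever `pte_off + (nr_pages - idx) <= PTRS_PER_PTE`, which is exactly how the existing `vma_off + (nr_pages - idx) > vma_pages(vma)` test expresses the same condition for the VMA. Writing `pte_off + (nr_pages - idx) > PTRS_PER_PTE - 1` also rejects a folio whose last page lands on the last entry of the table; that is safe, but it sends every folio that ends exactly on a PMD boundary down the per-page path for no reason. Suggest `pte_off + (nr_pages - idx) > PTRS_PER_PTE` for symmetry with the VMA check. The `pte_off < idx` half is right: a folio whose first page sits before slot 0 of the table would make `pte_range_none()` read before the page-table page, the counterpart of the out-of-bounds read in the KASAN report above. The new comment could also say that the bound exists because the PTE range is walked from the folio's first page, not from the faulting page, so that the reason for checking both ends survives the next refactor.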
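The range arithmetic behind the fix, as an added user-space model that is not kernel code and not the patch author's code: `model_map_count()` takes the same five quantities the hunk works with (`idx`, `nr_pages`, `vma_off`, `vma_pages`, `pte_off`) and returns how many pages of the folio may be mapped at once, and `model_pte_index()` reimplements what `pte_index()` computes for a 4 KiB-page, 512-entry table. The constants, the function names and the addresses in `main()` are constructed for the example. It uses the bound `> PTRS_PER_PTE`, parallel to the existing `> vma_pages(vma)` check, which differs from the posted hunk's `PTRS_PER_PTE - 1` by one entry; the cases in `main()` show the folio that ends on the last PTE slot (fits) beside the one that would spill into the next page table (falls back).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed constants modelling x86-64 with 4 KiB pages: one PTE-level
 * page table holds 512 entries and covers one 2 MiB PMD range. */
#define MODEL_PAGE_SHIFT   12
#define MODEL_PTRS_PER_PTE 512UL

typedef unsigned long pgoff_t;

/* Index of the PTE for 'address' inside its page table (what pte_index()
 * computes in the kernel; reimplemented here for the model). */
static pgoff_t model_pte_index(uint64_t address)
{
	return (address >> MODEL_PAGE_SHIFT) & (MODEL_PTRS_PER_PTE - 1);
}

/*
 * How many pages of a large folio can be mapped in one go around the
 * faulting page.
 *   idx       - index of the faulting page within the folio
 *   nr_pages  - number of pages in the folio
 *   vma_off   - page offset of the fault address within the VMA
 *   vma_pages - length of the VMA in pages
 *   pte_off   - index of the fault address's PTE within its page table
 * The folio would occupy VMA pages [vma_off - idx, vma_off - idx + nr_pages)
 * and PTE slots [pte_off - idx, pte_off - idx + nr_pages).  Both ranges must
 * lie inside their container, otherwise fall back to mapping one page.
 */
static pgoff_t model_map_count(pgoff_t idx, pgoff_t nr_pages, pgoff_t vma_off,
			       pgoff_t vma_pages, pgoff_t pte_off)
{
	/* folio would start before the VMA or before slot 0 of the table */
	if (vma_off < idx || pte_off < idx)
		return 1;
	/* folio would end past the VMA */
	if (vma_off + (nr_pages - idx) > vma_pages)
		return 1;
	/* folio would end past the table: touching those PTEs means touching
	 * memory beyond the page-table page, the access KASAN flagged */
	if (pte_off + (nr_pages - idx) > MODEL_PTRS_PER_PTE)
		return 1;
	return nr_pages;
}

/* Same decision driven by a fault address instead of a precomputed index. */
static pgoff_t model_map_count_at(uint64_t address, pgoff_t idx,
				  pgoff_t nr_pages, pgoff_t vma_off,
				  pgoff_t vma_pages)
{
	return model_map_count(idx, nr_pages, vma_off, vma_pages,
			       model_pte_index(address));
}

int main(void)
{
	/* Constructed scenario: 16-page folio, fault on its first page, VMA of
	 * 64 pages, fault address on the last page below a 2 MiB boundary. */
	uint64_t addr = 0x7f00001ff000ULL;           /* PTE index 511 */
	printf("pte index %lu -> map %lu page(s)\n",
	       model_pte_index(addr),
	       model_map_count_at(addr, 0, 16, 0, 64)); /* 511 -> 1 */
	/* A folio that ends exactly on the last PTE slot still fits. */
	printf("pte index 496 -> map %lu page(s)\n",
	       model_map_count(0, 16, 0, 64, 496));     /* 16 */
	return 0;
}
```

The two `printf` cases are the ones the review of the hunk turns on: with the `- 1` variant of the bound the second call would also return 1, so a folio aligned to end at the PMD boundary would be mapped page by page despite fitting.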