Date: Sun, 16 Aug 2020 13:44:25 -0700 (PDT)
From: Hugh Dickins
To: Andrew Morton
Cc: Song Liu, "Kirill A. Shutemov", Srikar Dronamraju, Oleg Nesterov, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH] uprobes: __replace_page() avoid BUG in munlock_vma_page()

syzbot crashed on the VM_BUG_ON_PAGE(PageTail) in munlock_vma_page(), when called from uprobes __replace_page(). Which of many ways to fix it? Settled on not calling when PageCompound (since Head and Tail are equals in this context, PageCompound the usual check in uprobes.c, and the prior use of FOLL_SPLIT_PMD will have cleared PageMlocked already).

Reported-by: syzbot
Fixes: 5a52c9df62b4 ("uprobe: use FOLL_SPLIT_PMD instead of FOLL_SPLIT")
Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v5.4+ --- This one is not a 5.9-rc regression, but still good to fix. kernel/events/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- v5.9-rc/kernel/events/uprobes.c 2020-08-12 19:46:50.851196584 -0700 +++ linux/kernel/events/uprobes.c 2020-08-16 13:18:35.292821674 -0700 @@ -205,7 +205,7 @@ static int __replace_page(struct vm_area try_to_free_swap(old_page); page_vma_mapped_walk_done(&pvmw); - if (vma->vm_flags & VM_LOCKED) + if ((vma->vm_flags & VM_LOCKED) && !PageCompound(old_page)) munlock_vma_page(old_page); put_page(old_page);
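Review bot: the new `!PageCompound(old_page)` guard in the __replace_page() hunk encodes an invariant that is stated only in the commit message (the earlier FOLL_SPLIT_PMD use has already split the PMD and cleared PageMlocked on the compound page), so a reader of the function sees a VM_LOCKED vma whose compound old_page is deliberately not passed to munlock_vma_page() and cannot tell from the code whether that is safe or an mlock accounting leak. Suggest a one-line comment above the condition, e.g. `/* FOLL_SPLIT_PMD has already split and munlocked compound pages */`, so the reason survives outside the changelog; since the patch is Cc'd to stable for v5.4+, it is also worth stating in the changelog that the PageTail VM_BUG_ON is only reachable through this call site in uprobes.c, as the fix silences the crash at one caller rather than in munlock_vma_page() itself.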