X-Mailing-List: linux-kernel@vger.kernel.org
References: <000000000000daf1e10615e64dcb@google.com> <000000000000ae5d410615fea3bf@google.com>
From: Vishal Moola
Date: Mon, 15 Apr 2024 16:02:48 -0700
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in __vma_reservation_common
To: Matthew Wilcox
Cc: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, muchun.song@linux.dev, syzkaller-bugs@googlegroups.com

On Mon, Apr 15, 2024 at 3:15 PM Matthew Wilcox wrote:
>
> On Mon, Apr 15, 2024 at 03:05:44PM -0700, Vishal Moola wrote:
> > Commit 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of
> > anon_vma_prepare()") may bailout after allocating a folio if we do not
> > hold the mmap lock. When this occurs, vmf_anon_prepare() will release the
> > vma lock. Hugetlb then attempts to call restore_reserve_on_error(),
> > which depends on the vma lock being held.
> >
> > We can move vmf_anon_prepare() prior to the folio allocation in order to
> > avoid calling restore_reserve_on_error() without the vma lock.
>
> But now you're calling vmf_anon_prepare() in the wrong place -- before
> we've determined that we need an anon folio. So we'll create an
> anon_vma even when we don't need one for this vma.

That's true. Though that can be addressed through something like:

	if (!(vma->vm_flags & VM_MAYSHARE)) {
		ret = vmf_anon_prepare(vmf);
		if (unlikely(ret))
			goto out;
	}

> This is definitely a pre-existing bug which you've exposed by making it
> happen more easily. Needs a different fix though.

I interpreted the bug report to showcase how restore_reserve_on_error()
depends on the vma lock being held - and vmf_anon_prepare() drops that
lock by the time we get to restore_reserve_on_error(). In this case, this
would address it without reworking restore_reserve_on_error().

There very well could be something completely different going on, however
I have no ideas as to what that may be.
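A user-space model of the ordering question in this exchange, added here as an example and not code from the thread or the kernel: it substitutes simplified stand-ins for vmf_anon_prepare() and restore_reserve_on_error() (the lock bookkeeping, the VM_MAYSHARE value and the error code are constructed assumptions) so the original allocate-then-prepare order, the prepare-then-allocate order with the VM_MAYSHARE guard from the reply, and Matthew's point about needless anon_vma creation can each be checked with a lockdep-style precondition test.

```c
/* Added example, not code from this thread or the kernel: a user-space model of the
 * lock-ownership hazard under discussion; flag value, lock bookkeeping and error codes are stand-ins. */
#include <stdbool.h>
#define VM_MAYSHARE 0x1                        /* constructed flag value, not the kernel's */

struct vma { unsigned flags; bool lock_held; bool anon_vma; };
struct outcome { bool unlocked_restore; bool anon_vma_created; };
/* Model of vmf_anon_prepare(): with the mmap lock it sets up the anon_vma and
 * keeps the vma lock; without it, it releases the vma lock and bails out. */
static int vmf_anon_prepare(struct vma *v, bool mmap_locked)
{
    if (!mmap_locked) {
        v->lock_held = false;                  /* caller no longer owns the vma lock */
        return -1;
    }
    v->anon_vma = true;
    return 0;
}

/* Model of restore_reserve_on_error(): lockdep-style check of its lock precondition. */
static bool restore_reserve_on_error(const struct vma *v)
{
    return !v->lock_held;                      /* true: entered without the vma lock */
}

/* Original ordering: allocate the folio, then prepare the anon_vma for a private
 * mapping; on failure the error path restores the reservation after the lock was dropped. */
struct outcome fault_alloc_then_prepare(unsigned flags, bool mmap_locked)
{
    struct vma v = { flags, true, false };     /* vma lock taken at entry */
    struct outcome o = { false, false };       /* folio allocated at this point */
    if (!(flags & VM_MAYSHARE) && vmf_anon_prepare(&v, mmap_locked))
        o.unlocked_restore = restore_reserve_on_error(&v);
    o.anon_vma_created = v.anon_vma;
    return o;
}

/* Ordering proposed in the reply: prepare before allocating, and only for
 * private mappings, so a VM_MAYSHARE vma gets no needless anon_vma. */
struct outcome fault_prepare_then_alloc(unsigned flags, bool mmap_locked, bool alloc_fails)
{
    struct vma v = { flags, true, false };
    struct outcome o = { false, false };
    if (!(flags & VM_MAYSHARE) && vmf_anon_prepare(&v, mmap_locked))
        goto out;                              /* no folio yet: nothing to restore */
    if (alloc_fails)                           /* error path still holds the vma lock */
        o.unlocked_restore = restore_reserve_on_error(&v);
out:
    o.anon_vma_created = v.anon_vma;
    return o;
}
```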