yshigeru / linux-devel

Linux kernel source tree

WARNING in vma_merge #7

Closed yshigeru closed 7 months ago

yshigeru commented 9 months ago
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2806 at mm/mmap.c:912 vma_merge+0x27e/0x39b0 mm/mmap.c:912
Modules linked in:

CPU: 0 PID: 2806 Comm: syz-executor.5 Not tainted 6.5.0-11704-g3f86ed6ec0b3 #250
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:vma_merge+0x27e/0x39b0 mm/mmap.c:912
Code: 48 c1 ea 03 80 3c 02 00 0f 85 47 2f 00 00 4d 8b 37 48 89 ee 4c 89 f7 e8 b0 82 bc ff 49 39 ee 0f 84 46 1b 00 00 e8 92 87 bc ff <0f> 0b e8 8b 87 bc ff 4c 8b 74 24 08 48 89 ef 4c 89 f6 e8 8b 82 bc
RSP: 0018:ffffc90005787c08 EFLAGS: 00010283

RAX: 00000000000003b9 RBX: ffff88801f059800 RCX: ffffc90010b2f000
RDX: 0000000000040000 RSI: ffffffff81cb1ebe RDI: 0000000000000006
RBP: 0000000020ffe000 R08: 0000000000000006 R09: 0000000020ffb000
R10: 0000000020ffe000 R11: ffffc90005787ea0 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000020ffb000 R15: ffff88801f059300
FS:  00007f5fc96d96c0(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000050ce80 CR3: 0000000021a76000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 mbind_range+0x29e/0x530 mm/mempolicy.c:834
 __do_sys_set_mempolicy_home_node+0x4e1/0x840 mm/mempolicy.c:1561
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4448cd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5fc96d90c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001c2
RAX: ffffffffffffffda RBX: 000000000057bf80 RCX: 00000000004448cd
RDX: 0000000000000001 RSI: 0000000000004000 RDI: 0000000020ffc000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000057bf8c
R13: ffffffffffffffb8 R14: 000000000057bf80 R15: 00007fffcd5fa760
 </TASK>
yshigeru commented 9 months ago

repro.c.gz

yshigeru commented 9 months ago

Similar report: https://lore.kernel.org/all/BL0PR11MB3106699B27BB7C5FA07198BFE1EEA@BL0PR11MB3106.namprd11.prod.outlook.com/

yshigeru commented 9 months ago

git bisect result:

f4e9e0e69468583c2c6d9d5c7bfc975e292bf188 is the first bad commit
commit f4e9e0e69468583c2c6d9d5c7bfc975e292bf188
Author: Liam R. Howlett <Liam.Howlett@oracle.com>
Date:   Mon Apr 10 11:22:05 2023 -0400

    mm/mempolicy: fix use-after-free of VMA iterator

    set_mempolicy_home_node() iterates over a list of VMAs and calls
    mbind_range() on each VMA, which also iterates over the singular list of
    the VMA passed in and potentially splits the VMA.  Since the VMA iterator
    is not passed through, set_mempolicy_home_node() may now point to a stale
    node in the VMA tree.  This can result in a UAF as reported by syzbot.

    Avoid the stale maple tree node by passing the VMA iterator through to the
    underlying call to split_vma().

    mbind_range() is also overly complicated, since there are two calling
    functions and one already handles iterating over the VMAs.  Simplify
    mbind_range() to only handle merging and splitting of the VMAs.

    Align the new loop in do_mbind() and existing loop in
    set_mempolicy_home_node() to use the reduced mbind_range() function.  This
    allows for a single location of the range calculation and avoids
    constantly looking up the previous VMA (since this is a loop over the
    VMAs).

    Link: https://lore.kernel.org/linux-mm/000000000000c93feb05f87e24ad@google.com/
    Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
    Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
    Reported-by: syzbot+a7c1ec5b1d71ceaa5186@syzkaller.appspotmail.com
      Link: https://lkml.kernel.org/r/20230410152205.2294819-1-Liam.Howlett@oracle.com
    Tested-by: syzbot+a7c1ec5b1d71ceaa5186@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

 mm/mempolicy.c | 104 +++++++++++++++++++++++++++------------------------------
 1 file changed, 49 insertions(+), 55 deletions(-)
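The commit message above describes the shape of the original bug: an outer loop walks the VMA tree with an iterator, calls a helper that splits VMAs through its own iterator, and then continues from a position that may now refer to a freed maple tree node. The following userspace model is an added example written for this issue; it is not kernel code and not the repro attached above. It replaces the maple tree with a growable array (where realloc() plays the role of node reuse), tracks a generation counter so a stale iterator is reported instead of dereferenced, and contrasts the pre-fix pattern (helper builds its own iterator) with the fixed pattern (helper receives and updates the caller's iterator). All names (range_set, range_iter, mbind_range_model, set_home_node_model) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code): address ranges in a growable array.
 * Splitting a range may realloc() the array, so any pointer or position
 * taken before the split is stale afterwards, much as a maple tree node
 * may be freed when a VMA is split. */
struct range { unsigned long start, end; int home_node; };
struct range_set { struct range *v; size_t n; unsigned gen; };

/* Iterator: position plus the generation of the set it was taken from. */
struct range_iter { struct range_set *set; size_t idx; unsigned gen; };

static struct range_set make_set(const struct range *init, size_t n)
{
    struct range_set s = { malloc(n * sizeof *init), n, 0 };
    if (!s.v) s.n = 0; else memcpy(s.v, init, n * sizeof *init);
    return s;
}

static struct range_iter iter_start(struct range_set *set)
{
    struct range_iter it = { set, 0, set->gen };
    return it;
}

/* Usable only if the set has not changed shape since the iterator was
 * taken: the model's stand-in for "does not point at a freed node". */
static int iter_valid(const struct range_iter *it)
{
    return it->gen == it->set->gen && it->idx < it->set->n;
}

/* Split the range at it->idx at address `at`. The iterator stays on the
 * left half and is re-synchronised with the new generation. */
static int split_range(struct range_iter *it, unsigned long at)
{
    struct range_set *set = it->set;
    struct range *grown;
    if (!iter_valid(it)) return -1;
    if (at <= set->v[it->idx].start || at >= set->v[it->idx].end) return 0;
    grown = realloc(set->v, (set->n + 1) * sizeof *grown);
    if (!grown) return -1;
    set->v = grown;
    memmove(&grown[it->idx + 2], &grown[it->idx + 1],
            (set->n - it->idx - 1) * sizeof *grown);
    grown[it->idx + 1] = grown[it->idx];
    grown[it->idx].end = at;
    grown[it->idx + 1].start = at;
    set->n++;
    set->gen++;
    it->gen = set->gen;            /* caller's iterator is kept current */
    return 0;
}

/* Fixed pattern: the helper splits through the caller's iterator and
 * leaves it on the range that was just updated. */
static int mbind_range_model(struct range_iter *it, unsigned long start,
                             unsigned long end, int home_node)
{
    if (split_range(it, start)) return -1;
    if (it->set->v[it->idx].end <= start) it->idx++;   /* step off left piece */
    if (split_range(it, end)) return -1;
    it->set->v[it->idx].home_node = home_node;
    return 0;
}

/* Pre-fix pattern: the helper builds its own iterator, so the caller's
 * iterator is never updated and goes stale after any split. */
static int mbind_range_stale(struct range_set *set, unsigned long start,
                             unsigned long end, int home_node)
{
    struct range_iter local = iter_start(set);
    while (iter_valid(&local) && set->v[local.idx].end <= start) local.idx++;
    return mbind_range_model(&local, start, end, home_node);
}

/* Outer loop in the shape of set_mempolicy_home_node(): assign home_node to
 * every range overlapping [start,end). Returns the number of ranges updated,
 * or -1 when the iterator went stale (where the real code would hit a UAF). */
static int set_home_node_model(struct range_set *set, unsigned long start,
                               unsigned long end, int home_node, int pass_iter)
{
    struct range_iter it = iter_start(set);
    int updated = 0;
    while (iter_valid(&it) && set->v[it.idx].start < end) {
        const struct range *r = &set->v[it.idx];
        if (r->end > start) {
            unsigned long s = r->start > start ? r->start : start;
            unsigned long e = r->end < end ? r->end : end;
            int rc = pass_iter ? mbind_range_model(&it, s, e, home_node)
                               : mbind_range_stale(set, s, e, home_node);
            if (rc) return -1;
            updated++;
        }
        if (!iter_valid(&it)) return -1;   /* stale position: stop, don't deref */
        it.idx++;
    }
    return updated;
}
```

With a single range [0, 0x10000) and a request for [0x2000, 0x4000), the pass-through variant ends with three ranges and the middle one tagged, while the stale variant returns -1 as soon as the outer loop re-checks its iterator after the first split. The generation check is purely a teaching device; the kernel has no such guard, which is why the original report is a use-after-free rather than a clean error.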
yshigeru commented 7 months ago

Gave up.