From: Andrew Morton <akpm@linux-foundation.org>
To: linmiaohe <linmiaohe@huawei.com>
Cc: "linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
Date: Thu, 8 Oct 2020 21:23:04 -0700	[thread overview]
Message-ID: <20201008212304.e631c002648525a5ce54a102@linux-foundation.org> (raw)
In-Reply-To: <8d3d451883a44f608173fe651b7e6718@huawei.com>

On Thu, 8 Oct 2020 07:17:18 +0000 linmiaohe <linmiaohe@huawei.com> wrote:

> Andrew Morton <akpm@linux-foundation.org> wrote:
> > On Wed, 16 Sep 2020 05:07:33 -0400 Miaohe Lin <linmiaohe@huawei.com> wrote:
> >
> >> The syzbot reported the below general protection fault:
> >> 
> >> general protection fault, probably for non-canonical address 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
> >> KASAN: maybe wild-memory-access in range [0x00777770000001d8-0x00777770000001df]
> >> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
> >> Trace:
> >>  free_pgtables+0x1b3/0x2f0 mm/memory.c:415
> >>  exit_mmap+0x2c0/0x530 mm/mmap.c:3184
> >>  __mmput+0x122/0x470 kernel/fork.c:1076
> >> 
> >> It's because the ->mmap() callback can change vma->vm_file and fput
> >> the original file. But the commit d70cec898324 ("mm: mmap: merge vma
> >> after call_mmap() if possible") failed to catch this case and always
> >> fput() the original file, hence add an extra fput().
> >> 
>
> ...
>
> >
> >is this using the correct file?  I think it is, but please do check.
> >
> 
> Many thanks for your reply.
> 
> Yes, I think so too. We do deny_write_access and mapping_map_writable on @file, so we should undo all of this on @file.
> Since @file is unchanged over the second vma_merge() time, we're using the correct @file to undo our temporary denial count.
> 
> But how should I check this explicitly? I can't find out a way to do this. Could you please figure it out for me?

I meant "please check (review) the code as it now is", not "please add
a check" ;)
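
The reference-counting hazard the quoted commit message describes, written out as an added example (not code from this thread or from the kernel tree): a toy model in C of mmap_region()'s "retry vma_merge() after call_mmap()" path, driven by a hypothetical driver ->mmap() that swaps vma->vm_file the way the commit message says some callbacks do. The struct layouts, swapping_mmap(), mmap_region_model() and scenario_is_balanced() are constructed for this illustration; the "fixed" branch drops the reference the vma actually holds (vma->vm_file) rather than the pointer mmap_region() started with, which is my reading of the commit message since the actual diff is not on this page. The model also keeps the write-denial undo on @file, which is the point made in the reply above: call_mmap() can replace vma->vm_file but cannot change @file.

```c
#include <stdio.h>

/*
 * Toy model of the reference counting and write-denial accounting around
 * mmap_region()'s post-call_mmap() merge path. Everything here is
 * constructed for the example; names mirror the kernel's but none of this
 * is kernel code.
 */
struct file {
	const char *name;
	int f_count;		/* references held (kernel: f_count) */
	int i_writecount;	/* negative while writes are denied */
	int freed;		/* set on last drop, or on over-release */
};

struct vm_area_struct {
	struct file *vm_file;
	unsigned long vm_flags;
};

#define VM_SHARED	0x08UL
#define VM_DONTDUMP	0x04000000UL

static struct file *get_file(struct file *f)
{
	f->f_count++;
	return f;
}

static void fput(struct file *f)
{
	if (f->f_count <= 0) {
		/* Over-release: this reference was already gone. In the real
		 * kernel this is the use-after-free behind the reported GPF. */
		f->freed = 1;
		f->f_count--;
		return;
	}
	if (--f->f_count == 0)
		f->freed = 1;
}

static void deny_write_access(struct file *f)  { f->i_writecount--; }
static void allow_write_access(struct file *f) { f->i_writecount++; }

/*
 * Hypothetical driver ->mmap() of the kind the commit message warns about:
 * it drops the vma's reference on the file it was called with, points
 * vm_file at a private backing file, and changes vm_flags so that
 * mmap_region() retries the merge afterwards.
 */
static int swapping_mmap(struct vm_area_struct *vma, struct file *backing)
{
	fput(vma->vm_file);
	vma->vm_file = get_file(backing);
	vma->vm_flags |= VM_DONTDUMP;
	return 0;
}

/* Files shared by the scenario below: the fd userspace holds, and the
 * backing file the driver holds. */
static struct file orig, backing;

/*
 * Model of mmap_region() on the path where the retried vma_merge()
 * succeeds and the freshly built vma is discarded. fix_applied == 0 drops
 * 'file', the pointer mmap_region() started with; fix_applied == 1 drops
 * vma->vm_file, the reference the vma really holds.
 */
static void mmap_region_model(struct file *file, int fix_applied)
{
	struct vm_area_struct vma = { .vm_file = NULL, .vm_flags = VM_SHARED };
	unsigned long vm_flags = vma.vm_flags;

	deny_write_access(file);		/* temporary denial is on @file */

	vma.vm_file = get_file(file);
	swapping_mmap(&vma, &backing);		/* call_mmap(file, vma) */

	if (vm_flags != vma.vm_flags) {		/* merge retried and succeeded */
		if (fix_applied)
			fput(vma.vm_file);
		else
			fput(file);
		vma.vm_file = NULL;		/* vm_area_free(vma) */
	}

	allow_write_access(file);		/* undo on @file, which call_mmap() cannot change */
}

/* Returns 1 if both files end with the f_count they started with (1 each),
 * nothing was freed, and the write denial on @file is undone. */
static int scenario_is_balanced(int fix_applied)
{
	orig = (struct file){ .name = "orig", .f_count = 1 };
	backing = (struct file){ .name = "backing", .f_count = 1 };
	mmap_region_model(&orig, fix_applied);
	return orig.f_count == 1 && !orig.freed &&
	       backing.f_count == 1 && !backing.freed &&
	       orig.i_writecount == 0;
}

int main(void)
{
	int fix;

	for (fix = 0; fix <= 1; fix++) {
		int ok = scenario_is_balanced(fix);
		printf("%s: %s (orig f_count=%d freed=%d, backing f_count=%d)\n",
		       fix ? "fixed" : "buggy", ok ? "balanced" : "UNBALANCED",
		       orig.f_count, orig.freed, backing.f_count);
	}
	return 0;
}
```

In the buggy run the original file's count reaches zero while userspace still holds the fd (the next fput on close is a use-after-free) and the backing file keeps an extra reference, so it leaks. In the fixed run both counts return to 1 and the write-denial counter on @file returns to 0, illustrating why the reference to drop and the file to undo the denial on are two different questions.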


Thread overview: 6+ messages
2020-10-08  7:17 [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma() linmiaohe
2020-10-09  4:23 ` Andrew Morton [this message]
2020-10-09  6:39 linmiaohe
2020-10-07  2:51 linmiaohe
2020-09-16  9:07 Miaohe Lin
2020-10-07 19:04 ` Andrew Morton
