Date: Sun, 16 Aug 2020 13:44:25 -0700 (PDT)
From: Hugh Dickins
To: Andrew Morton
cc: Song Liu, "Kirill A. Shutemov", Srikar Dronamraju, Oleg Nesterov, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH] uprobes: __replace_page() avoid BUG in munlock_vma_page()

syzbot crashed on the VM_BUG_ON_PAGE(PageTail) in munlock_vma_page(),
when called from uprobes __replace_page().

Which of many ways to fix it? Settled on not calling when PageCompound
(since Head and Tail are equals in this context, PageCompound the usual
check in uprobes.c, and the prior use of FOLL_SPLIT_PMD will have
cleared PageMlocked already).

Reported-by: syzbot
Fixes: 5a52c9df62b4 ("uprobe: use FOLL_SPLIT_PMD instead of FOLL_SPLIT")
Signed-off-by: Hugh Dickins
Cc: stable@vger.kernel.org # v5.4+
---

This one is not a 5.9-rc regression, but still good to fix.

 kernel/events/uprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- v5.9-rc/kernel/events/uprobes.c	2020-08-12 19:46:50.851196584 -0700
+++ linux/kernel/events/uprobes.c	2020-08-16 13:18:35.292821674 -0700
@@ -205,7 +205,7 @@ static int __replace_page(struct vm_area try_to_free_swap(old_page); page_vma_mapped_walk_done(&pvmw); - if (vma->vm_flags & VM_LOCKED) + if ((vma->vm_flags & VM_LOCKED) && !PageCompound(old_page)) munlock_vma_page(old_page); put_page(old_page);
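Review bot: the new `!PageCompound(old_page)` guard in this hunk rests on an assumption that only the commit message records, namely that a compound old_page cannot still be PageMlocked at this point because the earlier FOLL_SPLIT_PMD lookup already cleared it; nothing in the code says so. A one-line comment above the condition, for example `/* compound pages: FOLL_SPLIT_PMD already cleared PageMlocked */`, would stop a later reader from "simplifying" it back to the bare VM_LOCKED check that syzbot crashed on. If that assumption is meant to hold rather than merely be convenient, a `VM_WARN_ON_ONCE(PageCompound(old_page) && PageMlocked(old_page))` next to the guard would flag a future change to the split path that leaves the flag set, without bringing back the VM_BUG_ON_PAGE(PageTail) in munlock_vma_page().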