From: Suren Baghdasaryan
Date: Tue, 15 Feb 2022 11:43:14 -0800
Subject: Re: [syzbot] KASAN: use-after-free Read in __oom_reap_task_mm
To: Michal Hocko
Cc: Yang Shi, syzbot, Andrew Morton, Christian Brauner, Linux Kernel Mailing List, Linux MM, syzkaller-bugs
References: <00000000000072ef2c05d7f81950@google.com>

On Tue, Feb 15, 2022 at 11:36 AM Michal Hocko wrote:
>
> On Tue 15-02-22 10:10:53, Suren Baghdasaryan wrote:
> > On Tue, Feb 15, 2022 at 9:53 AM Yang Shi wrote:
> [...]
> > > Isn't the below race possible?
> > >
> > >     CPU A                       CPU B
> > > exiting:
> > >     mmap_write_lock
> > >     remove_vma()
> > >     mmap_write_unlock
> > >                                 process_mrelease:
> > >                                     mmap_read_lock
> > >                                     __oom_reap_task_mm
> > >                                     mmap_read_unlock
> > >
> > Sure, that sequence (would not call it a race) is possible but in this
> > case __oom_reap_task_mm will find no vmas in the mm because exit_mmap
> > freed and removed all of them.
>
> I didn't really have chance to have a closer look but I do not see
> exit_mmap doing mm->mmap = NULL so the pointer can be a freed vma unless
> I am missing something. I thought we've had it in your patches? Has this
> got lost somewhere in the process?

Doh! Yes, it looks like I completely missed the actual pointer. That
must be it since I don't see any other possibility. Will post a patch
shortly.
Thanks!

> --
> Michal Hocko
> SUSE Labs
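The exit_mmap / __oom_reap_task_mm sequence discussed above, modelled in user space as an added example (not kernel code and not the patch posted in this thread). Freed vmas are poisoned and quarantined instead of released, so the reap walk can report the stale `mm->mmap` pointer deterministically, the way KASAN flags the real access; `clear_head` stands in for the missing `mm->mmap = NULL`.

```c
#include <stdlib.h>

/* Constructed model: an mm whose vma list is torn down by the exit path
 * while mm->mmap may still point at the freed head. */
struct vma { struct vma *next; int freed; };
struct mm  { struct vma *mmap; };

static struct vma *quarantine[8];  /* poisoned vmas, released at the end (nr_vmas <= 8) */
static int nq;

/* Stand-in for freeing: poison the vma so a later dereference is detectable. */
static void vma_free_poisoned(struct vma *v) { v->freed = 1; quarantine[nq++] = v; }

static struct mm *mm_create(int nr)
{
    struct mm *mm = calloc(1, sizeof *mm);
    for (int i = 0; i < nr; i++) {
        struct vma *v = calloc(1, sizeof *v);
        v->next = mm->mmap;
        mm->mmap = v;
    }
    return mm;
}

/* CPU A, exit_mmap: frees every vma. clear_head models the "mm->mmap = NULL"
 * that the thread identifies as missing. */
static void exit_mmap_model(struct mm *mm, int clear_head)
{
    struct vma *v = mm->mmap;
    while (v) { struct vma *n = v->next; vma_free_poisoned(v); v = n; }
    if (clear_head) mm->mmap = NULL;
}

/* CPU B, __oom_reap_task_mm: walks mm->mmap. Returns the number of vmas
 * visited, or -1 if the walk touched a freed vma (the use-after-free). */
static int oom_reap_model(struct mm *mm)
{
    int n = 0;
    for (struct vma *v = mm->mmap; v; v = v->next) {
        if (v->freed) return -1;
        n++;
    }
    return n;
}

/* The ordering from the thread: exit completes first, reap runs afterwards. */
static int reap_after_exit(int nr_vmas, int clear_head)
{
    struct mm *mm = mm_create(nr_vmas);
    exit_mmap_model(mm, clear_head);
    int r = oom_reap_model(mm);
    while (nq) free(quarantine[--nq]);
    free(mm);
    return r;
}
```

With the head left dangling the reap walk lands on a poisoned vma; with it cleared the walk finds no vmas, which is the behaviour the reply above expected.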