iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Kirill A. Shutemov bfd40eaff5 mm: fix vma_is_anonymous() false-positives 
vma_is_anonymous() relies on ->vm_ops being NULL to detect anonymous
VMA.  This is unreliable as ->mmap may not set ->vm_ops.

False-positive vma_is_anonymous() may lead to crashes:

	next ffff8801ce5e7040 prev ffff8801d20eca50 mm ffff88019c1e13c0
	prot 27 anon_vma ffff88019680cdd8 vm_ops 0000000000000000
	pgoff 0 file ffff8801b2ec2d00 private_data 0000000000000000
	flags: 0xff(read|write|exec|shared|mayread|maywrite|mayexec|mayshare)
	------------[ cut here ]------------
	kernel BUG at mm/memory.c:1422!
	invalid opcode: 0000 [#1] SMP KASAN
	CPU: 0 PID: 18486 Comm: syz-executor3 Not tainted 4.18.0-rc3+ #136
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
	01/01/2011
	RIP: 0010:zap_pmd_range mm/memory.c:1421 [inline]
	RIP: 0010:zap_pud_range mm/memory.c:1466 [inline]
	RIP: 0010:zap_p4d_range mm/memory.c:1487 [inline]
	RIP: 0010:unmap_page_range+0x1c18/0x2220 mm/memory.c:1508
	Call Trace:
	 unmap_single_vma+0x1a0/0x310 mm/memory.c:1553
	 zap_page_range_single+0x3cc/0x580 mm/memory.c:1644
	 unmap_mapping_range_vma mm/memory.c:2792 [inline]
	 unmap_mapping_range_tree mm/memory.c:2813 [inline]
	 unmap_mapping_pages+0x3a7/0x5b0 mm/memory.c:2845
	 unmap_mapping_range+0x48/0x60 mm/memory.c:2880
	 truncate_pagecache+0x54/0x90 mm/truncate.c:800
	 truncate_setsize+0x70/0xb0 mm/truncate.c:826
	 simple_setattr+0xe9/0x110 fs/libfs.c:409
	 notify_change+0xf13/0x10f0 fs/attr.c:335
	 do_truncate+0x1ac/0x2b0 fs/open.c:63
	 do_sys_ftruncate+0x492/0x560 fs/open.c:205
	 __do_sys_ftruncate fs/open.c:215 [inline]
	 __se_sys_ftruncate fs/open.c:213 [inline]
	 __x64_sys_ftruncate+0x59/0x80 fs/open.c:213
	 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
	 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reproducer:

	#include <stdio.h>
	#include <stddef.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <sys/ioctl.h>
	#include <sys/mman.h>
	#include <unistd.h>
	#include <fcntl.h>

	#define KCOV_INIT_TRACE			_IOR('c', 1, unsigned long)
	#define KCOV_ENABLE			_IO('c', 100)
	#define KCOV_DISABLE			_IO('c', 101)
	#define COVER_SIZE			(1024<<10)

	#define KCOV_TRACE_PC  0
	#define KCOV_TRACE_CMP 1

	int main(int argc, char **argv)
	{
		int fd;
		unsigned long *cover;

		system("mount -t debugfs none /sys/kernel/debug");
		fd = open("/sys/kernel/debug/kcov", O_RDWR);
		ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE);
		cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
				PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
		munmap(cover, COVER_SIZE * sizeof(unsigned long));
		cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
				PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
		memset(cover, 0, COVER_SIZE * sizeof(unsigned long));
		ftruncate(fd, 3UL << 20);
		return 0;
	}

This can be fixed by assigning anonymous VMAs own vm_ops and not relying
on it being NULL.

If ->mmap() failed to set ->vm_ops, mmap_region() will set it to
dummy_vm_ops.  This way we will have non-NULL ->vm_ops for all VMAs.

Link: http://lkml.kernel.org/r/20180724121139.62570-4-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: syzbot+3f84280d52be9b7083cc@syzkaller.appspotmail.com
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-07-26 19:38:03 -07:00
..
9p
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
adfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
affs
affs: fix potential memory leak when parsing option 'prefix'
2018-05-28 12:36:41 +02:00
afs
Merge branch 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:32:04 +09:00
autofs
autofs: fix slab out of bounds read in getname_kernel()
2018-07-14 11:11:09 -07:00
befs
fix a series of Documentation/ broken file name references
2018-06-15 18:10:01 -03:00
bfs
bfs_add_entry: pass name/len as qstr pointer
2018-05-22 14:27:50 -04:00
btrfs
for-4.18-rc5-tag
2018-07-21 16:42:03 -07:00
cachefiles
cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
2018-07-25 14:49:00 +01:00
ceph
ceph: fix dentry leak in splice_dentry()
2018-06-26 18:42:44 +02:00
cifs
cifs: Fix stack out-of-bounds in smb{2,3}_create_lease_buf()
2018-07-05 13:48:25 -05:00
coda
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
configfs
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
cramfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
crypto
f2fs-for-4.18-rc1
2018-06-11 10:16:13 -07:00
debugfs
Revert "debugfs: inode: debugfs_create_dir uses mode permission from parent"
2018-06-12 20:52:16 -07:00
devpts
devpts: comment devpts_mntget()
2018-03-14 13:31:23 +01:00
dlm
treewide: Use array_size() in vmalloc()
2018-06-12 16:19:22 -07:00
ecryptfs
Merge branch 'fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into aio-base
2018-05-26 09:16:25 +02:00
efivarfs
efs
exofs
exofs: avoid VLA in structures
2018-06-15 07:55:24 +09:00
exportfs
ovl: do not try to reconnect a disconnected origin dentry
2018-04-12 12:04:49 +02:00
ext2
ext2: add warning when specifying nocheck option
2018-06-20 11:04:26 +02:00
ext4
Bug fixes for ext4; most of which relate to vulnerabilities where a
2018-07-08 11:10:30 -07:00
f2fs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
fat
fat: fix memory allocation failure handling of match_strdup()
2018-07-21 12:50:46 -07:00
freevxfs
freevxfs_lookup(): use d_splice_alias()
2018-05-22 14:27:51 -04:00
fscache
fscache: Fix reference overput in fscache_attach_object() error handling
2018-07-25 14:49:00 +01:00
fuse
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
gfs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hfsplus
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
hostfs
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
hpfs
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
hugetlbfs
mm: use vma_init() to initialize VMAs on stack and data segments
2018-07-26 19:38:03 -07:00
isofs
isofs: fix potential memory leak in mount option parsing
2018-04-16 09:47:41 +02:00
jbd2
Bug fixes for ext4; most of which relate to vulnerabilities where a
2018-07-08 11:10:30 -07:00
jffs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
jfs
This fixes a too-small allocation in the xattr code.
2018-06-19 07:47:32 +09:00
kernfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
lockd
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
minix
minix_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
nfs
NFS client bugfixes for Linux 4.18
2018-06-22 06:21:34 +09:00
nfs_common
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
nfsd
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
nilfs2
do d_instantiate/unlock_new_inode combinations safely
2018-05-11 15:36:37 -04:00
nls
notify
fsnotify: add fsnotify_add_inode_mark() wrappers
2018-05-18 14:58:22 +02:00
ntfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
ocfs2
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
omfs
omfs_lookup(): report IO errors, use d_splice_alias()
2018-05-22 14:27:58 -04:00
openpromfs
openpromfs: switch to d_splice_alias()
2018-05-22 14:27:57 -04:00
orangefs
Solve a series of broken links for files under Documentation:
2018-06-17 05:25:18 +09:00
overlayfs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
proc
fs/proc/task_mmu.c: fix Locked field in /proc/pid/smaps*
2018-07-14 11:11:09 -07:00
pstore
pstore: Remove bogus format string definition
2018-06-14 14:57:24 +02:00
qnx4
qnx4_lookup: use d_splice_alias()
2018-05-22 14:27:52 -04:00
qnx6
qnx6_lookup: switch to d_splice_alias()
2018-05-22 14:27:54 -04:00
quota
quota: Cleanup list iteration in dqcache_shrink_scan()
2018-06-20 11:04:26 +02:00
ramfs
reiserfs
reiserfs: fix buffer overflow with long warning messages
2018-07-14 11:11:10 -07:00
romfs
romfs_lookup: switch to d_splice_alias()
2018-05-22 14:27:55 -04:00
squashfs
sysfs
unfuck sysfs_mount()
2018-05-21 14:30:09 -04:00
sysv
sysv_lookup: use d_splice_alias()
2018-05-22 14:27:53 -04:00
tracefs
ubifs
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
udf
udf: Drop unused arguments of udf_delete_aext()
2018-06-20 11:05:49 +02:00
ufs
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
xfs
xfs: fix fdblocks accounting w/ RMAPBT per-AG reservation
2018-06-24 12:00:12 -07:00
aio.c
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-07-22 12:04:51 -07:00
anon_inodes.c
attr.c
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
bad_inode.c
vfs: change inode times to use struct timespec64
2018-06-05 16:57:31 -07:00
binfmt_aout.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_elf_fdpic.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
binfmt_elf.c
fs, elf: make sure to page align bss in load_elf_library
2018-07-14 11:11:10 -07:00
binfmt_em86.c
binfmt_flat.c
exec: introduce finalize_exec() before start_thread()
2018-04-11 10:28:37 -07:00
binfmt_misc.c
docs: Fix more broken references
2018-06-15 18:11:26 -03:00
binfmt_script.c
block_dev.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
buffer.c
fs: move page_cache_seek_hole_data to iomap.c
2018-06-01 18:37:33 -07:00
char_dev.c
block, char_dev: Use correct format specifier for unsigned ints
2018-03-15 17:59:24 +01:00
compat_binfmt_elf.c
compat_ioctl.c
autofs: clean up includes
2018-06-07 17:34:40 -07:00
compat.c
ncpfs: remove compat functionality
2018-06-05 19:23:26 +02:00
coredump.c
d_path.c
split d_path() and friends into a separate file
2018-03-29 15:07:46 -04:00
dax.c
libnvdimm for 4.18
2018-06-08 17:21:52 -07:00
dcache.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-04 10:14:28 -07:00
dcookies.c
fs: add do_lookup_dcookie() helper; remove in-kernel call to syscall
2018-04-02 20:15:39 +02:00
direct-io.c
block: consistently use GFP_NOIO instead of __GFP_NORECLAIM
2018-05-14 08:55:18 -06:00
drop_caches.c
eventfd.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
eventpoll.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
exec.c
mm: fix vma_is_anonymous() false-positives
2018-07-26 19:38:03 -07:00
fcntl.c
mm: restructure memfd code
2018-06-07 17:34:35 -07:00
fhandle.c
file_table.c
file.c
fs: add ksys_close() wrapper; remove in-kernel calls to sys_close()
2018-04-02 20:16:00 +02:00
filesystems.c
proc: introduce proc_create_single{,_data}
2018-05-16 07:23:35 +02:00
fs_pin.c
fs_struct.c
fs-writeback.c
bdi: Fix oops in wb_workfn()
2018-05-03 16:11:37 -06:00
inode.c
Fix up non-directory creation in SGID directories
2018-07-05 12:36:36 -07:00
internal.h
drm_mode_create_lease_ioctl(): fix open-coded filp_clone_open()
2018-07-10 23:29:03 -04:00
ioctl.c
fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems
2018-05-24 12:04:28 -05:00
iomap.c
Changes since last update:
2018-06-12 15:49:00 -07:00
Kconfig
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
Kconfig.binfmt
docs: Fix more broken references
2018-06-15 18:11:26 -03:00
libfs.c
fs, dax: prepare for dax-specific address_space_operations
2018-03-30 11:34:55 -07:00
locks.c
vfs/y2038: inode timestamps conversion to timespec64
2018-06-15 07:31:07 +09:00
Makefile
autofs: remove left-over autofs4 stubs
2018-06-11 08:22:34 -07:00
mbcache.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
mount.h
mpage.c
namei.c
Merge branch 'afs-proc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:32:04 +09:00
namespace.c
fs: Allow superblock owner to access do_remount_sb()
2018-05-24 12:02:25 -05:00
no-block.c
nsfs.c
open.c
Revert "fs: fold open_check_o_direct into do_dentry_open"
2018-06-03 10:58:23 -07:00
pipe.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
treewide: kmalloc() -> kmalloc_array()
2018-06-12 16:19:22 -07:00
readdir.c
fs: add ksys_getdents64() helper; remove in-kernel calls to sys_getdents64()
2018-04-02 20:16:02 +02:00
select.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
seq_file.c
proc: fix smaps and meminfo alignment
2018-05-25 18:12:11 -07:00
signalfd.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
splice.c
Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-16 16:21:50 +09:00
stack.c
stat.c
fs: add do_readlinkat() helper; remove internal call to sys_readlinkat()
2018-04-02 20:15:34 +02:00
statfs.c
super.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-06-04 10:14:28 -07:00
sync.c
Changes for this release:
2018-04-04 12:44:02 -07:00
timerfd.c
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
2018-06-28 10:40:47 -07:00
userfaultfd.c
userfaultfd: hugetlbfs: fix userfaultfd_huge_must_wait() pte access
2018-07-03 17:32:18 -07:00
utimes.c
fs: add do_compat_futimesat() helper; remove in-kernel call to compat syscall
2018-04-02 20:15:44 +02:00
xattr.c
vfs: delete unnecessary assignment in vfs_listxattr
2018-05-29 13:22:41 -04:00