linux

iv/linux

History

Yang Shi f4fa8d937e mm: madvise: fix vma user-after-free

commit 7867fd7cc44e63c6673cd0f8fea155456d34d0de upstream.

The syzbot reported the below use-after-free:

  BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:293 [inline]
  BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:942 [inline]
  BUG: KASAN: use-after-free in do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145
  Read of size 8 at addr ffff8880a6163eb0 by task syz-executor.0/9996

  CPU: 0 PID: 9996 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x18f/0x20d lib/dump_stack.c:118
    print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
    __kasan_report mm/kasan/report.c:513 [inline]
    kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
    madvise_willneed mm/madvise.c:293 [inline]
    madvise_vma mm/madvise.c:942 [inline]
    do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145
    do_madvise mm/madvise.c:1169 [inline]
    __do_sys_madvise mm/madvise.c:1171 [inline]
    __se_sys_madvise mm/madvise.c:1169 [inline]
    __x64_sys_madvise+0xd9/0x110 mm/madvise.c:1169
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

  Allocated by task 9992:
    kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482
    vm_area_alloc+0x1c/0x110 kernel/fork.c:347
    mmap_region+0x8e5/0x1780 mm/mmap.c:1743
    do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
    vm_mmap_pgoff+0x195/0x200 mm/util.c:506
    ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

  Freed by task 9992:
    kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
    remove_vma+0x132/0x170 mm/mmap.c:184
    remove_vma_list mm/mmap.c:2613 [inline]
    __do_munmap+0x743/0x1170 mm/mmap.c:2869
    do_munmap mm/mmap.c:2877 [inline]
    mmap_region+0x257/0x1780 mm/mmap.c:1716
    do_mmap+0xcf9/0x11d0 mm/mmap.c:1545
    vm_mmap_pgoff+0x195/0x200 mm/util.c:506
    ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596
    do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

It is because vma is accessed after releasing mmap_lock, but someone
else acquired the mmap_lock and the vma is gone.

Releasing mmap_lock after accessing vma should fix the problem.

Fixes: 692fe62433d4c ("mm: Handle MADV_WILLNEED through vfs_fadvise()")
Reported-by: syzbot+b90df26038d1d5d85c97@syzkaller.appspotmail.com
Signed-off-by: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: <stable@vger.kernel.org>	[5.4+]
Link: https://lkml.kernel.org/r/20200816141204.162624-1-shy828301@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2020-09-09 19:12:36 +02:00

kasan

kasan: disable branch tracing for core runtime

2020-05-27 17:46:48 +02:00

backing-dev.c

bdi: add a ->dev_name field to struct backing_dev_info

2020-05-14 07:58:30 +02:00

balloon_compaction.c

mm/balloon_compaction: suppress allocation warnings

2019-09-04 07:42:01 -04:00

cleancache.c

Driver Core and debugfs changes for 5.3-rc1

2019-07-12 12:24:03 -07:00

cma_debug.c

mm/cma_debug.c: fix the break condition in cma_maxchunk_get()

2019-05-14 09:47:45 -07:00

cma.c

cma: don't quit at first error when activating reserved areas

2020-09-03 11:26:51 +02:00

cma.h

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

compaction.c

mm, compaction: make capture control handling safe wrt interrupts

2020-07-09 09:37:57 +02:00

debug_page_ref.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

debug.c

mm/debug.c: always print flags in dump_page()

2020-03-05 16:43:51 +01:00

dmapool.c

mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options

2019-07-12 11:05:46 -07:00

early_ioremap.c

mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep

2017-12-11 14:54:44 +01:00

fadvise.c

fs: Export generic_fadvise()

2019-08-30 22:43:58 -07:00

failslab.c

mm/failslab.c: by default, do not fail allocations with direct reclaim only

2019-07-12 11:05:43 -07:00

filemap.c

mm/filemap.c: don't bother dropping mmap_sem for zero size readahead

2020-08-05 09:59:41 +02:00

frame_vector.c

mm: untag user pointers in get_vaddr_frames

2019-09-25 17:51:41 -07:00

frontswap.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 482

2019-06-19 17:09:52 +02:00

gup_benchmark.c

mm/gup: fix memory leak in __gup_benchmark_ioctl

2020-01-09 10:20:00 +01:00

gup.c

gup: document and work around "COW can break either way" issue

2020-06-17 16:40:30 +02:00

highmem.c

mm: convert totalram_pages and totalhigh_pages variables to atomic

2018-12-28 12:11:47 -08:00

hmm.c

pagewalk: separate function pointers from iterator data

2019-09-07 04:28:04 -03:00

huge_memory.c

mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()

2020-06-22 09:31:14 +02:00

hugetlb_cgroup.c

mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()

2019-11-15 18:34:00 -08:00

hugetlb.c

mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible

2020-08-26 10:41:07 +02:00

hwpoison-inject.c

hwpoison-inject: no need to check return value of debugfs_create functions

2019-06-03 15:39:40 +02:00

init-mm.c

mm/init-mm.c: include <linux/mman.h> for vm_committed_as_batch

2019-10-19 06:32:32 -04:00

internal.h

mm: drop mmap_sem before calling balance_dirty_pages() in write fault

2020-01-09 10:19:55 +01:00

interval_tree.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 248

2019-06-19 17:09:08 +02:00

Kconfig

mm,thp: add read-only THP support for (non-shmem) FS

2019-09-24 15:54:11 -07:00

Kconfig.debug

mm, page_owner, debug_pagealloc: save and dump freeing stack trace

2019-09-24 15:54:08 -07:00

khugepaged.c

khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()

2020-08-26 10:40:48 +02:00

kmemleak-test.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333

2019-06-05 17:37:06 +02:00

kmemleak.c

kmemleak: Do not corrupt the object_list during clean-up

2019-10-14 08:56:16 -07:00

ksm.c

mm/ksm: fix NULL pointer dereference when KSM zero page is enabled

2020-04-29 16:33:15 +02:00

list_lru.c

mm: memcg/slab: stop setting page->mem_cgroup pointer for slab pages

2019-07-12 11:05:44 -07:00

maccess.c

uaccess: Add non-pagefault user-space write function

2020-01-17 19:48:40 +01:00

madvise.c

mm: madvise: fix vma user-after-free

2020-09-09 19:12:36 +02:00

Makefile

mm: silence -Woverride-init/initializer-overrides

2019-09-24 15:54:10 -07:00

memblock.c

mm: memblock: do not enforce current limit for memblock_phys* family

2019-10-19 06:32:32 -04:00

memcontrol.c

mm/memcg: fix refcount error while moving and swapping

2020-07-29 10:18:43 +02:00

memfd.c

mm: page cache: store only head pages in i_pages

2019-09-24 15:54:08 -07:00

memory_hotplug.c

mm/memory_hotplug: fix unpaired mem_hotplug_begin/done

2020-08-21 13:05:27 +02:00

memory-failure.c

mm/memory-failure.c: don't access uninitialized memmaps in memory_failure()

2019-10-19 06:32:31 -04:00

memory.c

mm: drop mmap_sem before calling balance_dirty_pages() in write fault

2020-01-09 10:19:55 +01:00

mempolicy.c

mm: mempolicy: require at least one nodeid for MPOL_PREFERRED

2020-04-08 09:08:47 +02:00

mempool.c

docs/core-api/mm: fix return value descriptions in mm/

2019-03-05 21:07:20 -08:00

memremap.c

mm/memory_hotplug: shrink zones when offlining memory

2020-01-09 10:19:56 +01:00

memtest.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

migrate.c

mm: move_pages: report the number of non-attempted pages

2020-02-11 04:35:13 -08:00

mincore.c

mm: untag user pointers passed to memory syscalls

2019-09-25 17:51:41 -07:00

mlock.c

mm: untag user pointers passed to memory syscalls

2019-09-25 17:51:41 -07:00

mm_init.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

mmap.c

mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls

2020-08-19 08:16:02 +02:00

mmu_context.c

mm: fix kthread_use_mm() vs TLB invalidate

2020-09-03 11:26:51 +02:00

mmu_gather.c

mm/mmu_gather: invalidate TLB correctly on batch allocation failure and flush

2020-02-11 04:35:42 -08:00

mmu_notifier.c

mm/mmu_notifiers: use the right return code for WARN_ON

2019-11-06 08:47:50 -08:00

mmzone.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

mprotect.c

mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa

2020-03-12 13:00:19 +01:00

mremap.c

mm: Fix mremap not considering huge pmd devmap

2020-06-07 13:18:46 +02:00

msync.c

mm: untag user pointers passed to memory syscalls

2019-09-25 17:51:41 -07:00

nommu.c

x86/mm: split vmalloc_sync_all()

2020-03-25 08:25:58 +01:00

oom_kill.c

mm/oom: fix pgtables units mismatch in Killed process message

2020-01-09 10:19:57 +01:00

page_alloc.c

mm, page_alloc: fix core hung in free_pcppages_bulk()

2020-08-26 10:40:51 +02:00

page_counter.c

mm/page_counter.c: fix protection usage propagation

2020-08-21 13:05:27 +02:00

page_ext.c

mm, page_owner: fix off-by-one error in __set_page_owner_handle()

2019-10-14 15:04:00 -07:00

page_idle.c

mm/page_idle.c: fix oops because end_pfn is larger than max_pfn

2019-06-29 16:43:45 +08:00

page_io.c

mm/page_io.c: do not free shared swap slots

2019-11-15 18:34:00 -08:00

page_isolation.c

mm/page_isolation.c: change the prototype of undo_isolate_page_range()

2019-07-12 11:05:43 -07:00

page_owner.c

mm/page_owner: don't access uninitialized memmaps when reading /proc/pagetypeinfo

2019-10-19 06:32:31 -04:00

page_poison.c

mm/page_poison.c: fix a typo in a comment

2019-09-24 15:54:08 -07:00

page_vma_mapped.c

mm: introduce page_size()

2019-09-24 15:54:08 -07:00

page-writeback.c

mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()

2020-01-23 08:22:41 +01:00

pagewalk.c

pagewalk: use lockdep_assert_held for locking validation

2019-09-07 04:28:04 -03:00

percpu-internal.h

percpu: convert chunk hints to be based on pcpu_block_md

2019-03-13 12:25:31 -07:00

percpu-km.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428

2019-06-05 17:37:16 +02:00

percpu-stats.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428

2019-06-05 17:37:16 +02:00

percpu-vm.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428

2019-06-05 17:37:16 +02:00

percpu.c

percpu: Use struct_size() helper

2019-09-04 13:40:49 -07:00

pgtable-generic.c

x86/mm: Page size aware flush_tlb_mm_range()

2018-10-09 16:51:11 +02:00

process_vm_access.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152

2019-05-30 11:26:32 -07:00

readahead.c

treewide: Add SPDX license identifier for missed files

2019-05-21 10:50:45 +02:00

rmap.c

mm: include <linux/huge_mm.h> for is_vma_temporary_stack

2019-10-19 06:32:32 -04:00

rodata_test.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

2019-06-05 17:37:17 +02:00

shmem.c

shmem: fix possible deadlocks on shmlock_user_lock

2020-05-20 08:20:03 +02:00

shuffle.c

mm/shuffle: don't move pages between zones and don't read garbage memmaps

2020-09-03 11:26:51 +02:00

shuffle.h

mm: maintain randomization of page free lists

2019-05-14 19:52:48 -07:00

slab_common.c

mm: memcg/slab: fix memory leak at non-root kmem_cache destroy

2020-07-29 10:18:44 +02:00

slab.c

mm, debug_pagealloc: don't rely on static keys too early

2020-01-23 08:22:40 +01:00

slab.h

mm: slab: make page_cgroup_ino() to recognize non-compound slab pages properly

2019-11-06 08:47:50 -08:00

slob.c

mm, sl[aou]b: guarantee natural alignment for kmalloc(power-of-two)

2019-10-07 15:47:20 -07:00

slub.c

mm: slub: fix conversion of freelist_corrupted()

2020-09-09 19:12:36 +02:00

sparse-vmemmap.c

mm/sparsemem: convert kmalloc_section_memmap() to populate_section_memmap()

2019-07-18 17:08:07 -07:00

sparse.c

mm/sparse: fix kernel crash with pfn_section_valid check

2020-04-01 11:02:03 +02:00

swap_cgroup.c

License cleanup: add SPDX GPL-2.0 license identifier to files with no license

2017-11-02 11:10:55 +01:00

swap_slots.c

mm, swap, get_swap_pages: use entry_size instead of cluster in parameter

2018-08-22 10:52:44 -07:00

swap_state.c

mm: fix swap cache node allocation mask

2020-07-09 09:37:49 +02:00

swap.c

mm: introduce MADV_COLD

2019-09-25 17:51:41 -07:00

swapfile.c

mm/swapfile.c: move inode_lock out of claim_swapfile

2020-04-01 11:02:02 +02:00

truncate.c

mm/thp: allow dropping THP from page cache

2019-10-19 06:32:33 -04:00

usercopy.c

usercopy: Avoid HIGHMEM pfn warning

2019-09-17 15:20:17 -07:00

userfaultfd.c

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499

2019-06-19 17:09:53 +02:00

util.c

mm: add kvfree_sensitive() for freeing sensitive data objects

2020-06-17 16:40:23 +02:00

vmacache.c

mm: get rid of vmacache_flush_all() entirely

2018-09-13 15:18:04 -10:00

vmalloc.c

mm/vunmap: add cond_resched() in vunmap_pmd_range

2020-09-03 11:26:52 +02:00

vmpressure.c

mm/vmpressure.c: fix a signedness bug in vmpressure_register_event()

2019-10-07 15:47:19 -07:00

vmscan.c

mm/vmscan.c: don't round up scan size for online memory cgroup

2020-02-28 17:22:20 +01:00

vmstat.c

mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo

2019-11-06 08:47:50 -08:00

workingset.c

mm: workingset: fix vmstat counters for shadow nodes

2019-08-13 16:06:52 -07:00

z3fold.c

mm/z3fold.c: claim page in the beginning of free

2019-10-07 15:47:19 -07:00

zbud.c

treewide: Add SPDX license identifier for more missed files

2019-05-21 10:50:45 +02:00

zpool.c

zpool: add malloc_support_movable to zpool_driver

2019-09-24 15:54:12 -07:00

zsmalloc.c

mm/zsmalloc.c: fix the migrated zspage statistics.

2020-01-09 10:19:56 +01:00

zswap.c

zswap: do not map same object twice

2019-09-24 15:54:12 -07:00