mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-12 03:26:26 +00:00
cb0631fd3c
Syzkaller with KASAN has reported a use-after-free of vma->vm_flags in
__do_page_fault() with the following reproducer:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x0)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000002000-0x18)={0xaa, 0x0, 0x0})
ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000019000)={{&(0x7f0000012000/0x2000)=nil, 0x2000}, 0x1, 0x0})
r1 = gettid()
syz_open_dev$evdev(&(0x7f0000013000-0x12)="2f6465762f696e7075742f6576656e742300", 0x0, 0x0)
tkill(r1, 0x7)
The vma should be pinned by mmap_sem, but handle_userfault() might (in a
return to userspace scenario) release it and then acquire again, so when
we return to __do_page_fault() (with other result than VM_FAULT_RETRY),
the vma might be gone.
Specifically, per Andrea the scenario is
"A return to userland to repeat the page fault later with a
VM_FAULT_NOPAGE retval (potentially after handling any pending signal
during the return to userland). The return to userland is identified
whenever FAULT_FLAG_USER|FAULT_FLAG_KILLABLE are both set in
vmf->flags"
However, since commit
|
||
---|---|---|
.. | ||
kmemcheck | ||
amdtopology.c | ||
debug_pagetables.c | ||
dump_pagetables.c | ||
extable.c | ||
fault.c | ||
highmem_32.c | ||
hugetlbpage.c | ||
ident_map.c | ||
init.c | ||
init_32.c | ||
init_64.c | ||
iomap_32.c | ||
ioremap.c | ||
kasan_init_64.c | ||
kaslr.c | ||
kmmio.c | ||
Makefile | ||
mem_encrypt.c | ||
mem_encrypt_boot.S | ||
mm_internal.h | ||
mmap.c | ||
mmio-mod.c | ||
mpx.c | ||
numa.c | ||
numa_32.c | ||
numa_64.c | ||
numa_emulation.c | ||
numa_internal.h | ||
pageattr-test.c | ||
pageattr.c | ||
pat.c | ||
pat_internal.h | ||
pat_rbtree.c | ||
pf_in.c | ||
pf_in.h | ||
pgtable.c | ||
pgtable_32.c | ||
physaddr.c | ||
physaddr.h | ||
pkeys.c | ||
setup_nx.c | ||
srat.c | ||
testmmiotrace.c | ||
tlb.c |