lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 1 Feb 2021 12:52:29 +0000
From:   Matthew Wilcox <willy@...radead.org>
To:     syzbot <syzbot+97ef6376738cb5104a71@...kaller.appspotmail.com>
Cc:     akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, syzkaller-bugs@...glegroups.com,
        kent.overstreet@...il.com, hch@....de
Subject: Re: BUG: Bad page state (8)

On Mon, Feb 01, 2021 at 02:07:22AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:

Thank you, syzbot.  This is legit.  But annoying.

> BUG: Bad page state in process syz-executor.4  pfn:369c1
> page:0000000025f15602 refcount:0 mapcount:0 mapping:0000000000000000 index:0x3d pfn:0x369c1
> flags: 0xfff00000020005(locked|uptodate|mappedtodisk)
> raw: 00fff00000020005 dead000000000100 dead000000000122 0000000000000000
> raw: 000000000000003d 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set

Having the uptodate and mappedtodisk flags set is fine.  It's the 'locked'
flag which is triggering the bug.  Here's the code in question:

truncated:
        error = AOP_TRUNCATED_PAGE;
        put_page(page);
unlock:
        unlock_page(page);

So we're going to unlock the page!  But we actually have to unlock it first,
before the refcount goes to zero.  Does anyone see a better way than this?

(Andrew, this is a fix to "mm/filemap: add filemap_range_uptodate")

diff --git a/mm/filemap.c b/mm/filemap.c
index bc4c9ac0ef4a..a945102b55c2 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2322,8 +2322,9 @@ static int filemap_update_page(struct kiocb *iocb,
 		put_page(page);
 	return error;
 truncated:
-	error = AOP_TRUNCATED_PAGE;
+	unlock_page(page);
 	put_page(page);
+	return AOP_TRUNCATED_PAGE;
 unlock:
 	unlock_page(page);
 	return error;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ