lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 9 Aug 2021 23:50:29 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     syzbot <syzbot+c87be4f669d920c76330@...kaller.appspotmail.com>
Cc:     akpm@...ux-foundation.org, bp@...en8.de, frederic@...nel.org,
        hpa@...or.com, jmattson@...gle.com, joro@...tes.org,
        kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, mark.rutland@....com, masahiroy@...nel.org,
        mingo@...hat.com, npiggin@...il.com, pbonzini@...hat.com,
        peterz@...radead.org, rafael.j.wysocki@...el.com,
        rostedt@...dmis.org, seanjc@...gle.com, sedat.dilek@...il.com,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
        vitor@...saru.org, vkuznets@...hat.com, wanpengli@...cent.com,
        will@...nel.org, x86@...nel.org
Subject: Re: [syzbot] kernel BUG in find_lock_entries

On Mon, Aug 09, 2021 at 02:02:22PM -0700, syzbot wrote:
> The issue was bisected to:
> 
> commit 997acaf6b4b59c6a9c259740312a69ea549cc684
> Author: Mark Rutland <mark.rutland@....com>
> Date:   Mon Jan 11 15:37:07 2021 +0000
> 
>     lockdep: report broken irq restoration

That's just a bogus bisection.  The correct bad commit is 5c211ba29deb.

> kernel BUG at mm/filemap.c:2041!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 24786 Comm: syz-executor626 Not tainted 5.14.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:find_lock_entries+0x10d5/0x1110 mm/filemap.c:2041

This patch should fix it.  It's not just removing the warning; this
warning duplicates the warning a few lines down (after taking the
lock).  It's not safe to make this assertion without holding the page
lock as the page can move between the page cache and the swap cache.

#syz test

diff --git a/mm/filemap.c b/mm/filemap.c
index d1458ecf2f51..34de0b14aaa9 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2038,7 +2038,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t start,
 		if (!xa_is_value(page)) {
 			if (page->index < start)
 				goto put;
-			VM_BUG_ON_PAGE(page->index != xas.xa_index, page);
 			if (page->index + thp_nr_pages(page) - 1 > end)
 				goto put;
 			if (!trylock_page(page))

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ