| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b3aec4d4-737d-255a-d25e-451222fc9bb9@redhat.com>
Date: Wed, 4 Jan 2023 10:04:04 +0100
From: David Hildenbrand <david@...hat.com>
To: Suren Baghdasaryan <surenb@...gle.com>
Cc: akpm@...ux-foundation.org, hughd@...gle.com, hannes@...xchg.org,
vincent.whitchurch@...s.com, seanjc@...gle.com, rppt@...nel.org,
shy828301@...il.com, pasha.tatashin@...een.com,
paul.gortmaker@...driver.com, peterx@...hat.com, vbabka@...e.cz,
Liam.Howlett@...cle.com, ccross@...gle.com, willy@...radead.org,
arnd@...db.de, cgel.zte@...il.com, yuzhao@...gle.com,
bagasdotme@...il.com, suleiman@...gle.com, steven@...uorix.net,
heftig@...hlinux.org, cuigaosheng1@...wei.com,
kirill@...temov.name, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
syzbot+91edf9178386a07d06a7@...kaller.appspotmail.com
Subject: Re: [PATCH 1/1] mm: fix vma->anon_name memory leak for anonymous
shmem VMAs
On 03.01.23 20:53, Suren Baghdasaryan wrote:
> On Mon, Jan 2, 2023 at 4:00 AM David Hildenbrand <david@...hat.com> wrote:
>>
>> On 28.12.22 20:42, Suren Baghdasaryan wrote:
>>> free_anon_vma_name() is missing a check for anonymous shmem VMA which
>>> leads to a memory leak due to refcount not being dropped. Fix this by
>>> adding the missing check.
>>>
>>> Fixes: d09e8ca6cb93 ("mm: anonymous shared memory naming")
>>> Reported-by: syzbot+91edf9178386a07d06a7@...kaller.appspotmail.com
>>> Signed-off-by: Suren Baghdasaryan <surenb@...gle.com>
>>> ---
>>> include/linux/mm_inline.h | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h
>>> index e8ed225d8f7c..d650ca2c5d29 100644
>>> --- a/include/linux/mm_inline.h
>>> +++ b/include/linux/mm_inline.h
>>> @@ -413,7 +413,7 @@ static inline void free_anon_vma_name(struct vm_area_struct *vma)
>>> * Not using anon_vma_name because it generates a warning if mmap_lock
>>> * is not held, which might be the case here.
>>> */
>>> - if (!vma->vm_file)
>>> + if (!vma->vm_file || vma_is_anon_shmem(vma))
>>> anon_vma_name_put(vma->anon_name);
>>
>> Wouldn't it be me more consistent to check for "vma->anon_name"?
>>
>> That's what dup_anon_vma_name() checks. And it's safe now because
>> anon_name is no longer overloaded in vm_area_struct.
>
> Thanks for the suggestion, David. Yes, with the recent change that
> does not overload anon_name, checking for "vma->anon_name" would be
> simpler. I think we can also drop anon_vma_name() function now
> (https://elixir.bootlin.com/linux/v6.2-rc2/source/mm/madvise.c#L94)
> since vma->anon_name does not depend on vma->vm_file anymore, remove
> the last part of this comment:
> https://elixir.bootlin.com/linux/v6.2-rc2/source/include/linux/mm_types.h#L584
> and use vma->anon_name directly going forward. If all that sounds
> good, I'll post a separate patch implementing all these changes.
> So, for this patch I would suggest keeping it as is because
> functionally it is correct and will change this check along with other
> corrections I mentioned above in a separate patch. Does that sound
> good?
Works for me.
Acked-by: David Hildenbrand <david@...hat.com>
for this one, as it fixes the issue.
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists