| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231023175519.4jtszivgfidn6p6j@revolver>
Date: Mon, 23 Oct 2023 13:55:19 -0400
From: "Liam R. Howlett" <Liam.Howlett@...cle.com>
To: Hugh Dickins <hughd@...gle.com>
Cc: akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, postmaster@...gon.onmicrosoft.com,
syzkaller-bugs@...glegroups.com,
syzbot <syzbot+79fcba037b6df73756d3@...kaller.appspotmail.com>
Subject: Re: [syzbot] [mm?] WARNING: suspicious RCU usage in mas_walk (3)
* syzbot <syzbot+79fcba037b6df73756d3@...kaller.appspotmail.com> [231023 13:24]:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: e8361b005d7c Add linux-next specific files for 20231023
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1207cb05680000
> kernel config: https://syzkaller.appspot.com/x/.config?x=75e8fc3570ec9a74
> dashboard link: https://syzkaller.appspot.com/bug?extid=79fcba037b6df73756d3
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107fab89680000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/e28a7944599e/disk-e8361b00.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/7dd355dbe055/vmlinux-e8361b00.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7b2a9050635d/bzImage-e8361b00.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+79fcba037b6df73756d3@...kaller.appspotmail.com
>
> =============================
> WARNING: suspicious RCU usage
> 6.6.0-rc6-next-20231023-syzkaller #0 Not tainted
> -----------------------------
> lib/maple_tree.c:856 suspicious rcu_dereference_check() usage!
>
> other info that might help us debug this:
>
>
> rcu_scheduler_active = 2, debug_locks = 1
> no locks held by syz-executor.4/5222.
>
> stack backtrace:
> CPU: 0 PID: 5222 Comm: syz-executor.4 Not tainted 6.6.0-rc6-next-20231023-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
> lockdep_rcu_suspicious+0x20b/0x3a0 kernel/locking/lockdep.c:6711
> mas_root lib/maple_tree.c:856 [inline]
> mas_root lib/maple_tree.c:854 [inline]
> mas_start lib/maple_tree.c:1385 [inline]
> mas_state_walk lib/maple_tree.c:3705 [inline]
> mas_walk+0x4d1/0x7d0 lib/maple_tree.c:4888
> mas_find_setup lib/maple_tree.c:5948 [inline]
> mas_find+0x1e6/0x400 lib/maple_tree.c:5989
> vma_find include/linux/mm.h:952 [inline]
> do_mbind+0xc8f/0x1010 mm/mempolicy.c:1328
Hugh,
41de65c4cd27 ("mempolicy: mmap_lock is not needed while migrating
folios") changes the do_mbind() code locking here to drop the mmap write
lock on line 1300 in e8361b005d7c.
This is an issue as it opens the VMA (maple) tree to being updated, but
you then re-walk the tree later. If this is okay, then you can add an
rcu_read_lock()/rcu_read_unlock() to iterate over the VMAs so it is
safe (around 1327/1332, respectively).
I'm not entirely sure why this is safe to do without the mmap write
lock, but considering the change log it seems you have thought through
it. I'm just not sure what is going to stop the VMAs from being split
or such by a ref count on the memory policy (or if it matters if they
are)?
Thanks,
Liam
Powered by blists - more mailing lists