lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f38cef22-d3e8-4f73-a8ba-1a2cb0f4808e@suse.cz>
Date: Thu, 10 Jul 2025 19:42:16 +0200
From: Vlastimil Babka <vbabka@...e.cz>
To: Suren Baghdasaryan <surenb@...gle.com>,
 "Liam R. Howlett" <Liam.Howlett@...cle.com>,
 Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, akpm@...ux-foundation.org,
 david@...hat.com, peterx@...hat.com, jannh@...gle.com, hannes@...xchg.org,
 mhocko@...nel.org, paulmck@...nel.org, shuah@...nel.org,
 adobriyan@...il.com, brauner@...nel.org, josef@...icpanda.com,
 yebin10@...wei.com, linux@...ssschuh.net, willy@...radead.org,
 osalvador@...e.de, andrii@...nel.org, ryan.roberts@....com,
 christophe.leroy@...roup.eu, tjmercier@...gle.com, kaleshsingh@...gle.com,
 aha310510@...il.com, linux-kernel@...r.kernel.org,
 linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
 linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v6 7/8] fs/proc/task_mmu: read proc/pid/maps under per-vma
 lock

On 7/10/25 19:02, Suren Baghdasaryan wrote:
> On Thu, Jul 10, 2025 at 12:03 AM Suren Baghdasaryan <surenb@...gle.com> wrote:
>>
>>
>> I have the patchset ready but would like to test it some more. Will
>> post it tomorrow.
> 
> Ok, I found a couple of issues using the syzbot reproducer [1] (which
> is awesome BTW!):
> 1. rwsem_acquire_read() inside vma_start_read() at [2] should be moved
> after the last check, otherwise the lock is considered taken on
> vma->vm_refcnt overflow;
> 2. query_matching_vma() is missing unlock_vma() call when it does
> "goto next_vma;" and re-issues query_vma_find_by_addr(). The previous
> vma is left locked;

How does that happen? query_vma_find_by_addr() does get_next_vma() which
does unlock_vma()?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ