lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250818100758.5020-1-hdanton@sina.com>
Date: Mon, 18 Aug 2025 18:07:57 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+f65a2014305525a9f816@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] BUG: sleeping function called from invalid context in vfree (2)

> Date: Mon, 18 Aug 2025 01:05:33 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    8f5ae30d69d7 Linux 6.17-rc1
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=15232442580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8c5ac3d8b8abfcb
> dashboard link: https://syzkaller.appspot.com/bug?extid=f65a2014305525a9f816
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14cbaba2580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1157faf0580000

#syz test upstream master

--- x/include/linux/mm_types.h
+++ y/include/linux/mm_types.h
@@ -1166,6 +1166,7 @@ struct mm_struct {
 #ifdef CONFIG_PREEMPT_RT
 		struct rcu_head delayed_drop;
 #endif
+		struct work_struct drop_work;
 #ifdef CONFIG_HUGETLB_PAGE
 		atomic_long_t hugetlb_usage;
 #endif
--- x/kernel/fork.c
+++ y/kernel/fork.c
@@ -666,6 +666,14 @@ static void cleanup_lazy_tlbs(struct mm_
 		on_each_cpu(do_check_lazy_tlb, (void *)mm, 1);
 }
 
+static void mmdrop_workfn(struct work_struct *work)
+{
+	struct mm_struct *mm;
+
+	mm = container_of(work, struct mm_struct, drop_work);
+	futex_hash_free(mm);
+	free_mm(mm);
+}
 /*
  * Called when the last reference to the mm
  * is dropped: either by a lazy thread or by
@@ -689,9 +697,8 @@ void __mmdrop(struct mm_struct *mm)
 	mm_pasid_drop(mm);
 	mm_destroy_cid(mm);
 	percpu_counter_destroy_many(mm->rss_stat, NR_MM_COUNTERS);
-	futex_hash_free(mm);
-
-	free_mm(mm);
+	INIT_WORK(&mm->drop_work, mmdrop_workfn);
+	schedule_work(&mm->drop_work);
 }
 EXPORT_SYMBOL_GPL(__mmdrop);
 
--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ