| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68d546f8.050a0220.25d7ab.001c.GAE@google.com> Date: Thu, 25 Sep 2025 06:43:20 -0700 From: syzbot <syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com> To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Forwarded: [PATCH] hugetlbfs: skip non-shareable VMAs in hugetlb_vmdelete_list For archival purposes, forwarding an incoming command email to linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com. *** Subject: [PATCH] hugetlbfs: skip non-shareable VMAs in hugetlb_vmdelete_list Author: kartikey406@...il.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master hugetlb_vmdelete_list() processes VMAs from the i_mmap interval tree during truncate operations. This tree should only contain shareable (VM_MAYSHARE) mappings, as private mappings are handled through different code paths. However, VMAs without shareable locks can incorrectly appear in this path, causing assertion failures in huge_pmd_unshare() when it calls hugetlb_vma_assert_locked(). The assertion expects a lock to be held for the VMA being processed. When hugetlb_vma_trylock_write() succeeds but the VMA has no shareable lock (__vma_shareable_lock returns false), the code proceeds to call unmap_hugepage_range(). Inside this function, huge_pmd_unshare() calls hugetlb_vma_assert_locked() which fails because no lock is actually held, resulting in a kernel panic: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by skipping VMAs that don't have a shareable lock. These VMAs should not be in the shared mapping deletion path and are handled by separate code paths for private mappings. Reported-by: syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 9e0625167517..9ba98cab3388 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cached *root, pgoff_t start, pgoff_t end, if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); -- 2.43.0
Powered by blists - more mailing lists