| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68d5cdd6.050a0220.25d7ab.00ab.GAE@google.com>
Date: Thu, 25 Sep 2025 16:18:46 -0700
From: syzbot <syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com>
To: kartikey406@...il.com
Cc: kartikey406@...il.com, yzbot@...kaller.appspotmail.com,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH v2] hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list
> #syz test: git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
"git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git" does not look like a valid git repo address.
>
> hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate
> operations. As per the original design in commit 40549ba8f8e0 ("hugetlb:
> use new vma_lock for pmd sharing synchronization"), if the trylock fails
> or the VMA has no lock, it should skip that VMA. Any remaining mapped
> pages are handled by remove_inode_hugepages() which is called after
> hugetlb_vmdelete_list() and uses proper lock ordering to guarantee
> unmapping success.
>
> Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs
> without shareable locks, the code proceeds to call unmap_hugepage_range().
> This causes assertion failures in huge_pmd_unshare() → hugetlb_vma_assert_locked()
> because no lock is actually held:
>
> WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted
> Call Trace:
> hugetlb_vma_assert_locked+0x1dd/0x250
> huge_pmd_unshare+0x2c8/0x540
> __unmap_hugepage_range+0x6e3/0x1aa0
> unmap_hugepage_range+0x32e/0x410
> hugetlb_vmdelete_list+0x189/0x1f0
>
> Fix by checking for shareable lock before attempting trylock, avoiding
> both the assertion failure and potential lock leaks from skipping VMAs
> after locks are acquired.
>
> Reported-by: syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7
> Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization")
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
>
> ---
> Changes in v2:
> - Check for shareable lock before trylock to avoid lock leaks (Andrew Morton)
> - Add comment explaining why non-shareable VMAs are skipped (Andrew Morton)
> ---
> fs/hugetlbfs/inode.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
> index 9e0625167517..44943e97adb0 100644
> --- a/fs/hugetlbfs/inode.c
> +++ b/fs/hugetlbfs/inode.c
> @@ -484,6 +484,13 @@ hugetlb_vmdelete_list(struct rb_root_cached *root, pgoff_t start, pgoff_t end,
> vma_interval_tree_foreach(vma, root, start, end ? end - 1 : ULONG_MAX) {
> unsigned long v_start;
> unsigned long v_end;
> + /*
> + * Skip VMAs without shareable locks. Per the design in commit
> + * 40549ba8f8e0, these will be handled by remove_inode_hugepages()
> + * called after this function with proper locking.
> + */
> + if (!__vma_shareable_lock(vma))
> + continue;
>
> if (!hugetlb_vma_trylock_write(vma))
> continue;
> --
> 2.43.0
>
Powered by blists - more mailing lists