| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68d51c31.050a0220.3a612a.000b.GAE@google.com> Date: Thu, 25 Sep 2025 03:40:49 -0700 From: syzbot <syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com> To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Forwarded: [PATCH] hugetlbfs: skip VMAs without locks in hugetlb_vmdelete_list For archival purposes, forwarding an incoming command email to linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com. *** Subject: [PATCH] hugetlbfs: skip VMAs without locks in hugetlb_vmdelete_list Author: kartikey406@...il.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master hugetlb_vmdelete_list() can call unmap_hugepage_range() on VMAs that have no associated lock, causing assertion failures in huge_pmd_unshare(). The function hugetlb_vma_trylock_write() returns 1 (success) even when a VMA has neither a shareable lock nor a private lock. This allows processing to continue, but when unmap_hugepage_range() is called, it eventually reaches huge_pmd_unshare() which calls hugetlb_vma_assert_locked() to verify a lock is held. The assertion fails because no lock was actually acquired. This results in a kernel panic: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by skipping VMAs that have no lock before calling unmap_hugepage_range(), as the unmap operation requires lock protection. Reported-by: syzbot+f26d7c75c26ec19790e7@...kaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 9e0625167517..d2ecd83848e5 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cached *root, pgoff_t start, pgoff_t end, if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma) && !__vma_private_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); -- 2.43.0
Powered by blists - more mailing lists