| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSUwKBP97nd4kpjP@casper.infradead.org>
Date: Tue, 25 Nov 2025 04:27:20 +0000
From: Matthew Wilcox <willy@...radead.org>
To: syzbot <syzbot+5b19bad23ac7f44bf8b8@...kaller.appspotmail.com>
Cc: Liam.Howlett@...cle.com, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
lorenzo.stoakes@...cle.com, shakeel.butt@...ux.dev,
surenb@...gle.com, syzkaller-bugs@...glegroups.com, vbabka@...e.cz
Subject: Re: [syzbot] [mm?] WARNING: refcount bug in __vma_enter_locked
On Mon, Nov 24, 2025 at 07:20:22PM -0800, syzbot wrote:
> refcount_t: saturated; leaking memory.
Umm. Something like this?
#syz test
diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c
index e6e5570d1ec7..71af7f0a5fe1 100644
--- a/mm/mmap_lock.c
+++ b/mm/mmap_lock.c
@@ -74,9 +74,18 @@ static inline int __vma_enter_locked(struct vm_area_struct *vma,
refcount_read(&vma->vm_refcnt) == tgt_refcnt,
state);
if (err) {
+ if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) {
+ /* Oh cobblers. While we got a fatal signal, we
+ * raced with the last user. Pretend we didn't notice
+ * the signal
+ */
+ refcount_set(&vma->vm_refcnt, VMA_LOCK_OFFSET);
+ goto acquired;
+ }
rwsem_release(&vma->vmlock_dep_map, _RET_IP_);
return err;
}
+acquired:
lock_acquired(&vma->vmlock_dep_map, _RET_IP_);
return 1;
Powered by blists - more mailing lists