From: Matthew Wilcox <willy@infradead.org>
To: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: David Wysochanski <dwysocha@redhat.com>,
	David Howells <dhowells@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Jeff Layton <jlayton@kernel.org>,
	Christoph Hellwig <hch@infradead.org>,
	linux-afs@lists.infradead.org, linux-nfs@vger.kernel.org,
	linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org,
	v9fs-developer@lists.sourceforge.net,
	linux-erofs@lists.ozlabs.org, linux-ext4@vger.kernel.org,
	linux-cachefs@redhat.com, linux-fsdevel@vger.kernel.org,
	Rohith Surabattula <rohiths.msft@gmail.com>,
	Steve French <sfrench@samba.org>,
	Shyam Prasad N <nspmangalore@gmail.com>,
	Dominique Martinet <asmadeus@codewreck.org>,
	Ilya Dryomov <idryomov@gmail.com>,
	linux-mm@kvack.org, Daire Byrne <daire.byrne@gmail.com>
Subject: Re: [BUG mm-unstable] BUG: KASAN: use-after-free in shrink_folio_list+0x9f4/0x1ae0
Date: Fri, 7 Jul 2023 19:40:20 +0100
Message-ID: <ZKhcFE1JpT6F2ez3@casper.infradead.org>
In-Reply-To: <ZKhZHg6LSGnvryIe@fedora>

On Sat, Jul 08, 2023 at 03:27:42AM +0900, Hyeonggon Yoo wrote:
> Hmm, was it UAF because it references wrong field ->mapping,
> instead of swapper address space?

Ooh, I know this one!

When a folio is in use as an anonymous page, ->mapping has the bottom
two bits set to 01b.  The rest of the pointer is actually a pointer
to an anon_vma.  It's entirely plausible that an anon page might have
had its anon_vma freed by the time the folio is on the inactive list,
and on its way to being recycled (eg it was unmapped).  I'm not
terribly familiar with the lifetime rules of the anon_vma, but I doubt
that a folio still being in RAM would pin it if it has been unmapped.
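The tagged ->mapping encoding described above, as an added example that is not part of this thread or of the kernel tree: a user-space C model of how a folio's ->mapping field carries either an address_space pointer (file-backed) or an anon_vma pointer with its low bit set (anonymous). The constant names mirror the kernel's PAGE_MAPPING_ANON, PAGE_MAPPING_MOVABLE and PAGE_MAPPING_FLAGS; the struct layouts, the folio_set_* helpers and unchecked_mapping_is_wrong() are stand-ins written for this example, and the folio_mapping()/folio_test_anon()/folio_anon_vma() bodies are simplified models of the kernel helpers of the same name, not copies of them.

```c
/* Added example (not from the mail or the kernel tree): a user-space model
 * of the overloaded folio ->mapping field.  Constant names mirror
 * include/linux/page-flags.h; everything else here is a stand-in. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_MAPPING_ANON    0x1UL   /* low bits 01b: pointer is an anon_vma */
#define PAGE_MAPPING_MOVABLE 0x2UL   /* low bits 10b: non-LRU movable page */
#define PAGE_MAPPING_FLAGS   (PAGE_MAPPING_ANON | PAGE_MAPPING_MOVABLE)

/* Stand-ins for the kernel structures; only their alignment matters,
 * since the two low pointer bits must be free to carry the tag. */
struct address_space { const char *host_name; };
struct anon_vma      { int refcount; };

struct folio {
	void *mapping;   /* address_space * or (anon_vma * | PAGE_MAPPING_ANON) */
};

static int folio_test_anon(const struct folio *f)
{
	return ((uintptr_t)f->mapping & PAGE_MAPPING_ANON) != 0;
}

/* Safe accessor: returns NULL for anon (or movable) folios so a caller
 * never interprets the tagged anon_vma pointer as an address_space. */
static struct address_space *folio_mapping(const struct folio *f)
{
	uintptr_t m = (uintptr_t)f->mapping;

	if (m & PAGE_MAPPING_FLAGS)
		return NULL;
	return (struct address_space *)m;
}

/* Strip the tag bits to recover the anon_vma pointer; NULL if not anon. */
static struct anon_vma *folio_anon_vma(const struct folio *f)
{
	uintptr_t m = (uintptr_t)f->mapping;

	if ((m & PAGE_MAPPING_FLAGS) != PAGE_MAPPING_ANON)
		return NULL;
	return (struct anon_vma *)(m & ~PAGE_MAPPING_FLAGS);
}

static void folio_set_anon(struct folio *f, struct anon_vma *av)
{
	f->mapping = (void *)((uintptr_t)av | PAGE_MAPPING_ANON);
}

static void folio_set_file(struct folio *f, struct address_space *as)
{
	f->mapping = as;
}

/* The unsafe pattern behind the KASAN report: reading ->mapping as an
 * address_space without checking the tag bits.  Returns 1 when the raw
 * read would hand the caller an anon_vma pointer (possibly already freed). */
static int unchecked_mapping_is_wrong(const struct folio *f)
{
	struct address_space *as = (struct address_space *)f->mapping;

	return as != NULL && folio_test_anon(f);
}

/* Constructed sample objects used by main() and by the test. */
static struct anon_vma      g_av = { .refcount = 1 };
static struct address_space g_as = { .host_name = "constructed-inode" };
static struct folio         g_anon_folio, g_file_folio;

/* Builds one anon and one file folio; returns 1 if the accessors agree. */
static int model_round_trip(void)
{
	folio_set_anon(&g_anon_folio, &g_av);
	folio_set_file(&g_file_folio, &g_as);

	return folio_test_anon(&g_anon_folio)
	    && folio_mapping(&g_anon_folio) == NULL
	    && folio_anon_vma(&g_anon_folio) == &g_av
	    && unchecked_mapping_is_wrong(&g_anon_folio)
	    && !folio_test_anon(&g_file_folio)
	    && folio_mapping(&g_file_folio) == &g_as
	    && folio_anon_vma(&g_file_folio) == NULL
	    && !unchecked_mapping_is_wrong(&g_file_folio);
}

int main(void)
{
	printf("model consistent: %s\n", model_round_trip() ? "yes" : "no");
	printf("anon folio raw mapping low bits: %lu\n",
	       (unsigned long)((uintptr_t)g_anon_folio.mapping & PAGE_MAPPING_FLAGS));
	return 0;
}
```

The point for a reviewer of code that walks LRU lists is the last helper: anything that reads ->mapping directly and treats it as an address_space is wrong for anon folios, and since the anon_vma's lifetime is not tied to the folio staying in RAM, the stale pointer it yields is exactly what KASAN flags.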
