Re: mm: use-after-free in collapse_huge_page

From: Kirill A. Shutemov
Date: Mon Aug 29 2016 - 08:46:19 EST


On Sun, Aug 28, 2016 at 12:42:21PM +0200, Dmitry Vyukov wrote:
> Hello,
>
> I've got the following use-after-free in collapse_huge_page while
> running syzkaller fuzzer. It is in khugepaged, so not reproducible. On
> commit 61c04572de404e52a655a36752e696bbcb483cf5 (Aug 25).
>
> ==================================================================
> BUG: KASAN: use-after-free in collapse_huge_page+0x28b1/0x3500 at addr
> ffff88006c731388
> Read of size 8 by task khugepaged/1327
> CPU: 0 PID: 1327 Comm: khugepaged Not tainted 4.8.0-rc3+ #33
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> ffffffff884b8280 ffff88003c207920 ffffffff82d1b239 ffffffff89ec1520
> fffffbfff1097050 ffff88003e94c700 ffff88006c731300 ffff88006c7313c0
> 0000000000000000 ffff88003c207b88 ffff88003c207948 ffffffff817da1fc
> Call Trace:
> [<ffffffff817da82e>] __asan_report_load8_noabort+0x3e/0x40
> mm/kasan/report.c:322
> [<ffffffff817ff651>] collapse_huge_page+0x28b1/0x3500 mm/khugepaged.c:1004

Okay, I think the patch below should do the trick. Build tested only.

Andrea, Ebru, could you re-check if it's reasonable?
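For anyone triaging reports like the one quoted above, the following is an added example (not part of this thread and not kernel code) that parses the KASAN splat into structured fields and picks out the first frame outside mm/kasan/, which is the frame that actually made the bad access. The sample text is copied from the report quoted above, including the two places where the mail client wrapped one kernel log line onto two; the `unwrap` step re-joins those. Field names and the triage summary format are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Report text copied from the KASAN splat quoted in this thread, with the
# mail-wrapped "at addr" line and the wrapped first call-trace frame kept as-is.
KASAN_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in collapse_huge_page+0x28b1/0x3500 at addr
ffff88006c731388
Read of size 8 by task khugepaged/1327
CPU: 0 PID: 1327 Comm: khugepaged Not tainted 4.8.0-rc3+ #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
[<ffffffff817da82e>] __asan_report_load8_noabort+0x3e/0x40
mm/kasan/report.c:322
[<ffffffff817ff651>] collapse_huge_page+0x28b1/0x3500 mm/khugepaged.c:1004
"""

HEADER_RE = re.compile(
    r"BUG: KASAN: (?P<type>[\w-]+) in (?P<sym>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"(?P<access>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (?P<sym>\S+) (?P<loc>\S+:\d+)")
FRAME_START_RE = re.compile(r"^\[<[0-9a-f]+>\]")


@dataclass
class KasanReport:
    bug_type: str                       # e.g. "use-after-free"
    symbol: str                         # function+offset/size of the bad access
    addr: int
    access: str                         # "Read" or "Write"
    size: int
    task: str
    pid: int
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, file:line)


def unwrap(lines: List[str]) -> List[str]:
    """Re-join log lines a mail client split: an 'at addr' line whose hex value
    landed on the next line, and a frame whose file:line was pushed down a line."""
    out, i = [], 0
    while i < len(lines):
        line = lines[i].strip()
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if (line.endswith("at addr") or
                    (FRAME_START_RE.match(line) and not FRAME_RE.search(line))):
                line = line + " " + nxt
                i += 1
        out.append(line)
        i += 1
    return out


def parse_kasan_report(text: str) -> Optional[KasanReport]:
    """Extract bug type, faulting symbol, access details and call-trace frames.
    Returns None if the text carries no KASAN header or access line."""
    header = access = None
    frames: List[Tuple[str, str]] = []
    for line in unwrap(text.splitlines()):
        if header is None and (m := HEADER_RE.search(line)):
            header = m
        elif access is None and (m := ACCESS_RE.search(line)):
            access = m
        elif m := FRAME_RE.search(line):
            frames.append((m.group("sym"), m.group("loc")))
    if header is None or access is None:
        return None
    return KasanReport(
        bug_type=header.group("type"), symbol=header.group("sym"),
        addr=int(header.group("addr"), 16), access=access.group("access"),
        size=int(access.group("size")), task=access.group("task"),
        pid=int(access.group("pid")), frames=frames)


def culprit_frame(report: KasanReport) -> Optional[Tuple[str, str]]:
    """First frame outside KASAN's own reporting code: where the access happened."""
    for sym, loc in report.frames:
        if not loc.startswith("mm/kasan/"):
            return (sym, loc)
    return None


def triage_line(report: KasanReport) -> str:
    """One-line summary suitable for a bug tracker title or dedup key."""
    sym, loc = culprit_frame(report) or ("?", "?")
    return (f"{report.bug_type}: {report.access.lower()} of {report.size} bytes "
            f"at {report.addr:#x} by {report.task}/{report.pid} in {sym} ({loc})")


if __name__ == "__main__":
    rep = parse_kasan_report(KASAN_REPORT)
    print(triage_line(rep))
```

Skipping the mm/kasan/ frames matters because the first entry in every KASAN trace is the reporting helper (`__asan_report_load8_noabort` here); the frame after it, collapse_huge_page at mm/khugepaged.c:1004, is the one to open in the source when looking at the fix.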