Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma

From: Lorenzo Stoakes
Date: Mon Dec 09 2024 - 12:09:54 EST

Next message: Nilay Shroff: "Re: [PATCHv3] gcc: disable '-Wstrignop-overread' universally for gcc-13+ and FORTIFY_SOURCE"
Previous message: Anup Patel: "Re: [PATCH 1/4] irqchip/riscv-imsic: Handle non-atomic MSI updates for device"
In reply to: Liam R. Howlett: "Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma"
Next in thread: Oleg Nesterov: "Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Dec 09, 2024 at 11:12:52AM -0500, Liam R. Howlett wrote:
> +Cc maintainers listed of kernel/events/uprobe.c
>
> TL;DR:
> dup_mmap() fails, but uprobe thinks it's fine and keeps trying to use an
> incomplete mm_struct.
>
> We're looking for a way to signal to uprobe to abort, cleanly.
>
> Looking at kernel/fork.c, dup_mmap():
>
> fail_uprobe_end:
> uprobe_end_dup_mmap();
> return retval;
>
> So uprobe is aware it could fail, but releases the semaphore and then
> doesn't check if the mm struct is okay to use.
>
> What should happen in the failed mm_struct case?
>
> Thanks,
> Liam
>

(As discussed on IRC) how about moving up the dup_mmap_sem lock one level, we
can put the mm before the rmap lookup in build_map_info() is able to find it,
which should avoid the whole issue?

Untested patch attached.

----8<----

Next message: Nilay Shroff: "Re: [PATCHv3] gcc: disable '-Wstrignop-overread' universally for gcc-13+ and FORTIFY_SOURCE"
Previous message: Anup Patel: "Re: [PATCH 1/4] irqchip/riscv-imsic: Handle non-atomic MSI updates for device"
In reply to: Liam R. Howlett: "Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma"
Next in thread: Oleg Nesterov: "Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]