Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma

From: Lorenzo Stoakes
Date: Mon Dec 09 2024 - 12:09:54 EST


On Mon, Dec 09, 2024 at 11:12:52AM -0500, Liam R. Howlett wrote:
> +Cc maintainers listed of kernel/events/uprobe.c
>
> TL;DR:
> dup_mmap() fails, but uprobe thinks it's fine and keeps trying to use an
> incomplete mm_struct.
>
> We're looking for a way to signal to uprobe to abort, cleanly.
>
> Looking at kernel/fork.c, dup_mmap():
>
> fail_uprobe_end:
> uprobe_end_dup_mmap();
> return retval;
>
> So uprobe is aware it could fail, but releases the semaphore and then
> doesn't check if the mm struct is okay to use.
>
> What should happen in the failed mm_struct case?
>
> Thanks,
> Liam
>

(As discussed on IRC) how about moving the dup_mmap_sem lock up one level, so we
can put the mm before the rmap lookup in build_map_info() is able to find it?
That should avoid the whole issue.

Untested patch attached.

----8<----