Re: [PATCH] mm/rmap: Add anon_vma lifetime debug check

From: Jann Horn
Date: Fri Jul 25 2025 - 11:06:10 EST

Next message: Hiago De Franco: "System can not go into suspend when remoteproc is probed on AM62X"
Previous message: Vivian Wang: "Re: [PATCH] riscv: Add sysctl to control discard of vstate during syscall"
In reply to: Lorenzo Stoakes: "Re: [PATCH] mm/rmap: Add anon_vma lifetime debug check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 25, 2025 at 1:32 PM Lorenzo Stoakes
<lorenzo.stoakes@xxxxxxxxxx> wrote:
> On Thu, Jul 24, 2025 at 09:13:50PM +0200, Jann Horn wrote:
> > There have been syzkaller reports a few months ago[1][2] of UAF in rmap
>
> Will try to take a look when I get a chance.
>
> > walks that seems to indicate that there can be pages with elevated mapcount
> > whose anon_vma has already been freed, but I think we never figured out
> > what the cause is; and syzkaller only hit these UAFs when memory pressure
> > randomly caused reclaim to rmap-walk the affected pages, so it of course
> > didn't manage to create a reproducer.
>
> Fun.
>
> Please hook me in (I mean you're going to anyway right :P) on this stuff,
> as I'm looking to rework the anon_vma stuff so am naturally interested in
> any and all rmap anon stuff.
>
> For my sins ;)
>
> Maybe I"ll dig into these syzkallers.

For what it's worth, the point of this change is that hopefully we
won't have to dig more into them manually, because hopefully a few
days after this patch hits linux-next, syzkaller will present us with
a beautiful reproducer that shows exactly what went wrong... or maybe
it won't, I'm being very optimistic here.

Next message: Hiago De Franco: "System can not go into suspend when remoteproc is probed on AM62X"
Previous message: Vivian Wang: "Re: [PATCH] riscv: Add sysctl to control discard of vstate during syscall"
In reply to: Lorenzo Stoakes: "Re: [PATCH] mm/rmap: Add anon_vma lifetime debug check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]