From patchwork Sun Aug 16 20:44:25 2020
X-Patchwork-Submitter: Hugh Dickins
X-Patchwork-Id: 11716203
Date: Sun, 16 Aug 2020 13:44:25 -0700 (PDT)
From: Hugh Dickins X-X-Sender: hugh@eggly.anvils To: Andrew Morton cc: Song Liu , "Kirill A. Shutemov" , Srikar Dronamraju , Oleg Nesterov , linux-kernel@vger.kernel.org, linux-mm@kvack.org Subject: [PATCH] uprobes: __replace_page() avoid BUG in munlock_vma_page() Message-ID: User-Agent: Alpine 2.11 (LSU 23 2013-08-11) MIME-Version: 1.0 X-Rspamd-Queue-Id: A189F1804E3B4 X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam02 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: syzbot crashed on the VM_BUG_ON_PAGE(PageTail) in munlock_vma_page(), when called from uprobes __replace_page(). Which of many ways to fix it? Settled on not calling when PageCompound (since Head and Tail are equals in this context, PageCompound the usual check in uprobes.c, and the prior use of FOLL_SPLIT_PMD will have cleared PageMlocked already). Reported-by: syzbot Fixes: 5a52c9df62b4 ("uprobe: use FOLL_SPLIT_PMD instead of FOLL_SPLIT") Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v5.4+ Acked-by: Oleg Nesterov Reviewed-by: Srikar Dronamraju Acked-by: Song Liu --- This one is not a 5.9-rc regression, but still good to fix. kernel/events/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- v5.9-rc/kernel/events/uprobes.c 2020-08-12 19:46:50.851196584 -0700 +++ linux/kernel/events/uprobes.c 2020-08-16 13:18:35.292821674 -0700 @@ -205,7 +205,7 @@ static int __replace_page(struct vm_area try_to_free_swap(old_page); page_vma_mapped_walk_done(&pvmw); - if (vma->vm_flags & VM_LOCKED) + if ((vma->vm_flags & VM_LOCKED) && !PageCompound(old_page)) munlock_vma_page(old_page); put_page(old_page);
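Review bot: the new `!PageCompound(old_page)` condition in the `__replace_page()` hunk reads as if munlock is silently skipped for compound pages, and the reason it is safe (the earlier FOLL_SPLIT_PMD lookup has already cleared PageMlocked, and munlock_vma_page() would otherwise trip its VM_BUG_ON_PAGE(PageTail)) lives only in the commit message. Suggest carrying a one-line comment above the test, e.g. "/* FOLL_SPLIT_PMD already cleared PageMlocked on compound pages */", so that a later reader of `if ((vma->vm_flags & VM_LOCKED) && !PageCompound(old_page))` does not reintroduce the call. The check is made while the reference on old_page is still held (put_page(old_page) follows), so the PageCompound read itself is sound, and the Fixes: tag pointing at the FOLL_SPLIT_PMD change matches that reasoning.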