Commit bc4fe4c

Miaohe Lin authored and torvalds committed
mm: mmap: Fix general protection fault in unlink_file_vma()
The syzbot reported the below general protection fault:

general protection fault, probably for non-canonical address 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x00777770000001d8-0x00777770000001df]
CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
RIP: 0010:unlink_file_vma+0x57/0xb0 mm/mmap.c:164
Call Trace:
 free_pgtables+0x1b3/0x2f0 mm/memory.c:415
 exit_mmap+0x2c0/0x530 mm/mmap.c:3184
 __mmput+0x122/0x470 kernel/fork.c:1076
 mmput+0x53/0x60 kernel/fork.c:1097
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0xa8b/0x29f0 kernel/exit.c:793
 do_group_exit+0x125/0x310 kernel/exit.c:903
 get_signal+0x428/0x1f00 kernel/signal.c:2757
 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:136 [inline]
 exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:167
 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:242
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

It's because the ->mmap() callback can change vma->vm_file and fput the
original file. But the commit d70cec8 ("mm: mmap: merge vma after
call_mmap() if possible") failed to catch this case and always fput()
the original file, hence adding an extra fput().

[ Thanks Hillf for pointing this extra fput() out. ]

Fixes: d70cec8 ("mm: mmap: merge vma after call_mmap() if possible")
Reported-by: syzbot+c5d5a51dcbb558ca0cb5@syzkaller.appspotmail.com
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Christian König <ckoenig.leichtzumerken@gmail.com>
Cc: Hongxiang Lou <louhongxiang@huawei.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Link: https://lkml.kernel.org/r/20200916090733.31427-1-linmiaohe@huawei.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 512b557 commit bc4fe4c

File tree

1 file changed

+5 -1 lines changed


mm/mmap.c

Lines changed: 5 additions & 1 deletion
@@ -1781,7 +1781,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
17811781
merge=vma_merge(mm,prev,vma->vm_start,vma->vm_end,vma->vm_flags,
17821782
NULL,vma->vm_file,vma->vm_pgoff,NULL,NULL_VM_UFFD_CTX);
17831783
if (merge) {
1784-
fput(file);
1784+
/* ->mmap() can change vma->vm_file and fput the original file. So
1785+
* fput the vma->vm_file here or we would add an extra fput for file
1786+
* and cause general protection fault ultimately.
1787+
*/
1788+
fput(vma->vm_file);
17851789
vm_area_free(vma);
17861790
vma=merge;
17871791
/* Update vm_flags and possible addr to pick up the change. We don't
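Review bot: the new comment above `fput(vma->vm_file)` describes the symptom but not the ownership rule that makes this the right reference to drop; suggest stating it explicitly, along the lines of: "vma->vm_file holds the reference this temporary vma owns (whatever ->mmap() left there); since the merged vma is freed right below, release that reference, not `file`, which the callback may already have put." That makes clear why the old `fput(file)` was wrong (it dropped a reference the caller no longer owned, so the struct file was freed early and later dereferenced from unlink_file_vma()) rather than leaving the reader to infer it from "general protection fault ultimately". Minor style point: the first comment line ends with a dangling "So"; rewrapping so each line is a clause reads better.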

