On Wed, Aug 07, 2024 at 11:45:56AM GMT, Pengfei Xu wrote: > Hi Lorenzo Stoakes, > > Greetings! > > I used syzkaller and found > KASAN: slab-use-after-free Read in userfaultfd_set_ctx in next-20240805. > > Bisected the first bad commit: > 4651ba8201cf userfaultfd: move core VMA manipulation logic to mm/userfaultfd.c > > All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240806_122723_userfaultfd_set_ct [snip] Andrew - As this is so small, could you take this as a fix-patch? The fix is enclosed below. Pengfei - Sorry for the delay on getting this resolved, I was struggling to repro with my usual dev setup, after trying a lot of things I ended up using the supplied repro env and was able to do so there. (I suspect that VMAs are laid out slightly differently in my usual arch base image perhaps based on tunables, and this was the delta on that!) Regardless, I was able to identify the cause - we incorrectly pass a stale pointer to userfaultfd_reset_ctx() if a merge is performed in userfaultfd_clear_vma(). This was a subtle mistake on my part, I don't see any other instances like this in the patch. Syzkaller managed to get this merge to happen and kasan picked up on it, so thank you very much for supplying the infra! The fix itself is very simple, a one-liner, enclosed below. ----8<----
