On Fri, 28 Dec 2018 12:51:04 -0800 syzbot 
<syzbot+b437b5a429d680cf2...@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following crash on:

uh-oh.  Josef, could you please take a look?

:       page = find_get_page(mapping, offset);
:       if (likely(page) && !(vmf->flags & FAULT_FLAG_TRIED)) {
:               /*
:                * We found the page, so try async readahead before
:                * waiting for the lock.
:                */
:               fpin = do_async_mmap_readahead(vmf, page);
:       } else if (!page) {
:               /* No page in the page cache at all */
:               fpin = do_sync_mmap_readahead(vmf);
:               count_vm_event(PGMAJFAULT);
:               count_memcg_event_mm(vmf->vma->vm_mm, PGMAJFAULT);

vmf->vma has been freed at this point.

:               ret = VM_FAULT_MAJOR;
: retry_find:
:               page = pagecache_get_page(mapping, offset,
:                                         FGP_CREAT|FGP_FOR_MMAP,
:                                         vmf->gfp_mask);
:               if (!page) {
:                       if (fpin)
:                               goto out_retry;
:                       return vmf_error(-ENOMEM);
:               }
:       }
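The ordering problem pointed out above, as an added user-space model (not kernel code and not part of the original message). It assumes the readahead helper may release the lock that keeps the VMA alive, which is the condition under which `vmf->vma` can already be freed; every struct and function name below is constructed for illustration.

```c
#include <stdbool.h>

/* Constructed user-space stand-ins; none of this is kernel code. */
struct mm    { unsigned long pgmajfault; };
struct vma   { struct mm *mm; bool live; };  /* live=false: VMA was freed */
struct fault { struct vma *vma; bool lock_held; };

/* Models a readahead helper that drops the lock for I/O; a racing munmap()
 * then frees the VMA (in this model the race always wins). */
static void readahead_may_unlock(struct fault *f)
{
    f->lock_held = false;
    f->vma->live = false;
}

/* Accounting via vma->mm; false marks what would be a freed-memory read. */
static bool account_major_fault(struct fault *f)
{
    if (!f->lock_held || !f->vma->live)
        return false;
    f->vma->mm->pgmajfault++;
    return true;
}

/* Ordering quoted in the message: helper first, then the vma dereference. */
static bool fault_readahead_first(struct fault *f)
{
    readahead_may_unlock(f);
    return account_major_fault(f);
}

/* Safe ordering: finish every vma access before the call that may unlock. */
static bool fault_account_first(struct fault *f)
{
    bool ok = account_major_fault(f);
    readahead_may_unlock(f);
    return ok;
}

/* Runs one ordering on a fresh fault; returns 1 if accounting was safe. */
static int run(bool (*path)(struct fault *))
{
    struct mm mm = { 0 };
    struct vma v = { &mm, true };
    struct fault f = { &v, true };
    return path(&f) && mm.pgmajfault == 1;
}

/* Exit status 0 when only the account-first ordering is safe. */
int main(void) { return !(run(fault_account_first) && !run(fault_readahead_first)); }
```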
