path: root/mm/mmap.c
diff options
authorMiaohe Lin <>2020-10-10 23:16:34 -0700
committerLinus Torvalds <>2020-10-11 10:31:10 -0700
commitbc4fe4cdd602b3bee5eeb49d843bd6b3296cfc86 (patch)
treea286ab624b0ae5126cfb56366e87dda6848d06cb /mm/mmap.c
parent512b557ac8a869932e03f1fd522419f4348118bf (diff)
mm: mmap: Fix general protection fault in unlink_file_vma()
The syzbot reported the below general protection fault: general protection fault, probably for non-canonical address 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN KASAN: maybe wild-memory-access in range [0x00777770000001d8-0x00777770000001df] CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0 RIP: 0010:unlink_file_vma+0x57/0xb0 mm/mmap.c:164 Call Trace: free_pgtables+0x1b3/0x2f0 mm/memory.c:415 exit_mmap+0x2c0/0x530 mm/mmap.c:3184 __mmput+0x122/0x470 kernel/fork.c:1076 mmput+0x53/0x60 kernel/fork.c:1097 exit_mm kernel/exit.c:483 [inline] do_exit+0xa8b/0x29f0 kernel/exit.c:793 do_group_exit+0x125/0x310 kernel/exit.c:903 get_signal+0x428/0x1f00 kernel/signal.c:2757 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811 exit_to_user_mode_loop kernel/entry/common.c:136 [inline] exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:167 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:242 entry_SYSCALL_64_after_hwframe+0x44/0xa9 It's because the ->mmap() callback can change vma->vm_file and fput the original file. But the commit d70cec898324 ("mm: mmap: merge vma after call_mmap() if possible") failed to catch this case and always fput() the original file, hence add an extra fput(). [ Thanks Hillf for pointing this extra fput() out. ] Fixes: d70cec898324 ("mm: mmap: merge vma after call_mmap() if possible") Reported-by: Signed-off-by: Miaohe Lin <> Signed-off-by: Andrew Morton <> Cc: Christian K├Ânig <> Cc: Hongxiang Lou <> Cc: Chris Wilson <> Cc: Dave Airlie <> Cc: Daniel Vetter <> Cc: Sumit Semwal <> Cc: Matthew Wilcox (Oracle) <> Cc: John Hubbard <> Link: Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'mm/mmap.c')
1 files changed, 5 insertions, 1 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index 40248d84ad5f..bdd19f5b994e 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1781,7 +1781,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX);
if (merge) {
- fput(file);
+ /* ->mmap() can change vma->vm_file and fput the original file. So
+ * fput the vma->vm_file here or we would add an extra fput for file
+ * and cause general protection fault ultimately.
+ */
+ fput(vma->vm_file);
vma = merge;
/* Update vm_flags and possible addr to pick up the change. We don't