find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to report vm area information, kasan can trigger deadlock like:
CPU0                                CPU1
vmalloc();
 alloc_vmap_area();
  spin_lock(&vn->busy.lock)
                                    spin_lock_bh(&some_lock);
   <interrupt occurs>
   <in softirq>
   spin_lock(&some_lock);
                                    <access invalid address>
                                    kasan_report();
                                     print_report();
                                      print_address_description();
                                       kasan_find_vm_area();
                                        find_vm_area();
                                         spin_lock(&vn->busy.lock) // deadlock!
To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().
Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com
Fixes: c056a364e954 ("kasan: print virtual mapping info in reports")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reported-by: Yunseong Kim <ysk@kzalloc.com>
Reviewed-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 6ee9b3d84775944fb8c8a447961cd01274ac671c)
---
 mm/kasan/report.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/mm/kasan/report.c b/mm/kasan/report.c index c7c0083203cb..5675d6a412ef 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -398,17 +398,8 @@ static void print_address_description(void *addr, u8 tag, }
if (is_vmalloc_addr(addr)) { - struct vm_struct *va = find_vm_area(addr); - - if (va) { - pr_err("The buggy address belongs to the virtual mapping at\n" - " [%px, %px) created by:\n" - " %pS\n", - va->addr, va->addr + va->size, va->caller); - pr_err("\n"); - - page = vmalloc_to_page(addr); - } + pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr); + page = vmalloc_to_page(addr); }
if (page) {
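Review bot: In the is_vmalloc_addr() branch, page = vmalloc_to_page(addr) is no longer gated on a vm_struct having been found, so it now runs for every vmalloc-range address, including one with no live mapping, and the following if (page) becomes the only guard. The commit message should say that this is intended and that vmalloc_to_page() is safe to call on such an address from the report path. The message and call trace also name kasan_find_vm_area(), while the hunk removes a direct find_vm_area() call; for this 6.12.y backport a short note under the cherry-pick line explaining the difference would help stable reviewers. Finally, the removed pr_err("\n") was the blank separator before the page description, and the report no longer shows the mapping range or its creator (va->caller), so anyone triaging vmalloc out-of-bounds or use-after-free reports loses that context; consider keeping the separator and mentioning the reduced output in the changelog.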
Sorry to make noise. I've missed in-reply-to.
I'll send again.
Thanks
-- Sincerely, Yeoreum Yun
________________________________________
From: Yeoreum Yun <yeoreum.yun@arm.com>
Sent: 14 July 2025 07:44
To: ppbuk5246@gmail.com
Cc: Yeo Reum Yun; Yunseong Kim; Andrey Ryabinin; Alexander Potapenko; Andrey Konovalov; Byungchul Park; Dmitriy Vyukov; Sebastian Andrzej Siewior; Steven Rostedt; Vincenzo Frascino; stable@vger.kernel.org; Andrew Morton
Subject: [PATCH 6.12.y 1/1] kasan: remove kasan_find_vm_area() to prevent possible deadlock
linux-stable-mirror@lists.linaro.org