From: liuye <liuye@kylinos.cn>
To: Andrew Morton
Cc: Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, jannh@google.com, vbabka@suse.cz, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/vma: Add VM_WARN_ON for commit_merge
Date: Thu, 16 Jan 2025 14:06:17 +0800
Message-ID: <107e1d14-1a2c-48ff-8947-22e5d791f632@kylinos.cn>
In-Reply-To: <20250115200138.708adc518dd4f92f4fe7fae5@linux-foundation.org>
References: <20250116025005.55846-1-liuye@kylinos.cn> <20250115200138.708adc518dd4f92f4fe7fae5@linux-foundation.org>

On 2025/1/16 12:01, Andrew Morton wrote:
> On Thu, 16 Jan 2025 10:50:05 +0800 Liu Ye <liuye@kylinos.cn> wrote:
>
>> Add VM_WARN_ON to prevent 'adjust' from accessing NULL pointers
>> when 'adjust' is NULL and 'expanded' is false or 'adj_start' is
>> not zero.
>>
>> ...
>>
--- a/mm/vma.c
+++ b/mm/vma.c
@@ -641,6 +641,7 @@ static int commit_merge(struct vma_merge_struct *vmg,
 
 	init_multi_vma_prep(&vp, vmg->vma, adjust, remove, remove2);
 
+	VM_WARN_ON(!adjust && (!expanded || adj_start));
 	VM_WARN_ON(vp.anon_vma && adjust && adjust->anon_vma &&
 		   vp.anon_vma != adjust->anon_vma);
 
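Review bot: the commit message says this "prevents" a NULL dereference of adjust, but VM_WARN_ON(!adjust && (!expanded || adj_start)) only reports the violated precondition; execution continues into the adjust->vm_start dereference in the following vma_iter_config() call, so the oops still happens, and with CONFIG_DEBUG_VM disabled the check compiles away entirely. Either reword the message to say the warning documents the precondition (adjust may be NULL only when expanded is true and adj_start is 0, which is exactly how the call at mm/vma.c:1072 that cppcheck flags invokes it), or, if a NULL adjust outside that shape is reachable, replace the bare warning with an early error return that skips the dereference.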
> This won't prevent a null deref.  It will emit a warning which
> duplicates all the information which we're about to emit from the oops
> handler.
Yes, the accurate description should be that an oops warning message will be
generated when the corresponding input parameter is illegal. This helps to
find the problem.
> Are there any reports of an oops from a NULL deref of `adjust'?

This issue is not from any report yet; it was found by the cppcheck tool only.

mm/vma.c:652:29: warning: Possible null pointer dereference: adjust [nullPointer]
  vma_iter_config(vmg->vmi, adjust->vm_start + adj_start,
                                                            ^
mm/vma.c:1072:24: note: Calling function 'commit_merge', 2nd argument 'NULL' value is 0
 if (commit_merge(vmg, NULL, remove_next ? next : NULL, NULL, 0, true))
                                                   ^
mm/vma.c:652:29: note: Null pointer dereference
  vma_iter_config(vmg->vmi, adjust->vm_start + adj_start,
                                                            ^
mm/vma.c:653:5: warning: Possible null pointer dereference: adjust [nullPointer]
    adjust->vm_end);
    ^
mm/vma.c:1072:24: note: Calling function 'commit_merge', 2nd argument 'NULL' value is 0
 if (commit_merge(vmg, NULL, remove_next ? next : NULL, NULL, 0, true))
                                                  ^
mm/vma.c:653:5: note: Null pointer dereference
    adjust->vm_end);
    ^


Before calling commit_merge, the correct relationship between adjust,
adj_start, and expanded must be ensured, as it is in the functions
vma_merge_existing_range and vma_expand. Therefore, VM_WARN_ON is added
inside the function to detect incorrect relationships. Of course,
commit_merge is not used anywhere else at present, so adding VM_WARN_ON
is just a suggestion.
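As an added example that is not part of this thread or of mm/vma.c, the following user-space C models the precondition the patch's VM_WARN_ON encodes and shows the point Andrew raises: a warning alone does not stop the dereference, while the kernel's `if (WARN_ON(...)) return -EINVAL;` idiom does. struct vma, WARN_ON_MODEL, adjust_args_valid and commit_merge_model are stand-ins written for this example, not kernel API.

```c
/* Added example, not kernel code: a user-space model of the precondition the
 * patch's VM_WARN_ON encodes for commit_merge(), contrasting warn-and-continue
 * with a guard that refuses bad arguments. struct vma and all names are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct vma { unsigned long vm_start, vm_end; };
static int warn_count;	/* how often the warning fired, observable by callers */

/* Stand-in for VM_WARN_ON(): reports and counts, then execution continues,
 * as the kernel macro does (it never stops the caller). */
#define WARN_ON_MODEL(cond) \
	((cond) ? (warn_count++, fprintf(stderr, "WARNING: %s\n", #cond), 1) : 0)

/* The relationship the patch checks: adjust may be NULL only when the merge
 * expanded a VMA and adj_start is 0, which is the shape of the existing call
 * commit_merge(vmg, NULL, ..., NULL, 0, true) that cppcheck flagged. */
static bool adjust_args_valid(const struct vma *adjust, long adj_start, bool expanded)
{
	return adjust != NULL || (expanded && adj_start == 0);
}

/* Guarded variant using the kernel idiom `if (WARN_ON(...)) return -EINVAL;`:
 * it reports the violated precondition and also avoids the NULL dereference
 * that a bare VM_WARN_ON would still run into. On success it stores the start
 * that vma_iter_config() would be given. */
static int commit_merge_model(const struct vma *adjust, long adj_start,
			      bool expanded, unsigned long *range_start)
{
	if (WARN_ON_MODEL(!adjust_args_valid(adjust, adj_start, expanded)))
		return -EINVAL;
	/* Only reached with a non-NULL adjust or with the expanded shape. */
	*range_start = adjust ? adjust->vm_start + adj_start : 0;
	return 0;
}

int main(void)
{
	struct vma next = { .vm_start = 0x7f0000001000UL, .vm_end = 0x7f0000003000UL };
	unsigned long start;
	/* Existing mm/vma.c call shape: NULL adjust, adj_start 0, expanded true. */
	printf("expanded: rc=%d\n", commit_merge_model(NULL, 0, true, &start));
	printf("adjust:   rc=%d start=%#lx\n", commit_merge_model(&next, 0x1000, false, &start));
	/* Violated precondition: refused instead of dereferencing NULL. */
	int rc = commit_merge_model(NULL, 0x1000, false, &start);
	printf("bad:      rc=%d warnings=%d\n", rc, warn_count);
	return 0;
}
```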