Subject: Re: [PATCH] mm: do not rely on mm == current->mm in __get_user_pages_locked
From: Chris Wilson
To: Jason A. Donenfeld, jgg@ziepe.ca, linux-mm@kvack.org, peterx@redhat.com
Cc: torvalds@linux-foundation.org, dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, akpm@linux-foundation.org, Jason A. Donenfeld
Date: Mon, 28 Sep 2020 11:43:50 +0100
Message-ID: <160128983096.13711.12861675638427541068@build.alporthouse.com>
In-Reply-To: <20200928103507.2164-1-Jason@zx2c4.com>
References: <20200928103507.2164-1-Jason@zx2c4.com>

Quoting Jason A. Donenfeld (2020-09-28 11:35:07)
> It seems likely this block was pasted from internal_get_user_pages_fast,
> which is not passed an mm struct and therefore uses current's. But
> __get_user_pages_locked is passed an explicit mm, and current->mm is not
> always valid. This was hit when being called from i915, which uses:
> 
> pin_user_pages_remote->
> __get_user_pages_remote->
> __gup_longterm_locked->
> __get_user_pages_locked
> 
> Before, this would lead to an OOPS:
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000064
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 0 P4D 0
> Oops: 0002 [#1] SMP
> CPU: 10 PID: 1431 Comm: kworker/u33:1 Tainted: P S U O 5.9.0-rc7+ #140
> Hardware name: LENOVO 20QTCTO1WW/20QTCTO1WW, BIOS N2OET47W (1.34 ) 08/06/2020
> Workqueue: i915-userptr-acquire __i915_gem_userptr_get_pages_worker [i915]
> RIP: 0010:__get_user_pages_remote+0xd7/0x310
> Code: f5 01 00 00 83 7d 00 01 0f 85 ed 01 00 00 f7 c1 00 00 04 00 0f 84 58 01 00 00 65 48 8b 04 25 00 6d 01 00 48 8b 80 40 03 00 00 40 64 01 00 00 00 65 48 8b 04 25 00 6d 01 00 48 c7 44 24 18 00
> RSP: 0018:ffff888fdfe47de0 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: 00007fe188531000 RCX: 0000000000040001
> RDX: 0000000000000001 RSI: 00007fe188531000 RDI: ffff888ff0748f00
> RBP: ffff888fdfe47e54 R08: ffff888fedc7d7c8 R09: 0000000000000000
> R10: 0000000000000018 R11: fefefefefefefeff R12: ffff888ff0748f00
> R13: ffff888fedc7d7c8 R14: ffff888f81fe3a40 R15: 0000000000042003
> FS: 0000000000000000(0000) GS:ffff888ffc480000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000064 CR3: 0000000002009003 CR4: 00000000003706e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> __i915_gem_userptr_get_pages_worker+0xc8/0x260 [i915]
> process_one_work+0x1ca/0x390
> worker_thread+0x48/0x3c0
> ? rescuer_thread+0x3d0/0x3d0
> kthread+0x114/0x130
> ? kthread_create_worker_on_cpu+0x40/0x40
> ret_from_fork+0x1f/0x30
> CR2: 0000000000000064
> 
> This commit fixes the problem by using the mm pointer passed to the
> function rather than the bogus one in current.
> 
> Fixes: 008cfe4418b3 ("mm: Introduce mm_struct.has_pinned")
> Cc: Jason Gunthorpe
> Cc: Peter Xu
> Signed-off-by: Jason A. Donenfeld
> ---
>  mm/gup.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/gup.c b/mm/gup.c
> index dfe781d2ad4c..e869c634cc9a 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -1256,7 +1256,7 @@ static __always_inline long __get_user_pages_locked(struct mm_struct *mm,
>  	}
>  
>  	if (flags & FOLL_PIN)
> -		atomic_set(&current->mm->has_pinned, 1);
> +		atomic_set(&mm->has_pinned, 1);

That's literally the same diff as I was just testing :)

I can attest that it fixes the i915 issue, but since that's also your test
case, I'm not adding much information.
-Chris
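Review bot: the replacement `atomic_set(&mm->has_pinned, 1);` targets the `mm` that `__get_user_pages_locked(struct mm_struct *mm, ...)` is handed in its own signature (visible in the @@ header), which is the right fix; the commit message would be clearer if it stated outright that the failing path runs in a kworker (`Comm: kworker/u33:1`, `Workqueue: i915-userptr-acquire`), where `current->mm` is NULL because a kernel thread has no mm of its own, which is why the oops is a supervisor write to the small address 0x64 (a field offset off a NULL `mm_struct`) rather than a fault on an unrelated mm. Since the message says this block was copied from internal_get_user_pages_fast, where using `current` is legitimate, it would also be worth a quick sweep of the other remote-mm callers listed (pin_user_pages_remote, __get_user_pages_remote, __gup_longterm_locked) for the same `current->mm` pattern before this is considered closed.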
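As an added illustration that is not part of this thread or of the kernel source: a small user-space model of the defect in the quoted hunk and of the fix. The struct names (`mm_struct`, `task_struct`, `has_pinned`), the `current` global and `FOLL_PIN` are stand-ins constructed here to mirror the kernel's, and the two scenario functions are hypothetical. It goes one step beyond the oops in the thread by also showing the quiet failure when `current` does have an mm: the original line then marks the caller's own mm instead of the remote one it was asked to pin.

```c
/* Added example, not kernel code: a user-space model of the bug fixed by the
 * patch. The structures below are toy stand-ins constructed for this
 * demonstration; only their names mirror the kernel's. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define FOLL_PIN 0x1

struct mm_struct {
    atomic_int has_pinned;   /* kernel: set once an mm has had pages pinned */
};

struct task_struct {
    struct mm_struct *mm;    /* NULL for kernel threads, e.g. a kworker */
};

/* Stand-in for the kernel's per-CPU `current` pointer. */
static struct task_struct *current;

/* Buggy shape (the '-' line of the hunk): marks current->mm even though an
 * explicit mm was passed. Returns -1 instead of faulting when current->mm is
 * NULL so the model can show the defect without crashing; the real code
 * oopses at exactly that dereference. */
static int gup_locked_buggy(struct mm_struct *mm, unsigned int flags)
{
    (void)mm;                        /* the explicit mm is ignored: the bug */
    if (flags & FOLL_PIN) {
        if (current->mm == NULL)
            return -1;               /* kernel: NULL deref at &current->mm->has_pinned */
        atomic_store(&current->mm->has_pinned, 1);
    }
    return 0;
}

/* Fixed shape (the '+' line of the hunk): use the mm the caller handed us. */
static int gup_locked_fixed(struct mm_struct *mm, unsigned int flags)
{
    if (flags & FOLL_PIN)
        atomic_store(&mm->has_pinned, 1);
    return 0;
}

/* Scenario from the oops: a kworker (no mm of its own) pins pages of a remote
 * user mm on behalf of i915. Returns the remote mm's has_pinned after the
 * call, or -1 if the buggy path would have faulted. */
int pin_remote_from_kworker(int use_fixed)
{
    struct mm_struct remote = { .has_pinned = 0 };
    struct task_struct kworker = { .mm = NULL };
    current = &kworker;
    int rc = use_fixed ? gup_locked_fixed(&remote, FOLL_PIN)
                       : gup_locked_buggy(&remote, FOLL_PIN);
    return rc < 0 ? -1 : atomic_load(&remote.has_pinned);
}

/* Scenario where the bug hides: a user task with its own mm pins another
 * task's mm. Nothing crashes, but the buggy path marks current->mm instead
 * of the remote mm. Returns the remote mm's has_pinned after the call. */
int pin_remote_from_user_task(int use_fixed)
{
    struct mm_struct own = { .has_pinned = 0 }, remote = { .has_pinned = 0 };
    struct task_struct task = { .mm = &own };
    current = &task;
    if (use_fixed)
        gup_locked_fixed(&remote, FOLL_PIN);
    else
        gup_locked_buggy(&remote, FOLL_PIN);
    return atomic_load(&remote.has_pinned);
}

int main(void)
{
    printf("kworker   buggy: %d (would oops)  fixed: %d\n",
           pin_remote_from_kworker(0), pin_remote_from_kworker(1));
    printf("user task buggy: %d (wrong mm)    fixed: %d\n",
           pin_remote_from_user_task(0), pin_remote_from_user_task(1));
    return 0;
}
```

The second scenario is the one a reviewer would want to keep in mind: the NULL dereference only surfaces when the caller is a kernel thread, so on a user-task call path the same line silently tags the wrong address space and no oops ever points at it.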