From: yangge1116@126.com
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, 21cnbao@gmail.com, david@redhat.com, baolin.wang@linux.alibaba.com, muchun.song@linux.dev, osalvador@suse.de, liuzixing@hygon.cn, Ge Yang
Subject: [PATCH] mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
Date: Thu, 22 May 2025 11:22:17 +0800
Message-Id: <1747884137-26685-1-git-send-email-yangge1116@126.com>
X-Mailer: git-send-email 2.7.4
From: Ge Yang

A kernel crash was observed when replacing free hugetlb folios:

BUG: kernel NULL pointer dereference, address: 0000000000000028
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)
RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0
RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000
RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000
RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000
R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000
R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004
FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0
Call Trace:
 replace_free_hugepage_folios+0xb6/0x100
 alloc_contig_range_noprof+0x18a/0x590
 ? srso_return_thunk+0x5/0x5f
 ? down_read+0x12/0xa0
 ? srso_return_thunk+0x5/0x5f
 cma_range_alloc.constprop.0+0x131/0x290
 __cma_alloc+0xcf/0x2c0
 cma_alloc_write+0x43/0xb0
 simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110
 debugfs_attr_write+0x46/0x70
 full_proxy_write+0x62/0xa0
 vfs_write+0xf8/0x420
 ? srso_return_thunk+0x5/0x5f
 ? filp_flush+0x86/0xa0
 ? srso_return_thunk+0x5/0x5f
 ? filp_close+0x1f/0x30
 ? srso_return_thunk+0x5/0x5f
 ? do_dup2+0xaf/0x160
 ? srso_return_thunk+0x5/0x5f
 ksys_write+0x65/0xe0
 do_syscall_64+0x64/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

There is a potential race between __update_and_free_hugetlb_folio() and
replace_free_hugepage_folios():

CPU1                              CPU2
__update_and_free_hugetlb_folio   replace_free_hugepage_folios
                                  folio_test_hugetlb(folio)
                                  -- It's still hugetlb folio.
__folio_clear_hugetlb(folio)
hugetlb_free_folio(folio)
                                  h = folio_hstate(folio)
                                  -- Here, h is NULL pointer

When the above race condition occurs, folio_hstate(folio) returns NULL,
and subsequent access to this NULL pointer will cause the system to
crash. To resolve this issue, execute folio_hstate(folio) under the
protection of the hugetlb_lock lock, ensuring that folio_hstate(folio)
does not return NULL.

Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration")
Signed-off-by: Ge Yang
Cc:
---
 mm/hugetlb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 3d3ca6b..6c2e007 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2924,12 +2924,20 @@ int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn) while (start_pfn < end_pfn) { folio = pfn_folio(start_pfn); + + /* + * The folio might have been dissolved from under our feet, so make sure + * to carefully check the state under the lock. + */ + spin_lock_irq(&hugetlb_lock); if (folio_test_hugetlb(folio)) { h = folio_hstate(folio); } else { + spin_unlock_irq(&hugetlb_lock); start_pfn++; continue; } + spin_unlock_irq(&hugetlb_lock); if (!folio_ref_count(folio)) { ret = alloc_and_dissolve_hugetlb_folio(h, folio, -- 2.7.4
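Review bot: the critical section ends with the second `spin_unlock_irq(&hugetlb_lock);` before `if (!folio_ref_count(folio))` and the `alloc_and_dissolve_hugetlb_folio(h, folio, ...)` call, so the folio can still be dissolved between that unlock and the call; the lock only makes the folio_test_hugetlb()/folio_hstate() pair atomic against __update_and_free_hugetlb_folio(), which clears the flag under the same lock. That is enough for the oops fixed here because h now points at a valid hstate rather than being NULL, but the folio itself is not stabilised, and the callee has to re-validate it under hugetlb_lock before using it. The added comment stops at "check the state under the lock"; extend it to say that only h is made reliable by this section and that the folio is re-checked later, otherwise the next reader will assume the whole loop body is protected. Style: the two unlock sites (one in the else branch, one after the if/else) can be collapsed by doing the lookup under the lock into a single value, e.g. `h = folio_test_hugetlb(folio) ? folio_hstate(folio) : NULL;` between lock and unlock, then `if (!h) { start_pfn++; continue; }` with the lock already dropped.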
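The interleaving in the commit message, as an added user-space model that is not part of this patch or of the kernel: "CPU1" is the dissolve path, "CPU2" is the loop body of replace_free_hugepage_folios(), and hugetlb_lock is modelled as a flag plus a parking slot so that a CPU that would spin on the held lock runs the moment the holder releases it (a single thread cannot block on itself). The hstate table, the folio layout and the assumption that freeing drops the compound order to 0, so that the size_to_hstate() style lookup finds nothing and folio_hstate() returns NULL as the commit message states, are all constructed for the model. The fixed variant shows the caveat too: once CPU2 unlocks, CPU1 runs and the folio is no longer hugetlb, so whoever uses h afterwards must re-check the folio under the lock.

```c
/*
 * Added example, not kernel code: a single-threaded model of the
 * check-then-lookup race fixed by this patch. All names and sizes are
 * constructed for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

struct hstate { unsigned int order; };

/* Constructed hstate table: 2 MiB and 1 GiB pages, as on x86-64. */
static struct hstate hstates[] = { { .order = 9 }, { .order = 18 } };

struct folio {
	bool hugetlb;        /* what folio_test_hugetlb() reads */
	unsigned int order;  /* compound order; 0 once freed back to the buddy */
};

/* Like size_to_hstate(): NULL when no hstate has that size. */
static struct hstate *size_to_hstate(unsigned long size)
{
	for (size_t i = 0; i < sizeof(hstates) / sizeof(hstates[0]); i++)
		if (size == (PAGE_SIZE << hstates[i].order))
			return &hstates[i];
	return NULL;
}

static struct hstate *folio_hstate(const struct folio *f)
{
	return size_to_hstate(PAGE_SIZE << f->order);
}

/*
 * hugetlb_lock model. A CPU that would spin on a held lock cannot block in
 * a single thread, so it is parked and run by the unlock that releases it.
 */
static bool lock_held;
static void (*parked)(struct folio *);
static struct folio *parked_arg;

static void model_spin_lock(void) { lock_held = true; }

static void model_spin_unlock(void)
{
	lock_held = false;
	if (parked) {
		void (*run)(struct folio *) = parked;
		parked = NULL;
		run(parked_arg);
	}
}

/* CPU1: __update_and_free_hugetlb_folio() clears the flag under the lock,
 * then hugetlb_free_folio() gives the pages back, so the order drops to 0. */
static void cpu1_dissolve(struct folio *f)
{
	if (lock_held) {              /* spin: resume right after the unlock */
		parked = cpu1_dissolve;
		parked_arg = f;
		return;
	}
	model_spin_lock();
	f->hugetlb = false;
	f->order = 0;
	model_spin_unlock();
}

struct outcome {
	struct hstate *h;     /* what CPU2 would pass to alloc_and_dissolve_hugetlb_folio() */
	bool folio_hugetlb;   /* folio state once both CPUs are done */
};

/*
 * CPU2's loop body, with CPU1 arriving between the flag check and the hstate
 * lookup. fixed=false is the code before the patch; fixed=true takes the
 * lock around the pair, as the patch does.
 */
static struct outcome simulate(bool fixed)
{
	struct folio f = { .hugetlb = true, .order = 9 };
	struct outcome out = { .h = NULL };

	if (fixed)
		model_spin_lock();
	if (f.hugetlb) {
		cpu1_dissolve(&f);    /* the interleaving from the commit message */
		out.h = folio_hstate(&f);
	}
	if (fixed)
		model_spin_unlock();  /* a parked CPU1 runs here */
	out.folio_hugetlb = f.hugetlb;
	return out;
}

int main(void)
{
	struct outcome before = simulate(false), after = simulate(true);

	printf("before fix: h=%p (this is the pointer the oops dereferenced)\n",
	       (void *)before.h);
	printf("after fix:  h=&hstates[%d] (order %u); folio still hugetlb=%d\n",
	       (int)(after.h - hstates), after.h->order, after.folio_hugetlb);
	return 0;
}
```

The unfixed run returns h == NULL while reporting the folio as hugetlb, which is exactly the state in which the real code went on to dereference h; the fixed run returns &hstates[0] but leaves the folio dissolved, which is why the lock fixes the NULL and nothing more.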