From: José Pekkarinen <jose.pekkarinen@foxhound.fi>
To: Matthew Wilcox
Cc: akpm@linux-foundation.org, skhan@linuxfoundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com, Hugh Dickins
Subject: Re: [PATCH] mm/pgtable: return null if no ptl in __pte_offset_map_lock
Date: Wed, 15 Nov 2023 18:05:30 +0200
Message-ID: <1c4cb1959829ecf4f0c59691d833618c@foxhound.fi>
References: <20231115065506.19780-1-jose.pekkarinen@foxhound.fi>
On 2023-11-15 16:19, Matthew Wilcox wrote:
> On Wed, Nov 15, 2023 at 08:55:05AM +0200, José Pekkarinen wrote:
>> Documentation of __pte_offset_map_lock suggests there are situations where
>
> You should have cc'd Hugh who changed all this code recently.

Hi,

Sorry, he seems to be missing if I run get_maintainer.pl:

$ ./scripts/get_maintainer.pl include/linux/mm.h
Andrew Morton (maintainer:MEMORY MANAGEMENT)
linux-mm@kvack.org (open list:MEMORY MANAGEMENT)
linux-kernel@vger.kernel.org (open list)

>> a pmd may not have a corresponding page table, in which case it should
>> return NULL without changing ptlp. Syzbot found its way to produce a
>> NULL dereference in the function showing this case. This patch will
>> provide the exit path suggested if this unlikely situation turns up.
>> The output of the kasan null-ptr-report follows:
>
> There's no need to include all this nonsense in the changelog.

No problem, we can clean the patch if we find there is something worth
upstreaming.

>> spin_lock include/linux/spinlock.h:351 [inline]
>> __pte_offset_map_lock+0x154/0x360 mm/pgtable-generic.c:373
>> pte_offset_map_lock include/linux/mm.h:2939 [inline]
>> filemap_map_pages+0x698/0x11f0 mm/filemap.c:3582
>
> This was the only interesting part.
>
>> +++ b/include/linux/mm.h
>> @@ -2854,7 +2854,7 @@ void ptlock_free(struct ptdesc *ptdesc);
>>
>> static inline spinlock_t *ptlock_ptr(struct ptdesc *ptdesc)
>> {
>> - return ptdesc->ptl;
>> + return (likely(ptdesc)) ? ptdesc->ptl : NULL;
>> }
>
> I don't think we should be changing ptlock_ptr().

This is where the null ptr dereference originates, so the only
alternative I can think of is to protect the life cycle of the ptdesc to
prevent it from dying between the pte check and the spin_unlock of
__pte_offset_map_lock. Would that work for you?

>> +++ b/mm/pgtable-generic.c
>> @@ -370,6 +370,8 @@ pte_t *__pte_offset_map_lock(struct mm_struct *mm,
>> pmd_t *pmd,
>> if (unlikely(!pte))
>> return pte;
>> ptl = pte_lockptr(mm, &pmdval);
>> + if (unlikely(!ptl))
>> + return NULL;
>> spin_lock(ptl);
>
> I don't understand how this could possibly solve the problem. If there's
> no PTE level, then __pte_offset_map() should return NULL and we'd already
> return due to the check for !pte.

I tested the syzbot reproducer in x86 and it doesn't produce this kasan
report anymore.

José.
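Review bot: in the include/linux/mm.h hunk, `+ return (likely(ptdesc)) ? ptdesc->ptl : NULL;` turns ptlock_ptr() from an unconditional accessor into one that can return NULL, which only moves the fault rather than removing it: any caller that passes the result straight to spin_lock(), as the __pte_offset_map_lock() path in the syzbot trace above does, would then dereference NULL inside the spinlock code instead of inside ptlock_ptr(), unless every such caller also grows a check. A NULL ptdesc reaching this accessor means the page table backing the pmd was already gone (or never existed) when the caller looked it up, so the lookup or lifetime handling in the caller is the place to fix, which is also the lifetime question raised in the reply. Minor style point: the parentheses around `likely(ptdesc)` are redundant.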
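Review bot: in the mm/pgtable-generic.c hunk, the new `+ if (unlikely(!ptl))` / `+ return NULL;` early return is only reachable because of the ptlock_ptr() change in the other hunk; if that change is dropped, as the reply suggests, these two lines become dead code. It also differs from the existing `if (unlikely(!pte)) return pte;` path in that it fires after `pte` has already been successfully obtained by the call above, yet returns NULL without releasing whatever that successful call set up and without touching *ptlp, so the caller sees a "no PTE" result from a state the earlier return never reaches. If an early return here is kept at all, it should unwind the pte mapping the same way the function's other failure path does before returning. Finally, pte_lockptr() yielding NULL for a pmd value that the preceding call accepted means the page table disappeared between the two calls; checking for NULL afterwards narrows that window but cannot close it, which is consistent with the reproducer no longer firing while the underlying race remains.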