From: "Kirill A. Shutemov"
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov", syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
Subject: [PATCH] khugepaged: Fix null-pointer dereference due to race
Date: Wed, 22 Jul 2020 15:14:39 +0300
Message-Id: <20200722121439.44328-1-kirill.shutemov@linux.intel.com>

khugepaged has to drop mmap lock several times while collapsing a page.
The situation can change while the lock is dropped and we need to
re-validate that the VMA is still in place and the PMD is still subject
for collapse.

But we miss one corner case: while collapsing an anonymous page the VMA
could be replaced with a file VMA. If the file VMA doesn't have any
private pages we get a NULL pointer dereference:

	general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
	KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	anon_vma_lock_write include/linux/rmap.h:120 [inline]
	collapse_huge_page mm/khugepaged.c:1110 [inline]
	khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
	khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
	khugepaged_do_scan mm/khugepaged.c:2193 [inline]
	khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238

The fix is to make sure that the VMA is anonymous in
hugepage_vma_revalidate(). The helper is only used for collapsing
anonymous pages.

Signed-off-by: Kirill A. Shutemov
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
---
 mm/khugepaged.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c index b043c40a21d4..700f5160f3e4 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -958,6 +958,9 @@ static int hugepage_vma_revalidate(struct mm_struct *= mm, unsigned long address, return SCAN_ADDRESS_RANGE; if (!hugepage_vma_check(vma, vma->vm_flags)) return SCAN_VMA_CHECK; + /* Anon VMA expected */ + if (!vma->anon_vma || vma->vm_ops) + return SCAN_VMA_CHECK; return 0; } =20 --=20 2.26.2
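Review bot: the new check in hugepage_vma_revalidate() carries only the bare comment "/* Anon VMA expected */", which says what is expected but not why it can fail here; since the changelog explains that the VMA can be replaced with a file VMA while the mmap lock is dropped and that anon_vma_lock_write() then dereferences a NULL anon_vma, put that reason in the comment (for example "VMA may have been replaced with a file VMA while the mmap lock was dropped") so the next reader does not need the git log to see that a failed revalidation is the intended outcome. The hunk also returns SCAN_VMA_CHECK for a different failure than the hugepage_vma_check() call directly above it, so a sentence in the changelog noting that this result code now also covers "no longer an anonymous VMA" would help anyone diagnosing a SCAN_VMA_CHECK outcome.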