From: Muchun Song
To: mike.kravetz@oracle.com, akpm@linux-foundation.org
Cc: npiggin@suse.de, agl@us.ibm.com, ak@linux.intel.com, nacc@us.ibm.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song
Subject: [PATCH] mm/hugetlb: Fix a race between hugetlb sysctl handlers
Date: Sat, 22 Aug 2020 17:53:28 +0800
Message-Id: <20200822095328.61306-1-songmuchun@bytedance.com>

There is a race between the assignment of `table->data` and the write of the value to the pointer in `table->data` in __do_proc_doulongvec_minmax(). Fix this by duplicating the `table` and only updating the duplicate. Also introduce a helper, proc_hugetlb_doulongvec_minmax(), to simplify the code.

The following oops was seen:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
Code: Bad RIP value.
...
Call Trace:
 ? set_max_huge_pages+0x3da/0x4f0
 ? alloc_pool_huge_page+0x150/0x150
 ? proc_doulongvec_minmax+0x46/0x60
 ? hugetlb_sysctl_handler_common+0x1c7/0x200
 ? nr_hugepages_store+0x20/0x20
 ? copy_fd_bitmaps+0x170/0x170
 ? hugetlb_sysctl_handler+0x1e/0x20
 ? proc_sys_call_handler+0x2f1/0x300
 ? unregister_sysctl_table+0xb0/0xb0
 ? __fd_install+0x78/0x100
 ? proc_sys_write+0x14/0x20
 ? __vfs_write+0x4d/0x90
 ? vfs_write+0xef/0x240
 ? ksys_write+0xc0/0x160
 ? __ia32_sys_read+0x50/0x50
 ? __close_fd+0x129/0x150
 ? __x64_sys_write+0x43/0x50
 ? do_syscall_64+0x6c/0x200
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: e5ff215941d5 ("hugetlb: multiple hstates for multiple page sizes")
Signed-off-by: Muchun Song --- mm/hugetlb.c | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index a301c2d672bf..818d6125af49 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3454,6 +3454,23 @@ static unsigned int allowed_mems_nr(struct hstate = *h) } =20 #ifdef CONFIG_SYSCTL +static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int w= rite, + void *buffer, size_t *length, + loff_t *ppos, unsigned long *out) +{ + struct ctl_table dup_table; + + /* + * In order to avoid races with __do_proc_doulongvec_minmax(), we + * can duplicate the @table and alter the duplicate of it. + */ + dup_table =3D *table; + dup_table.data =3D out; + dup_table.maxlen =3D sizeof(unsigned long); + + return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos); +} + static int hugetlb_sysctl_handler_common(bool obey_mempolicy, struct ctl_table *table, int write, void *buffer, size_t *length, loff_t *ppos) @@ -3465,9 +3482,8 @@ static int hugetlb_sysctl_handler_common(bool obey_= mempolicy, if (!hugepages_supported()) return -EOPNOTSUPP; =20 - table->data =3D &tmp; - table->maxlen =3D sizeof(unsigned long); - ret =3D proc_doulongvec_minmax(table, write, buffer, length, ppos); + ret =3D proc_hugetlb_doulongvec_minmax(table, write, buffer, length, pp= os, + &tmp); if (ret) goto out; =20 @@ -3510,9 +3526,8 @@ int hugetlb_overcommit_handler(struct ctl_table *ta= ble, int write, if (write && hstate_is_gigantic(h)) return -EINVAL; =20 - table->data =3D &tmp; - table->maxlen =3D sizeof(unsigned long); - ret =3D proc_doulongvec_minmax(table, write, buffer, length, ppos); + ret =3D proc_hugetlb_doulongvec_minmax(table, write, buffer, length, pp= os, + &tmp); if (ret) goto out; =20 --=20 2.11.0
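Review bot: the comment in proc_hugetlb_doulongvec_minmax() names __do_proc_doulongvec_minmax() as the thing being raced against, but the hazard the removed lines show is that every writer of the sysctl shared one struct ctl_table and repointed its ->data at its own tmp, so a concurrent caller could have the pointer swapped under it before proc_doulongvec_minmax() stored through it; stating that in the comment would make the reason for the stack copy clear to the next reader. Minor style: `struct ctl_table dup_table;` followed by `dup_table = *table;` can be a single initialised declaration, `struct ctl_table dup_table = *table;`.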
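The race the commit message describes, modelled in user space as an added example (this is not the patch's code; `struct ctl_table`, `store_parsed()` and the values 11 and 22 are hypothetical stand-ins with only the fields the hugetlb handlers touch): the old pattern lets two writers of one shared sysctl entry misroute each other's value, the patched pattern gives each caller a private copy.

```c
#include <stddef.h>

/* Hypothetical stand-in for the kernel's struct ctl_table; only the
 * fields the hugetlb handlers touched are modelled. */
struct ctl_table {
	const char *procname;
	void *data;
	size_t maxlen;
};

/* One static entry shared by every task that writes the sysctl. */
static struct ctl_table nr_hugepages_entry = { "nr_hugepages", NULL, 0 };
#define VAL_A 11UL /* constructed value written by writer A */
#define VAL_B 22UL /* constructed value written by writer B */

/* Stand-in for proc_doulongvec_minmax(): stores through table->data,
 * whatever that pointer holds at that moment. */
static void store_parsed(struct ctl_table *table, unsigned long parsed)
{
	*(unsigned long *)table->data = parsed;
}

/* Old pattern: each caller repoints the shared entry at its own tmp.
 * Modelled interleaving: A assigns, B assigns, B stores, A stores.
 * A's value lands in B's tmp and A's tmp is never written; had B already
 * returned, A would store through a dangling stack pointer. Returns 1
 * only if both values landed where intended. */
int racy_writers(unsigned long *tmp_a, unsigned long *tmp_b)
{
	nr_hugepages_entry.data = tmp_a;          /* A: table->data = &tmp */
	nr_hugepages_entry.data = tmp_b;          /* B: same shared entry */
	store_parsed(&nr_hugepages_entry, VAL_B); /* B: writes its value */
	store_parsed(&nr_hugepages_entry, VAL_A); /* A: clobbers B's tmp */
	return *tmp_a == VAL_A && *tmp_b == VAL_B;
}

/* Patched pattern: every caller edits a private copy of the entry, so
 * the same interleaving no longer touches any shared mutable state. */
int safe_writers(unsigned long *tmp_a, unsigned long *tmp_b)
{
	struct ctl_table dup_a = nr_hugepages_entry;
	struct ctl_table dup_b = nr_hugepages_entry;

	dup_a.data = tmp_a;
	dup_a.maxlen = sizeof(unsigned long);
	dup_b.data = tmp_b;
	dup_b.maxlen = sizeof(unsigned long);
	store_parsed(&dup_b, VAL_B);
	store_parsed(&dup_a, VAL_A);
	return *tmp_a == VAL_A && *tmp_b == VAL_B;
}
```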