From: Joao Martins
To: linux-mm@kvack.org
Cc: Mike Kravetz, Andrew Morton, Joao Martins
Subject: [PATCH v1] mm/hugetlb: fix refs calculation from unaligned @vaddr
Date: Tue, 13 Jul 2021 16:24:40 +0100
Message-Id: <20210713152440.28650-1-joao.m.martins@oracle.com>
commit 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording") refactored the count of subpages but missed an edge case when @vaddr is not aligned to PAGE_SIZE e.g. when close to vma->vm_end. It would then erroneously set @refs to 0 and record_subpages_vmas() wouldn't set the @pages array element to its value, consequently causing the reported null-deref by syzbot.

Fix it by aligning down @vaddr by PAGE_SIZE in @refs calculation.
Reported-by: syzbot+a3fcd59df1b372066f5a@syzkaller.appspotmail.com
Fixes: 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
Signed-off-by: Joao Martins
---
An alternate approach is to have record_subpages_vmas() iterate while addr < vm_end and rename @refs to nr_pages (which would limit how many pages we should store). But I felt that this approach would be slightly more convoluted?

Side-Note: I could add a WARN_ON_ONCE(!refs) and/or create a helper like vma_pages() but with a ulong addr argument e.g. vma_pages_from(vma, vaddr).

The syzbot repro no longer reproduces after this patch. Additionally, ran the libhugetlbfs tests (which were passing without this), gup_test and an extra gup_test extension that takes an offset to exercise gup() starting address not being page aligned.
---
 mm/hugetlb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 924553aa8f78..dfc940d5221d 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5440,8 +5440,9 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma, continue; } - refs = min3(pages_per_huge_page(h) - pfn_offset, - (vma->vm_end - vaddr) >> PAGE_SHIFT, remainder); + /* vaddr may not be aligned to PAGE_SIZE */ + refs = min3(pages_per_huge_page(h) - pfn_offset, remainder, + (vma->vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT); if (pages || vmas) record_subpages_vmas(mem_map_offset(page, pfn_offset),
-- 
2.17.1
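Review bot: the WARN_ON_ONCE(!refs) mentioned in the cover note belongs in this hunk, directly after the new min3(): with the old expression a zero @refs made record_subpages_vmas() record nothing into @pages and the failure only surfaced later as the syzbot null-deref, so a loud check would catch any future regression of the same shape at its source. Two smaller points: moving `remainder` into the second argument slot is unrelated churn that makes the one-line change harder to review, so keeping the original argument order would be preferable; and the new comment could state why the alignment matters (vm_end is page-aligned, so the page count over [vaddr, vm_end) has to start from the aligned-down vaddr) rather than only that vaddr may be unaligned.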
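A userspace model of the @refs computation from the hunk above, before and after the fix, with a stand-in for record_subpages_vmas() to show the pages[] entry that is left NULL when @refs is 0. This is an added example, not kernel code or the author's test: the x86-64 page geometry, the fake vma end address and the int stand-in for struct page are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Assumed x86-64 geometry: 4 KiB base pages, 2 MiB huge pages. */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define PAGES_PER_HUGE_PAGE 512UL
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1))
static unsigned long min3ul(unsigned long a, unsigned long b, unsigned long c)
{
    unsigned long m = a < b ? a : b;
    return m < c ? m : c;
}
/* Index of the base page holding vaddr within its huge page. */
static unsigned long pfn_offset_of(unsigned long vaddr)
{
    return (vaddr & (PAGES_PER_HUGE_PAGE * PAGE_SIZE - 1)) >> PAGE_SHIFT;
}
/* Pre-fix expression: (vm_end - vaddr) >> PAGE_SHIFT rounds down, so an
 * unaligned vaddr inside the last page before vm_end yields 0. */
unsigned long refs_before(unsigned long vaddr, unsigned long vm_end, unsigned long remainder)
{
    return min3ul(PAGES_PER_HUGE_PAGE - pfn_offset_of(vaddr),
                  (vm_end - vaddr) >> PAGE_SHIFT, remainder);
}
/* Patched expression: count whole pages from the aligned-down start. */
unsigned long refs_after(unsigned long vaddr, unsigned long vm_end, unsigned long remainder)
{
    return min3ul(PAGES_PER_HUGE_PAGE - pfn_offset_of(vaddr), remainder,
                  (vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT);
}
/* Mirrors record_subpages_vmas() filling pages[0..refs). Returns 1 when
 * pages[0] was set, 0 when refs == 0 left it NULL for the caller. */
int first_page_recorded(unsigned long vaddr, unsigned long vm_end, unsigned long remainder, int fixed)
{
    static int subpage[PAGES_PER_HUGE_PAGE]; /* stand-in for struct page */
    int *pages[PAGES_PER_HUGE_PAGE] = { NULL };
    unsigned long refs = fixed ? refs_after(vaddr, vm_end, remainder)
                               : refs_before(vaddr, vm_end, remainder);
    for (unsigned long i = 0; i < refs; i++)
        pages[i] = &subpage[pfn_offset_of(vaddr) + i];
    return pages[0] != NULL;
}
int main(void)
{
    unsigned long vm_end = 0x400000UL, vaddr = vm_end - 100; /* unaligned, last page */
    printf("refs before fix: %lu, after fix: %lu\n",
           refs_before(vaddr, vm_end, 1), refs_after(vaddr, vm_end, 1));
    return 0;
}
```

The second test case below (vaddr one and a half pages before vm_end) shows the old expression also undercounting by one page whenever vaddr is unaligned, not only in the zero case that crashed.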