From: Zack Rusin
To: dri-devel@lists.freedesktop.org
Cc: krastevm@vmware.com, mombasawalam@vmware.com, banackm@vmware.com, Zack Rusin, David Hildenbrand, Vlastimil Babka, Andrea Arcangeli, Christoph Hellwig, David Rientjes, Don Dutile, Hugh Dickins, Jan Kara, Jann Horn, Jason Gunthorpe, John Hubbard, Khalid Aziz, "Kirill A. Shutemov", Liang Zhang, "Matthew Wilcox (Oracle)", Michal Hocko, Mike Kravetz, Mike Rapoport, Nadav Amit, Oded Gabbay, Oleg Nesterov, Pedro Demarchi Gomes, Peter Xu, Rik van Riel, Roman Gushchin, Shakeel Butt, Yang Shi, Andrew Morton, Muchun Song, Minchan Kim, David Howells, Miaohe Lin, NeilBrown, Suren Baghdasaryan, Hongchen Zhang, linux-mm@kvack.org
Subject: [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse
Date: Wed, 27 Jul 2022 15:14:07 -0400
Message-Id: <20220727191407.1768600-1-zack@kde.org>
X-Mailer: git-send-email 2.34.1
Reply-To: Zack Rusin
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Zack Rusin

Write page faults on last references might not have a valid page
anymore. wp_page_reuse has always dealt with that scenario by making
sure the page isn't null (or the reference was shared) before doing
anything with it.

Recently added checks in VM_BUG_ON (enabled by the CONFIG_DEBUG_VM
option) use PageAnon helpers which assume the passed page is never
null, before making sure there is a valid page to work with. Move the
VM_BUG_ON, which unconditionally uses the page, after the code that
checks that we have a valid one.

Fixes a kernel oops, which is easy to reproduce with 3D apps on arm64
and x86 on kernels with CONFIG_DEBUG_VM set:

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] SMP
CPU: 0 PID: 2396 Comm: Xwayland Tainted: G U 5.19.0-rc2-vmwgfx #28
Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.20138482.BA64.2207201941 07/20/2022
pstate: 10400005 (nzcV daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head+0x24/0xd0
lr : wp_page_reuse+0x8c/0x544
sp : ffff800013637aa0
x29: ffff800013637aa0 x28: ffff00002a28b730 x27: ffff800013637cc8
x26: 0000000000000000 x25: ffff800013637d00 x24: ffff00000c742168
x23: 1ffff000026c6fa0 x22: ffff000013ce59a0 x21: ffff00002a28b730
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 1ffff000026c6f22 x13: 65676170206c6c75 x12: ffff600019dc772f
x11: 1fffe00019dc772e x10: ffff600019dc772e x9 : ffff8000085b1a78
x8 : ffff0000cee3b977 x7 : 0000000000000001 x6 : ffff600019dc772e
x5 : ffff0000cee3b970 x4 : ffff600019dc772f x3 : 1ffff000026c6f99
x2 : 0000000000000001 x1 : dfff800000000000 x0 : 0000000000000008
Call trace:
 _compound_head+0x24/0xd0
 wp_page_reuse+0x8c/0x544
 finish_mkwrite_fault+0x1a0/0x274
 do_wp_page+0x6cc/0x1000
 __handle_mm_fault+0xdc8/0x2620
 handle_mm_fault+0x21c/0x530
 do_page_fault+0x250/0xa40
 do_mem_abort+0x78/0x1b4
 el0_da+0x80/0x1c0
 el0t_64_sync_handler+0xf8/0x140
 el0t_64_sync+0x1a0/0x1a4
Code: aa0003f3 91002000 f2fbffe1 d343fc02 (38e16841)
---[ end trace 0000000000000000 ]---

Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
Signed-off-by: Zack Rusin
Cc: David Hildenbrand
Cc: Vlastimil Babka
Cc: Andrea Arcangeli
Cc: Christoph Hellwig
Cc: David Rientjes
Cc: Don Dutile
Cc: Hugh Dickins
Cc: Jan Kara
Cc: Jann Horn
Cc: Jason Gunthorpe
Cc: John Hubbard
Cc: Khalid Aziz
Cc: "Kirill A. Shutemov"
Cc: Liang Zhang
Cc: "Matthew Wilcox (Oracle)"
Cc: Michal Hocko
Cc: Mike Kravetz
Cc: Mike Rapoport
Cc: Nadav Amit
Cc: Oded Gabbay
Cc: Oleg Nesterov
Cc: Pedro Demarchi Gomes
Cc: Peter Xu
Cc: Rik van Riel
Cc: Roman Gushchin
Cc: Shakeel Butt
Cc: Yang Shi
Cc: Andrew Morton
Cc: Muchun Song
Cc: Minchan Kim
Cc: David Howells
Cc: Miaohe Lin
Cc: NeilBrown
Cc: Suren Baghdasaryan
Cc: Hongchen Zhang
Cc: linux-mm@kvack.org
---
 mm/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c index 7a089145cad4..3e28c652cf60 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -3043,15 +3043,16 @@ static inline void wp_page_reuse(struct vm_fault *vmf) pte_t entry; VM_BUG_ON(!(vmf->flags & FAULT_FLAG_WRITE)); - VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page)); /* * Clear the pages cpupid information as the existing * information potentially belongs to a now completely * unrelated process. */ - if (page) + if (page) { + VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page)); page_cpupid_xchg_last(page, (1 << LAST_CPUPID_SHIFT) - 1); + } flush_cache_page(vma, vmf->address, pte_pfn(vmf->orig_pte)); entry = pte_mkyoung(vmf->orig_pte); -- 2.34.1
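Review bot: the moved `VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page))` now sits as the first statement under the comment that explains clearing the page's cpupid information, so that comment no longer describes the line directly below it; consider either hoisting the assertion above the comment as its own `if (page) VM_BUG_ON(...);` or giving it a one-line comment of its own (that the anon-exclusive invariant is only checked for a non-NULL page), so the block stays readable for the next person who touches it. The ordering change itself is the right fix for the trace in the commit message: `PageAnon()` is now evaluated only inside the `if (page)` guard, which is consistent with the crash landing in `_compound_head+0x24` called from `wp_page_reuse` with `x0 : 0000000000000008` and KASAN reporting a null-ptr-deref in `[0x8-0xf]`. The hunk header (`-3043,15 +3043,16`) and the diffstat (3 insertions, 2 deletions) agree, and the `Fixes:` tag matches the commit the message names as having introduced the assertion.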