From: Zhang Yi <yi.zhang@huaweicloud.com>
To: linux-mm@kvack.org
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, willy@infradead.org, akpm@linux-foundation.org, ziy@nvidia.com, wangkefeng.wang@huawei.com, yangerkun@huawei.com
Subject: [PATCH] mm/truncate: fix out-of-bounds when doing a right-aligned split
Date: Mon, 12 May 2025 14:28:25 +0800
Message-ID: <20250512062825.3533342-1-yi.zhang@huaweicloud.com>
From: Zhang Yi <yi.zhang@huaweicloud.com>

When performing a right split on a folio, split_at2 may point to a
not-present page if offset + length equals the original folio size,
which will trigger the following error:

BUG: unable to handle page fault for address: ffffea0006000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 143ffb9067 P4D 143ffb9067 PUD 143ffb8067 PMD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 502640 Comm: fsx Not tainted 6.15.0-rc3-gc6156189fc6b #889 PR
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/4
RIP: 0010:truncate_inode_partial_folio+0x208/0x620
Code: ff 03 48 01 da e8 78 7e 13 00 48 83 05 10 b5 5a 0c 01 85 c0 0f 85 1c 02 001
RSP: 0018:ffffc90005bafab0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffffea0005ffff00 RCX: 0000000000000002
RDX: 000000000000000c RSI: 0000000000013975 RDI: ffffc90005bafa30
RBP: ffffea0006000000 R08: 0000000000000000 R09: 00000000000009bf
R10: 00000000000007e0 R11: 0000000000000000 R12: 0000000000001633
R13: 0000000000000000 R14: ffffea0005ffff00 R15: fffffffffffffffe
FS:  00007f9f9a161740(0000) GS:ffff8894971fd000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffea0006000008 CR3: 000000017c2ae000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 truncate_inode_pages_range+0x226/0x720
 truncate_pagecache+0x57/0x90
 ...

Fix this issue by skipping the split if the truncation aligns with the
folio size, making sure the split page number lies within the folio.

Fixes: 7460b470a131 ("mm/truncate: use folio_split() in truncate operation")
Signed-off-by: Zhang Yi --- mm/truncate.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/mm/truncate.c b/mm/truncate.c index 5d98054094d1..f2aaf99f2990 100644 --- a/mm/truncate.c +++ b/mm/truncate.c @@ -191,6 +191,7 @@ int truncate_inode_folio(struct address_space *mapping, struct folio *folio) bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) { loff_t pos = folio_pos(folio); + size_t size = folio_size(folio); unsigned int offset, length; struct page *split_at, *split_at2; @@ -198,14 +199,13 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) offset = start - pos; else offset = 0; - length = folio_size(folio); - if (pos + length <= (u64)end) - length = length - offset; + if (pos + size <= (u64)end) + length = size - offset; else length = end + 1 - pos - offset; folio_wait_writeback(folio); - if (length == folio_size(folio)) { + if (length == size) { truncate_inode_folio(folio->mapping, folio); return true; } @@ -224,16 +224,20 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) return true; split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE); - split_at2 = folio_page(folio, - PAGE_ALIGN_DOWN(offset + length) / PAGE_SIZE); - if (!try_folio_split(folio, split_at, NULL)) { /* * try to split at offset + length to make sure folios within * the range can be dropped, especially to avoid memory waste * for shmem truncate */ - struct folio *folio2 = page_folio(split_at2); + struct folio *folio2; + + if (offset + length == size) + goto no_split; + + split_at2 = folio_page(folio, + PAGE_ALIGN_DOWN(offset + length) / PAGE_SIZE); + folio2 = page_folio(split_at2); if (!folio_try_get(folio2)) goto no_split; -- 2.46.1
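Review bot: in the first hunk the new local `size` is declared `size_t` while `offset` and `length`, declared two lines below it, stay `unsigned int`, so the later `length = size - offset` narrows silently and `length == size` compares mixed widths; either make `length` a `size_t` too or declare the new local `unsigned int` to match, so the three variables that are compared and subtracted against each other share one type.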
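Review bot: the second hunk (`@@ -198,14 +199,13 @@`) only replaces the two `folio_size(folio)` calls with the cached `size` and changes no behaviour, which is unrelated to the crash being fixed; since this patch carries a Fixes: tag and will be picked for stable, keep the fix hunk minimal and move this cleanup into a separate preparatory patch, or at least say in the commit message that the folio size is now read once. While here, it is worth stating in that message why the later equality check is enough: the first branch sets `length` to exactly `size - offset`, and the second branch runs only when `pos + size > end`, so `end + 1 - pos - offset <= size - offset`; in both cases `offset + length <= size`.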
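Review bot: in the last hunk the new `if (offset + length == size) goto no_split;` is the right guard and the only case that needs one, since the bound derived from the `length` computation leaves `PAGE_ALIGN_DOWN(offset + length) / PAGE_SIZE` out of range exactly when the two are equal; but it is now separated from the comment that explains the second split ("try to split at offset + length to make sure folios within the range can be dropped ..."), which still sits above `struct folio *folio2;`. Move that comment down to the `split_at2 = folio_page(...)` assignment it describes and give the new check its own one-line comment, e.g. "the range to drop already reaches the end of the folio, nothing past it to split off", so the next reader does not have to re-derive why the aligned case is skipped. Minor: `split_at2` is now assigned only inside this block; if it has no other reader in the function its declaration at the top could move down next to `folio2`.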
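As an added illustration of the boundary the commit message describes (example code written for this review, not part of the patch or of mm/truncate.c): the function below re-implements only the offset/length and split-index arithmetic of truncate_inode_partial_folio() in plain C on a constructed 16-page folio, with a flag selecting the pre-patch and post-patch behaviour. The struct and function names, the 4 KiB page size and the sample ranges are assumptions made here; no real page structs exist in this model, so the out-of-range index is reported rather than dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 4 KiB pages, as on x86. The name is guarded so a host
 * header that already defines PAGE_SIZE does not clash with it. */
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096UL
#endif
#define PAGE_ALIGN_DOWN(x) ((x) & ~(PAGE_SIZE - 1))

/* Result of planning a partial truncation of one folio (hypothetical type). */
struct split_plan {
	unsigned int offset;   /* first byte inside the folio to drop */
	unsigned int length;   /* number of bytes to drop */
	bool whole_folio;      /* range covers the whole folio: no split at all */
	size_t split_at;       /* page index of the left split point */
	bool need_second;      /* a right split at offset + length is wanted */
	size_t split_at2;      /* page index of that right split, if need_second */
};

/*
 * Mirrors the offset/length arithmetic of truncate_inode_partial_folio()
 * as shown in the patch. pos is the folio's byte offset in the file, size
 * its byte length, [start, end] the inclusive byte range being truncated.
 * With fixed == false the right split index is computed unconditionally,
 * as before the patch; with fixed == true the aligned case is skipped.
 */
struct split_plan plan_partial_truncate(int64_t pos, size_t size,
					int64_t start, int64_t end, bool fixed)
{
	struct split_plan p = {0};

	if (start > pos)
		p.offset = (unsigned int)(start - pos);
	else
		p.offset = 0;

	if ((uint64_t)pos + size <= (uint64_t)end)
		p.length = (unsigned int)(size - p.offset);
	else
		p.length = (unsigned int)(end + 1 - pos - p.offset);

	/* Same early exit as the kernel: drop the whole folio, nothing to split. */
	if (p.length == size) {
		p.whole_folio = true;
		return p;
	}

	p.split_at = PAGE_ALIGN_DOWN(p.offset) / PAGE_SIZE;

	/* The fix: when the dropped range already reaches the folio's end, the
	 * right split index would equal the page count, one past the last page. */
	if (fixed && p.offset + p.length == size) {
		p.need_second = false;
		return p;
	}

	p.need_second = true;
	p.split_at2 = PAGE_ALIGN_DOWN(p.offset + p.length) / PAGE_SIZE;
	return p;
}

/* True if a page index names a page that actually exists inside the folio. */
bool split_index_in_folio(size_t index, size_t size)
{
	return index < size / PAGE_SIZE;
}

int main(void)
{
	const size_t size = 16 * PAGE_SIZE;  /* a 64 KiB folio at file offset 0 */
	/* Constructed input: drop bytes 8192 through the folio's last byte. */
	struct split_plan before = plan_partial_truncate(0, size, 8192, 65535, false);
	struct split_plan after = plan_partial_truncate(0, size, 8192, 65535, true);

	printf("before fix: split_at2 = %zu, inside folio: %s\n", before.split_at2,
	       split_index_in_folio(before.split_at2, size) ? "yes" : "no");
	printf("after fix: second split wanted: %s\n",
	       after.need_second ? "yes" : "no");
	return 0;
}
```

Run as is, the pre-patch plan reports split index 16 for a 16-page folio, which is the one-past-the-end page whose struct page the kernel's page_folio() would read (the not-present address in the oops); the post-patch plan reports that no second split is wanted. The whole-folio early exit is modelled too, because it is the other path on which offset + length equals the folio size, and it shows why only the partial-truncation path needed the new check.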