Message-ID: <3b4c72ff-7894-4772-a918-7e20d00fac1b@redhat.com>
Date: Tue, 2 Jul 2024 19:45:38 -0400
Subject: Re: [PATCH] mm: Prevent derefencing NULL ptr in pfn_section_valid()
To: Charan Teja Kalla, Andrew Morton, David Hildenbrand
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20240626001639.1350646-1-longman@redhat.com>
From: Waiman Long

On 7/1/24 09:50, Charan Teja Kalla wrote:
> Hi Waiman,
>
> On 6/26/2024 5:46 AM, Waiman Long wrote:
>> Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing
>> memory_section->usage") changed pfn_section_valid() to add a READ_ONCE()
>> call around "ms->usage" to fix a race with section_deactivate() where
>> ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough
>> to prevent NULL pointer dereference. We need to check its value before
>> dereferencing it.
> I am unable to see a scenario where ms->usage will be NULL when
> pfn_section_valid() is called:
>
> 1) In pfn_valid, valid_section() check ensures that pfn_section_valid()
> is not called as the section is marked as invalid.
>
> 2) In pfn_to_online_page, online_section() check ensures that
> pfn_section_valid() is not called.
>
> and in the update path, we do:
> kfree_rcu(ms->usage, rcu);
> WRITE_ONCE(ms->usage, NULL);
>
> Could you help me in understanding about what I am missing here, please?
>

With the below timing sequence:

     CPU 0                                      CPU 1
     -----                                      -----
                                                if (!valid_section(ms))
                                                    return 0;
 ms->section_mem_map &=
    ~SECTION_HAS_MEM_MAP
 WRITE_ONCE(ms->usage, NULL);
                                                READ_ONCE(ms->usage)->subsection_map

In the time gap between valid_section() check and accessing ms->usage, it
may have been cleared leading to dereferencing a NULL pointer. That is why
it will be prudent to do a NULL check first.

Regards,
Longman
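The interleaving in the timing sequence above, replayed as an added, stand-alone C model; this is not the kernel's code nor the patch under discussion. The struct layouts, the flag values, `SUBSECTIONS_PER_SECTION`, `PFN_SUBSECTION_SHIFT` and the `READ_ONCE()`/`WRITE_ONCE()` macros are constructed stand-ins for the kernel definitions, and `section_deactivate_model()` is a hypothetical helper that performs only the two stores from CPU 0 in the diagram. The point it shows is the one Longman makes: `READ_ONCE()` stops the compiler from re-loading `ms->usage`, but only a NULL test on that single snapshot turns a concurrent teardown into a harmless "not valid" answer instead of a fault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel definitions; values are illustrative. */
#define SUBSECTIONS_PER_SECTION 64UL        /* assumed: 64 subsections per section */
#define PFN_SUBSECTION_SHIFT    15UL        /* assumed: subsection = 2^15 pages   */
#define SECTION_HAS_MEM_MAP     (1UL << 1)  /* constructed flag bit               */

struct mem_section_usage {
    unsigned long subsection_map[1];        /* one bit per subsection */
};

struct mem_section {
    unsigned long section_mem_map;          /* flags live in the low bits          */
    struct mem_section_usage *usage;        /* cleared by section_deactivate()     */
};

/* Model of READ_ONCE()/WRITE_ONCE(): one volatile access, so the compiler may not
 * re-load the pointer between a NULL check and the dereference that follows it. */
#define READ_ONCE(x)      (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v)  (*(volatile __typeof__(x) *)&(x) = (v))

static inline bool valid_section(const struct mem_section *ms)
{
    return ms && (ms->section_mem_map & SECTION_HAS_MEM_MAP);
}

/* Index of the subsection that contains pfn within its section. */
static inline int subsection_map_index(unsigned long pfn)
{
    return (int)((pfn >> PFN_SUBSECTION_SHIFT) & (SUBSECTIONS_PER_SECTION - 1));
}

/* READ_ONCE() alone, the form the thread argues is insufficient: if ms->usage was
 * cleared after the caller's valid_section() check, this dereferences NULL. */
static int pfn_section_valid_unsafe(struct mem_section *ms, unsigned long pfn)
{
    int idx = subsection_map_index(pfn);
    return (int)((READ_ONCE(ms->usage)->subsection_map[0] >> idx) & 1UL);
}

/* Hardened form: snapshot the pointer once, test the snapshot, use the snapshot.
 * A NULL snapshot means the section was torn down concurrently, and "not valid"
 * is the right answer.  Re-reading ms->usage after the check would reopen the race. */
static int pfn_section_valid_safe(struct mem_section *ms, unsigned long pfn)
{
    int idx = subsection_map_index(pfn);
    struct mem_section_usage *usage = READ_ONCE(ms->usage);

    return usage ? (int)((usage->subsection_map[0] >> idx) & 1UL) : 0;
}

/* Hypothetical helper: only the two stores CPU 0 performs in the timing diagram. */
static void section_deactivate_model(struct mem_section *ms)
{
    ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
    WRITE_ONCE(ms->usage, NULL);
}

/* Replays the interleaving deterministically on one thread: CPU 1 passes
 * valid_section(), CPU 0 deactivates the section, CPU 1 then consults usage.
 * Returns the lookup result: 0 with the hardened form, where the READ_ONCE()-only
 * form would fault on the NULL pointer. */
static int replay_race(unsigned long pfn)
{
    struct mem_section_usage usage = { .subsection_map = { ~0UL } }; /* all present */
    struct mem_section ms = { .section_mem_map = SECTION_HAS_MEM_MAP, .usage = &usage };

    if (!valid_section(&ms))              /* CPU 1: check passes            */
        return 0;
    section_deactivate_model(&ms);        /* CPU 0: runs in the time gap    */
    return pfn_section_valid_safe(&ms, pfn); /* CPU 1: resumes, no fault    */
}

/* Same lookup with no concurrent teardown; `map` is the constructed subsection map. */
static int lookup_without_race(unsigned long pfn, unsigned long map)
{
    struct mem_section_usage usage = { .subsection_map = { map } };
    struct mem_section ms = { .section_mem_map = SECTION_HAS_MEM_MAP, .usage = &usage };

    if (!valid_section(&ms))
        return 0;
    /* Both forms agree while usage is live; they differ only once it is NULL. */
    return pfn_section_valid_unsafe(&ms, pfn) & pfn_section_valid_safe(&ms, pfn);
}

int main(void)
{
    unsigned long pfn = 3UL << PFN_SUBSECTION_SHIFT;   /* subsection index 3 */

    printf("no race, subsection 3 populated: %d\n", lookup_without_race(pfn, 1UL << 3));
    printf("no race, subsection 3 absent:    %d\n", lookup_without_race(pfn, 0UL));
    printf("raced with deactivate:           %d\n", replay_race(pfn));
    return 0;
}
```

Compile with any C99 compiler that accepts `__typeof__` (GCC or Clang). Swapping `pfn_section_valid_safe()` for `pfn_section_valid_unsafe()` inside `replay_race()` reproduces the NULL dereference the patch description is about, which is the quickest way to confirm that the snapshot-and-check is what protects the caller, not `READ_ONCE()` by itself.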