From: Gavin Guo <gavinguo@igalia.com>
To: ziy@nvidia.com
Cc: david@redhat.com, willy@infradead.org, linmiaohe@huawei.com, hughd@google.com, revest@google.com, kernel-dev@igalia.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-mm@kvack.org, akpm@linux-foundation.org
Subject: Re: [PATCH v2] mm/huge_memory: fix dereferencing invalid pmd migration entry
Date: Fri, 18 Apr 2025 17:03:09 +0800
Message-ID: <983ba47e-ab95-4a43-bca2-97b75c3c90d0@igalia.com>
In-Reply-To: <20250418085802.2973519-1-gavinguo@igalia.com>
References: <20250418085802.2973519-1-gavinguo@igalia.com>

On 4/18/25 16:58, Gavin Guo wrote:
> When migrating a THP, concurrent access to the PMD migration entry
> during a deferred split scan can lead to an invalid address access, as
> illustrated below. To prevent this page fault, it is necessary to check
> the PMD migration entry and return early. In this context, there is no
> need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
> equality of the target folio. Since the PMD migration entry is locked,
> it cannot serve as the target.
>
> Mailing list discussion and explanation from Hugh Dickins:
> "An anon_vma lookup points to a location which may contain the folio of
> interest, but might instead contain another folio: and weeding out those
> other folios is precisely what the "folio != pmd_folio((*pmd)" check
> (and the "risk of replacing the wrong folio" comment a few lines above
> it) is for."
>
> BUG: unable to handle page fault for address: ffffea60001db008
> CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
> Call Trace:
>
> try_to_migrate_one+0x28c/0x3730
> rmap_walk_anon+0x4f6/0x770
> unmap_folio+0x196/0x1f0
> split_huge_page_to_list_to_order+0x9f6/0x1560
> deferred_split_scan+0xac5/0x12a0
> shrinker_debugfs_scan_write+0x376/0x470
> full_proxy_write+0x15c/0x220
> vfs_write+0x2fc/0xcb0
> ksys_write+0x146/0x250
> do_syscall_64+0x6a/0x120
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> The bug was found by syzkaller on an internal kernel, then confirmed on
> upstream.
>
> Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
> Cc: stable@vger.kernel.org
> Signed-off-by: Gavin Guo
> Acked-by: David Hildenbrand
> Acked-by: Hugh Dickins
> Acked-by: Zi Yan
> Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/
> ---
> V1 -> V2: Add explanation from Hugh and correct the wording from page
> fault to invalid address access.
>
> mm/huge_memory.c | 18 ++++++++++++++----
> 1 file changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 2a47682d1ab7..0cb9547dcff2 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, > void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, > pmd_t *pmd, bool freeze, struct folio *folio) > { > + bool pmd_migration = is_pmd_migration_entry(*pmd); > + > VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); > VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); > VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); > @@ -3085,10 +3087,18 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, > * require a folio to check the PMD against. Otherwise, there > * is a risk of replacing the wrong folio. > */ > - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || > - is_pmd_migration_entry(*pmd)) { > - if (folio && folio != pmd_folio(*pmd)) > - return; > + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { > + if (folio) { > + /* > + * Do not apply pmd_folio() to a migration entry; and > + * folio lock guarantees that it must be of the wrong > + * folio anyway. > + */ > + if (pmd_migration) > + return; > + if (folio != pmd_folio(*pmd)) > + return; > + } > __split_huge_pmd_locked(vma, pmd, address, freeze); > } > } > > base-commit: a24588245776dafc227243a01bfbeb8a59bafba9 Hi Zi, I've carefully reviewed the mailing list and observed that the indentation is not a strong concern from the reviews. And the cleanup suggestion from David will override the modification in this patch. I have decided to keep the original version (the unindented one). Let me know if you have any feedback with the v2 patch. Thank you!
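Review bot: in the first hunk (@@ -3075,6 +3075,8 @@) the `pmd_migration` snapshot is taken from `*pmd` once at function entry, ahead of the VM_WARN_ON_ONCE checks, and is later mixed with fresh reads in `pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration`; that is only coherent because the caller of split_huge_pmd_locked() holds the PMD lock, which the `_locked` suffix implies but nothing in the hunk states. A one-line comment on the declaration, along the lines of `/* caller holds the pmd lock, so *pmd is stable here */`, would make the reason the cached value cannot go stale visible to the next reader instead of leaving it to the function name.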
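Review bot: in the second hunk (@@ -3085,10 +3087,18 @@) the two early returns inside `if (folio)` could be folded into one condition, `if (pmd_migration || folio != pmd_folio(*pmd)) return;`, relying on short-circuit evaluation to keep pmd_folio() away from a migration entry; keeping them separate, as the patch does, is the more readable choice only because of the comment above them, so that comment should spell out the chain it currently compresses: the `VM_WARN_ON_ONCE(folio && !folio_test_locked(folio))` check shows the caller holds the folio lock, a locked folio cannot be mid-migration, hence any migration entry met here belongs to a different folio and must be skipped, not dereferenced. It is also worth stating in the changelog that when `folio` is NULL a migration entry still reaches __split_huge_pmd_locked() exactly as before, so the fix narrows only the folio-comparison path and does not change the no-folio callers.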