From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3ADA2C47DDB for ; Wed, 31 Jan 2024 03:07:32 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C24F16B0098; Tue, 30 Jan 2024 22:07:31 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id BAE116B0099; Tue, 30 Jan 2024 22:07:31 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A75086B009A; Tue, 30 Jan 2024 22:07:31 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 90C0A6B0098 for ; Tue, 30 Jan 2024 22:07:31 -0500 (EST) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 5982D80871 for ; Wed, 31 Jan 2024 03:07:31 +0000 (UTC) X-FDA: 81738120702.11.46A40ED Received: from out-185.mta1.migadu.com (out-185.mta1.migadu.com [95.215.58.185]) by imf27.hostedemail.com (Postfix) with ESMTP id 9738A40018 for ; Wed, 31 Jan 2024 03:07:29 +0000 (UTC) Authentication-Results: imf27.hostedemail.com; dkim=pass header.d=linux.dev header.s=key1 header.b=pnoxswJV; spf=pass (imf27.hostedemail.com: domain of muchun.song@linux.dev designates 95.215.58.185 as permitted sender) smtp.mailfrom=muchun.song@linux.dev; dmarc=pass (policy=none) header.from=linux.dev ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706670449; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=NNpTT/WqMYE/kMlEau8F0K6s+byKh41jM8d3ijxTy+U=; b=7JuBrp9SALWcQt+YVqfw7A9oaWSJ/aItnWns0AhUTYjEftqW2cZREotH3U6yMmpKbCx0Hi 4V3yq43m1BPkPCCgJRs6laegpPEfa5D8eAxf2X7nehIkskMHz3o5XLHpxnK52RehkRsktL rz8dNdE2cYQpun7CoSNJTcA/Cu+cfm0= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706670449; a=rsa-sha256; cv=none; b=DbMELBpNauQJN3bABUYiA3szOpA3dsFvfNPl0ODjS0kqbtAi7Qs6lChyuhuajSySUHgqGz 018B0Zzyj4KHrpBiKES7qu5Czo/vB7wyFkjaCEXSNDpyN5CzkWaGNkC1Et/Lno9dulio8F F7m4sw03V0Cf7gCN5xvwAfgqpDXdbE8= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=pass header.d=linux.dev header.s=key1 header.b=pnoxswJV; spf=pass (imf27.hostedemail.com: domain of muchun.song@linux.dev designates 95.215.58.185 as permitted sender) smtp.mailfrom=muchun.song@linux.dev; dmarc=pass (policy=none) header.from=linux.dev Content-Type: text/plain; charset=us-ascii DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1706670447; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NNpTT/WqMYE/kMlEau8F0K6s+byKh41jM8d3ijxTy+U=; b=pnoxswJVQxLXXKjgabA/iWqVs55dd1FIBzgFJZkrFqruLK6cJ93egcuzxTj86u1a4YNGwc N6RFFZZPkByRzNX+DvNBJPZxhiaHlumPSevDx48S0D+6Uzm6qIInKeeZPtT3lLTKpLW+jf OcDJOrb1g8fqXEAQghRBQLsoMx2S00c= Mime-Version: 1.0 Subject: Re: [PATCH] fs,hugetlb: Fix NULL pointer dereference in hugetlbs_fill_super X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Muchun Song In-Reply-To: <20240130210418.3771-1-osalvador@suse.de> Date: Wed, 31 Jan 2024 11:06:43 +0800 Cc: Andrew Morton , LKML , Linux-MM , Michal Hocko , David Howells Content-Transfer-Encoding: quoted-printable Message-Id: References: <20240130210418.3771-1-osalvador@suse.de> To: Oscar Salvador X-Migadu-Flow: FLOW_OUT X-Rspamd-Queue-Id: 9738A40018 X-Rspam-User: X-Stat-Signature: 8kkzye7oegdhrcxwno8t4i95nrubk9cj X-Rspamd-Server: rspam03 X-HE-Tag: 1706670449-693036 X-HE-Meta: U2FsdGVkX18TolilCRhpJK4zm4HborwdxUXX+GMhLwVIA7DeR99Tj9Ipjk0ixObz3sPuzAXuzDZbV86Bwe7FOPqiNGp3wKQDpUzg2fOmgVBlr8+AF9bjAL4NbnPv4r5a01BuitD4L/ZJibZqwlrusTEaSwNoo6Aaw+Y4VoVVr7YFkQdfXQva9Qz4JhPL+/wsPPuG+/cOZwvOWw0keZB6YYXOM/VeoVlqd9YLWbCylVFcc/NJECTUZnYMA9He1EZdRKEV42GzRQNeZ3ps+JN74CUbrCtx6ADGCPD+4pZRLJeDF33vJYnSRaUtJT8IwS9nNIQYyBotoaAAlcalGW2yiWxLnqwQInMyNYn6vHNzbsCw0FaLyXcWnIUz68HJ1LPxkb72FjVlm2Q0POzslzCCc1w7JBDtrCxGv9DCHjNKk4hR24KT8ZA4vOZXn0RYcOMnO8RSua3ggmQkwyQaiBa6u/rY03A9hlO3692ogekq4rGlfndbnb/fOpU7kXfXFwFZSRL7++bJtm/dG5RLx4o8+HUe5E1Vbld1LwhhihbRGbS/4MkoMdUE0D8TytpMoMYwR9HpAStj9KHtU9dwF33MBddWPSFiVRuD51gfQvm7zS4byMIJECirDA3x9k8S8Wlng2NVixMSTBCFAL634Sqcu7aW1xHEsvqb8/yg6TIuVV2ongpu1suOrCpF7c+QRywu/SHZrwZktRYBWFLCuOXUvnYEixfo63byi4cb6chmVbzvSixQpFpTFVt+n3OY6i0GbcaMm2FKK8HYUWUkfcqa5uaVwpvRwenIVtrAw8+9/E7HMZaH/nezexBY9lKc2Zhdd1bzQJi9Z3WsqlsSKfbmqsyiq8yNcpdyj6H6n1f0UG0ru3TgUPuTfw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: > On Jan 31, 2024, at 05:04, Oscar Salvador wrote: >=20 > When configuring a hugetlb filesystem via the fsconfig() syscall, = there is a > possible NULL dereference in hugetlbfs_fill_super() caused by = assigning > NULL to ctx->hstate in hugetlbfs_parse_param() when the requested = pagesize > is non valid. >=20 > E.g: Taking the following steps: >=20 > fd =3D fsopen("hugetlbfs", FSOPEN_CLOEXEC); > fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0); > fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0); >=20 > Given that the requested "pagesize" is invalid, ctxt->hstate will be = replaced > with NULL, losing its previous value, and we will print an error: >=20 > ... > ... > case Opt_pagesize: > ps =3D memparse(param->string, &rest); > ctx->hstate =3D h; > if (!ctx->hstate) { > pr_err("Unsupported page size %lu MB\n", ps / SZ_1M); > return -EINVAL; > } > return 0; > ... > ... >=20 > This is a problem because later on, we will dereference ctxt->hstate = in > hugetlbfs_fill_super() >=20 > ... > ... > sb->s_blocksize =3D huge_page_size(ctx->hstate); > ... > ... >=20 > Causing below Oops. >=20 > Fix this by replacing cxt->hstate value only when then pagesize is = known to be valid. >=20 > kernel: hugetlbfs: Unsupported page size 0 MB > kernel: BUG: kernel NULL pointer dereference, address: = 0000000000000028 > kernel: #PF: supervisor read access in kernel mode > kernel: #PF: error_code(0x0000) - not-present page > kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0 > kernel: Oops: 0000 [#1] PREEMPT SMP PTI > kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E = 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f > kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS = GVPRCRB1.86B.0016.D04.1705030402 05/03/2017 > kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 > kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 = 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 = <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 > kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 > kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: = 0000000000372004 > kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: = ffff9af555e9b000 > kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: = 0000000000370004 > kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: = ffff9af555e9b000 > kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: = ffff9af507d2f400 > kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) = knlGS:0000000000000000 > kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: = 00000000001506f0 > kernel: Call Trace: > kernel: > kernel: ? __die_body+0x1a/0x60 > kernel: ? page_fault_oops+0x16f/0x4a0 > kernel: ? search_bpf_extables+0x65/0x70 > kernel: ? fixup_exception+0x22/0x310 > kernel: ? exc_page_fault+0x69/0x150 > kernel: ? asm_exc_page_fault+0x22/0x30 > kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 > kernel: ? hugetlbfs_fill_super+0xb4/0x1a0 > kernel: ? hugetlbfs_fill_super+0x28/0x1a0 > kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10 > kernel: vfs_get_super+0x40/0xa0 > kernel: ? __pfx_bpf_lsm_capable+0x10/0x10 > kernel: vfs_get_tree+0x25/0xd0 > kernel: vfs_cmd_create+0x64/0xe0 > kernel: __x64_sys_fsconfig+0x395/0x410 > kernel: do_syscall_64+0x80/0x160 > kernel: ? syscall_exit_to_user_mode+0x82/0x240 > kernel: ? do_syscall_64+0x8d/0x160 > kernel: ? syscall_exit_to_user_mode+0x82/0x240 > kernel: ? do_syscall_64+0x8d/0x160 > kernel: ? exc_page_fault+0x69/0x150 > kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76 > kernel: RIP: 0033:0x7ffbc0cb87c9 > kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 = f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 = <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48 > kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: = 00000000000001af > kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: = 00007ffbc0cb87c9 > kernel: RDX: 0000000000000000 RSI: 0000000000000006 RDI: = 0000000000000003 > kernel: RBP: 00007ffc29d2f3b0 R08: 0000000000000000 R09: = 0000000000000000 > kernel: R10: 0000000000000000 R11: 0000000000000206 R12: = 0000000000000000 > kernel: R13: 00007ffc29d2f4c0 R14: 0000000000000000 R15: = 0000000000000000 > kernel: > kernel: Modules linked in: rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) = dns_resolver(E) nfs(E) lockd(E) grace(E) sunrpc(E) netfs(E) af_packet(E) = bridge(E) stp(E) llc(E) iscsi_ibft(E) iscsi_boot_sysfs(E) = intel_rapl_msr(E) intel_rapl_common(E) iTCO_wdt(E) intel_pmc_bxt(E) = sb_edac(E) iTCO_vendor_support(E) x86_pkg_temp_thermal(E) = intel_powerclamp(E) coretemp(E) kvm_intel(E) rfkill(E) ipmi_ssif(E) = kvm(E) acpi_ipmi(E) irqbypass(E) pcspkr(E) igb(E) ipmi_si(E) mei_me(E) = i2c_i801(E) joydev(E) intel_pch_thermal(E) i2c_smbus(E) dca(E) = lpc_ich(E) mei(E) ipmi_devintf(E) ipmi_msghandler(E) acpi_pad(E) = tiny_power_button(E) button(E) fuse(E) efi_pstore(E) configfs(E) = ip_tables(E) x_tables(E) ext4(E) mbcache(E) jbd2(E) hid_generic(E) = usbhid(E) sd_mod(E) t10_pi(E) crct10dif_pclmul(E) crc32_pclmul(E) = crc32c_intel(E) polyval_clmulni(E) ahci(E) xhci_pci(E) = polyval_generic(E) gf128mul(E) ghash_clmulni_intel(E) sha512_ssse3(E) = sha256_ssse3(E) xhci_pci_renesas(E) libahci(E) ehci_pci(E) sha1_ssse3(E) = xhci_hcd(E) ehci_hcd(E) libata(E) > kernel: mgag200(E) i2c_algo_bit(E) usbcore(E) wmi(E) sg(E) = dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) = scsi_mod(E) scsi_common(E) aesni_intel(E) crypto_simd(E) cryptd(E) > kernel: Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):1 > kernel: CR2: 0000000000000028 > kernel: ---[ end trace 0000000000000000 ]--- > kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0 > kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 = 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 = <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28 > kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246 > kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: = 0000000000372004 > kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: = ffff9af555e9b000 > kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: = 0000000000370004 > kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: = ffff9af555e9b000 > kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: = ffff9af507d2f400 > kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) = knlGS:0000000000000000 > kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: = 00000000001506f0 >=20 > Signed-off-by: Michal Hocko > Signed-off-by: Oscar Salvador Thanks for your fix. Acked-by: Muchun Song