From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=LumK=BB=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-10.1 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0DEBDC433E4
	for <linux-mm@archiver.kernel.org>; Wed, 22 Jul 2020 17:56:10 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id CA4C620B1F
	for <linux-mm@archiver.kernel.org>; Wed, 22 Jul 2020 17:56:09 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jPRuwLr3"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org CA4C620B1F
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 2D45B6B0002; Wed, 22 Jul 2020 13:56:09 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 287556B0005; Wed, 22 Jul 2020 13:56:09 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 175266B0006; Wed, 22 Jul 2020 13:56:09 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0081.hostedemail.com [216.40.44.81])
	by kanga.kvack.org (Postfix) with ESMTP id F2D526B0002
	for <linux-mm@kvack.org>; Wed, 22 Jul 2020 13:56:08 -0400 (EDT)
Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 9298D25AC24
	for <linux-mm@kvack.org>; Wed, 22 Jul 2020 17:56:08 +0000 (UTC)
X-FDA: 77066465616.07.bomb83_230882626f38
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin07.hostedemail.com (Postfix) with ESMTP id C61DE184E9AF7
	for <linux-mm@kvack.org>; Wed, 22 Jul 2020 17:55:29 +0000 (UTC)
X-HE-Tag: bomb83_230882626f38
X-Filterd-Recvd-Size: 4950
Received: from mail-ej1-f68.google.com (mail-ej1-f68.google.com [209.85.218.68])
	by imf20.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Wed, 22 Jul 2020 17:55:29 +0000 (UTC)
Received: by mail-ej1-f68.google.com with SMTP id n26so3209521ejx.0
        for <linux-mm@kvack.org>; Wed, 22 Jul 2020 10:55:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=v6guxX6mZtix0UN5UXZjDkdDZ88VY9pbVBPWoe8hGYQ=;
        b=jPRuwLr32SMDzzTNsRbghRPMenaWVD+B/SVzZF1Uc1Llsq/ZIivz/T2o5NrbEYVBeE
         80cewu8Dm2oDPeU2T5l8KbRX5uCRRPNXKGZe76hTgXrlYJ4elRmCeqOka6AyaKkp+a7s
         tnk/332zp8t1AETZ0FjTRzFOtOuc0geYlT+Ui0cQOsKgBbPK877a7fzOmuv04SvVY9Pu
         +blOv/fx0pZSJyb9xbRMaNxgo93g9vImKoXda8tZHsytWfDipNMj8tq3VHHssp6jgGAj
         GBl2XSguaL63ZfAPPVPBL2RhYT6Zk1UWJ/FvurSAG62Qi/1i4ReuK4AkuI7H4wYv56hZ
         YOsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=v6guxX6mZtix0UN5UXZjDkdDZ88VY9pbVBPWoe8hGYQ=;
        b=KnRHFo2lw6PChIxFFyag4oY54MXJBtf0RJ3dWrRrunHDcMLhIza7kmJ0K3tAIqkRk1
         FTOUaCevdEE2DE/aGZmiahQW4onA97DRnsoEKEUjFvvX+KOimhOZvkTA71rXoXf0niJF
         AOgouWtFFbbENRsQZ7a+V5fVRwCPXyCY/rEMoclwRLt0Dp3JwKnwXd8IA7bpnycspG3T
         NSxCDCmrOkvrWcssZU5jzqn0G9jT1Ij/ZLW1IW+gQQQRonakwWUlMTec3OinPTQp3zSU
         zAkHNeR10ozVBq0nWMhqot3QCGWpWmMCXLg53qg+21BVK90VkbqHX0hM6j2I/2FBZZ+c
         8MiQ==
X-Gm-Message-State: AOAM533yDg9GWKzmTf/soo6zOzev40a3EDbqJep9qaoewfzEz4ZSI4Dh
	ppVsefk/m2v6tTRlbH/LPagTwudfbCziXypT5y8=
X-Google-Smtp-Source: ABdhPJzQHgTVTJmsdSnHKQg+hRAmObEtDQPCwtFEQ4cKuewxqthv0FypycyZ0js2NzGr+FeBDN0d6aQyo6ktu11WGNc=
X-Received: by 2002:a17:907:2058:: with SMTP id pg24mr741268ejb.79.1595440528090;
 Wed, 22 Jul 2020 10:55:28 -0700 (PDT)
MIME-Version: 1.0
References: <20200722121439.44328-1-kirill.shutemov@linux.intel.com>
In-Reply-To: <20200722121439.44328-1-kirill.shutemov@linux.intel.com>
From: Yang Shi <shy828301@gmail.com>
Date: Wed, 22 Jul 2020 10:54:41 -0700
Message-ID: <CAHbLzkpYxxO=p82upzjRBW5eD0iwMRC=_9KheiRP54MHwaAGvg@mail.gmail.com>
Subject: Re: [PATCH] khugepaged: Fix null-pointer dereference due to race
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>, Linux MM <linux-mm@kvack.org>, 
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, 
	syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: C61DE184E9AF7
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam02
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Jul 22, 2020 at 5:14 AM Kirill A. Shutemov
<kirill.shutemov@linux.intel.com> wrote:
>
> khugepaged has to drop mmap lock several times while collapsing a page.
> The situation can change while the lock is dropped and we need to
> re-validate that the VMA is still in place and the PMD is still subject
> for collapse.
>
> But we miss one corner case: while collapsing an anonymous pages the VMA
> could be replaced with file VMA. If the file VMA doesn't have any
> private pages we get NULL pointer dereference:
>
>         general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
>         KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>         anon_vma_lock_write include/linux/rmap.h:120 [inline]
>         collapse_huge_page mm/khugepaged.c:1110 [inline]
>         khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
>         khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
>         khugepaged_do_scan mm/khugepaged.c:2193 [inline]
>         khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238
>
> The fix is to make sure that the VMA is anonymous in
> hugepage_vma_revalidate(). The helper is only used for collapsing
> anonymous pages.
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
> Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com

Acked-by: Yang Shi <yang.shi@linux.alibaba.com>

I think this is worth backporting to stable as well.

> ---
>  mm/khugepaged.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> index b043c40a21d4..700f5160f3e4 100644
> --- a/mm/khugepaged.c
> +++ b/mm/khugepaged.c
> @@ -958,6 +958,9 @@ static int hugepage_vma_revalidate(struct mm_struct *mm, unsigned long address,
>                 return SCAN_ADDRESS_RANGE;
>         if (!hugepage_vma_check(vma, vma->vm_flags))
>                 return SCAN_VMA_CHECK;
> +       /* Anon VMA expected */
> +       if (!vma->anon_vma || vma->vm_ops)
> +               return SCAN_VMA_CHECK;
>         return 0;
>  }
>
> --
> 2.26.2
>
>