From: Uladzislau Rezki
Date: Tue, 13 Aug 2024 08:38:32 +0200
To: Will Deacon
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Zhaoyang Huang, Hailong.Liu, Uladzislau Rezki, Baoquan He, Christoph Hellwig, Lorenzo Stoakes, Thomas Gleixner, Andrew Morton, stable@vger.kernel.org
Subject: Re: [PATCH] mm: vmalloc: Ensure vmap_block is initialised before adding to queue
In-Reply-To: <20240812171606.17486-1-will@kernel.org>
References: <20240812171606.17486-1-will@kernel.org>

On Mon, Aug 12, 2024 at 06:16:06PM +0100, Will Deacon wrote:
> Commit 8c61291fd850 ("mm: fix incorrect vbq reference in
> purge_fragmented_block") extended the 'vmap_block' structure to contain
> a 'cpu' field which is set at allocation time to the id of the
> initialising CPU.
>
> When a new 'vmap_block' is being instantiated by new_vmap_block(), the
> partially initialised structure is added to the local 'vmap_block_queue'
> xarray before the 'cpu' field has been initialised. If another CPU is
> concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it
> may perform an out-of-bounds access to the remote queue thanks to an
> uninitialised index.
>
> This has been observed as UBSAN errors in Android:
>
> | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
> |
> | Call trace:
> | purge_fragmented_block+0x204/0x21c
> | _vm_unmap_aliases+0x170/0x378
> | vm_unmap_aliases+0x1c/0x28
> | change_memory_common+0x1dc/0x26c
> | set_memory_ro+0x18/0x24
> | module_enable_ro+0x98/0x238
> | do_init_module+0x1b0/0x310
>
> Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the
> addition to the xarray.
>
> Cc: Zhaoyang Huang
> Cc: Hailong.Liu
> Cc: Uladzislau Rezki (Sony)
> Cc: Baoquan He
> Cc: Christoph Hellwig
> Cc: Lorenzo Stoakes
> Cc: Thomas Gleixner
> Cc: Andrew Morton
> Cc:
> Fixes: 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block")
> Signed-off-by: Will Deacon
> ---
>
> I _think_ the insertion into the free list is ok, as the vb shouldn't be
> considered for purging if it's clean. It would be great if somebody more
> familiar with this code could confirm either way, however.
>
> mm/vmalloc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index 6b783baf12a1..64c0a2c8a73c 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -2626,6 +2626,7 @@ static void *new_vmap_block(unsigned int order, gfp_t gfp_mask)
> vb->dirty_max = 0;
> bitmap_set(vb->used_map, 0, (1UL << order));
> INIT_LIST_HEAD(&vb->free_list);
> + vb->cpu = raw_smp_processor_id();
>
> xa = addr_to_vb_xa(va->va_start);
> vb_idx = addr_to_vb_idx(va->va_start);
> @@ -2642,7 +2643,6 @@ static void *new_vmap_block(unsigned int order, gfp_t gfp_mask)
> * integrity together with list_for_each_rcu from read
> * side.
> */
> - vb->cpu = raw_smp_processor_id();
> vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu);
> spin_lock(&vbq->lock);
> list_add_tail_rcu(&vb->free_list, &vbq->free);
> --
> 2.46.0.76.ge559c4bf1a-goog
>
Reviewed-by: Uladzislau Rezki (Sony)

Makes sense to me. Thank you!

--
Uladzislau Rezki
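Review bot: in the first hunk the moved `+ vb->cpu = raw_smp_processor_id();` now lands before `xa = addr_to_vb_xa(va->va_start);`, so the field is written before the block is published into the xarray, but nothing in the code records that this ordering is a requirement rather than a stylistic choice; a short comment above the assignment, along the lines of "must be initialised before the xarray insert, remote walkers use it as an index into vmap_block_queue", would keep a later cleanup from moving it back below the publish point and reintroducing exactly the UBSAN report in the commit message. The ordering the remote reader relies on is provided by the xarray store itself (not shown in the hunk), so the comment is the only place a reader of new_vmap_block() would learn why the two statements may not be swapped.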
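Review bot: on the second hunk, removing `- vb->cpu = raw_smp_processor_id();` leaves `vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu);` reading a value assigned earlier in the same function, which answers the author's own question from the cover text: a walker that finds the block through the xarray before `list_add_tail_rcu(&vb->free_list, &vbq->free);` runs now sees an initialised `cpu`, so the position of the free-list insertion, which still happens after the xarray insert and under `spin_lock(&vbq->lock)`, is not part of this fix. It would be worth stating that conclusion in the commit message once confirmed, since the "I _think_" paragraph below the `---` will not be kept in git history.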
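The bug the patch fixes is a publish-before-initialise ordering error: a structure becomes reachable through a shared lookup table while one of its fields still holds garbage, and a concurrent reader uses that field as an array index. The userspace model below is an added example, not kernel code and not part of Will's patch. It stands in for the xarray with a table of C11 atomic pointers (release store on publication, acquire load on lookup, the same pairing rcu_assign_pointer()/rcu_dereference() provide in the kernel), and it simulates the other CPU deterministically by calling the reader hook at the instant the pointer becomes visible instead of racing real threads. All names here (NR_CPUS, VB_SLOTS, vb_table, vbq_purged, reader_walk, the new_vmap_block() signature) are this example's own.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed userspace model of the ordering bug; the constants and
 * tables below are this example's own, not the kernel's.
 */
#define NR_CPUS   4
#define VB_SLOTS  8
#define CPU_UNSET (-1)   /* stands in for whatever vb->cpu held before init */

struct vmap_block {
    int cpu;             /* owning CPU: used as an index into the per-CPU queues */
    unsigned long va_start;
};

/* Stands in for the xarray: a table of published pointers, looked up by readers. */
static _Atomic(struct vmap_block *) vb_table[VB_SLOTS];

/* Stands in for the per-CPU vmap_block_queue; readers index it with vb->cpu. */
static int vbq_purged[NR_CPUS];

/*
 * Reader side, modelled on what purge_fragmented_block() does: find the
 * block through the table, then use vb->cpu as an index. Returns -1 when
 * the index is out of range (what UBSAN reported), -2 when nothing is
 * published yet, otherwise the index that was used.
 */
static int reader_walk(size_t slot)
{
    struct vmap_block *vb =
        atomic_load_explicit(&vb_table[slot], memory_order_acquire);

    if (!vb)
        return -2;
    if (vb->cpu < 0 || vb->cpu >= NR_CPUS)
        return -1;                       /* would be an out-of-bounds access */
    vbq_purged[vb->cpu]++;
    return vb->cpu;
}

/*
 * Writer side. init_before_publish selects the fixed ordering. The
 * concurrent_reader hook models another CPU walking the table right
 * after the pointer becomes visible, which is the window the bug lives in.
 */
static int new_vmap_block(size_t slot, int this_cpu, bool init_before_publish,
                          int (*concurrent_reader)(size_t))
{
    struct vmap_block *vb = calloc(1, sizeof(*vb));
    int observed;

    vb->cpu = CPU_UNSET;                 /* not yet initialised */
    vb->va_start = 0x1000UL * (slot + 1);

    if (init_before_publish)
        vb->cpu = this_cpu;              /* the fix: set before publication */

    /* Publication into the shared table; the release pairs with the reader's acquire. */
    atomic_store_explicit(&vb_table[slot], vb, memory_order_release);

    observed = concurrent_reader(slot);  /* another CPU walks the table here */

    if (!init_before_publish)
        vb->cpu = this_cpu;              /* the buggy ordering: too late */

    return observed;
}

static void reset_model(void)
{
    for (size_t i = 0; i < VB_SLOTS; i++)
        free(atomic_exchange(&vb_table[i], (struct vmap_block *)NULL));
    memset(vbq_purged, 0, sizeof(vbq_purged));
}

/* Index the concurrent reader observes with the pre-patch ordering. */
int run_buggy_ordering(void)
{
    reset_model();
    return new_vmap_block(0, 2, false, reader_walk);
}

/* Index the concurrent reader observes with the patched ordering. */
int run_fixed_ordering(void)
{
    reset_model();
    return new_vmap_block(0, 2, true, reader_walk);
}

int main(void)
{
    return (run_buggy_ordering() == -1 && run_fixed_ordering() == 2) ? 0 : 1;
}
```

The two entry points differ only in where the `cpu` store sits relative to the release store that publishes the pointer; the buggy ordering hands the reader CPU_UNSET and the range check in reader_walk() is the only thing standing between it and a wild index, which is the role UBSAN played in the Android trace above. In the kernel the equivalent of the acquire/release pairing comes from the xarray store and the RCU read side, so the rule the patch enforces is simply: every field a remote walker may read must be written before the pointer is made reachable.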