Date: Thu, 3 Oct 2024 17:06:12 -0400
From: Peter Xu
To: Matthew Wilcox
Cc: manas18244@iiitd.ac.in, Andrew Morton, Shuah Khan, Anup Sharma, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
Subject: Re: [PATCH] Fixes: null pointer dereference in pfnmap_lockdep_assert
References: <20241003-fix-null-deref-v1-1-0a45df9d016a@iiitd.ac.in>

Matthew,

On Thu, Oct 03, 2024 at 09:31:17PM +0100, Matthew Wilcox wrote:
> On Thu, Oct 03, 2024 at 09:31:06PM +0530, Manas via B4 Relay wrote:
> > From: Manas
> >
> > syzbot has pointed to a possible null pointer dereference in
> > pfnmap_lockdep_assert. vm_file member of vm_area_struct is being
> > dereferenced without any checks.
> >
> > This fix returns if vm_file member in vm_area_struct is NULL.
>
> This seems like the wrong fix. It's mmap'ing a file, so vm_file should
> not be NULL. Or have I forgotten something very important about how the
> MM works?

If I read the stack right, the crash was before mmap() of the new vma
happens; instead it's during unmap() of one existing vma which existed and
overlapped with the new vma's mapping range:

  follow_phys arch/x86/mm/pat/memtype.c:956 [inline]
  get_pat_info+0x182/0x3f0 arch/x86/mm/pat/memtype.c:988
  untrack_pfn+0x327/0x640 arch/x86/mm/pat/memtype.c:1101
  unmap_single_vma+0x1f6/0x2b0 mm/memory.c:1834
  unmap_vmas+0x3cc/0x5f0 mm/memory.c:1900
  unmap_region+0x214/0x380 mm/vma.c:354        <--------------- here
  mmap_region+0x22f9/0x2990 mm/mmap.c:1573
  do_mmap+0x8f0/0x1000 mm/mmap.c:496
  vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:588
  ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:542
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

It looks like the vma that was overwritten by the new file vma mapping could
be a VM_PFNMAP vma (I'm guessing vvar or something similar..), that's where
untrack_pfn() got kicked off.

In this case, the vma being overwritten and to be unmapped can have
->vm_file==NULL (while ->vm_ops non-NULL; /me looking at
__install_special_mapping()).

Thanks,

-- 
Peter Xu
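As an added illustration, not code from this thread or from the kernel, here is a small C model of the situation Peter describes: a VM_PFNMAP vma installed as a special mapping carries vm_ops but no vm_file, and the unmap walk over the range overwritten by a new file mapping reaches it. The struct definitions, pfnmap_lock_for(), pfnmap_lock_held() and count_pfnmap_without_file() are hypothetical stand-ins for the kernel's own code; pfnmap_lock_for() models the check that has to tolerate vm_file == NULL instead of reading vm_file->f_mapping unconditionally.

```c
#include <stddef.h>
#include <stdbool.h>
/* Hypothetical, cut-down models of the kernel structures; not kernel code. */
struct address_space { bool i_mmap_rwsem_held; };
struct file { struct address_space *f_mapping; };
struct mm_struct { bool mmap_lock_held; };
struct vm_operations_struct { const char *name; };
#define VM_PFNMAP 0x00000400UL

struct vm_area_struct {
	unsigned long vm_start, vm_end, vm_flags;
	struct mm_struct *vm_mm;
	struct file *vm_file;   /* NULL for a special mapping such as vvar */
	const struct vm_operations_struct *vm_ops;
};
enum pfnmap_lock { LOCK_I_MMAP_OR_MMAP, LOCK_MMAP_ONLY };

/* Which lock the lockdep assert should look for. A vma without a vm_file has
 * no address_space, so only the mmap lock can protect it; reading
 * vma->vm_file->f_mapping unconditionally is the NULL dereference. */
enum pfnmap_lock pfnmap_lock_for(const struct vm_area_struct *vma)
{
	struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;
	return mapping ? LOCK_I_MMAP_OR_MMAP : LOCK_MMAP_ONLY;
}

/* The condition a NULL-safe assert would check for this vma. */
bool pfnmap_lock_held(const struct vm_area_struct *vma)
{
	if (pfnmap_lock_for(vma) == LOCK_I_MMAP_OR_MMAP &&
	    vma->vm_file->f_mapping->i_mmap_rwsem_held)
		return true;
	return vma->vm_mm->mmap_lock_held;
}

/* Model of the unmap walk over vmas overlapped by a new mapping [start, end):
 * counts the VM_PFNMAP vmas that reach the untrack path with vm_file == NULL. */
int count_pfnmap_without_file(const struct vm_area_struct *vmas, int n,
			      unsigned long start, unsigned long end)
{
	int hits = 0;
	for (int i = 0; i < n; i++) {
		const struct vm_area_struct *vma = &vmas[i];
		if (vma->vm_end <= start || vma->vm_start >= end)
			continue;	/* not overlapped, stays mapped */
		if ((vma->vm_flags & VM_PFNMAP) && !vma->vm_file)
			hits++;
	}
	return hits;
}
```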