Date: Thu, 22 May 2025 13:50:46 +0200
From: Oscar Salvador
To: yangge1116@126.com
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, 21cnbao@gmail.com, david@redhat.com, baolin.wang@linux.alibaba.com, muchun.song@linux.dev, liuzixing@hygon.cn
Subject: Re: [PATCH] mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
In-Reply-To: <1747884137-26685-1-git-send-email-yangge1116@126.com>
References: <1747884137-26685-1-git-send-email-yangge1116@126.com>

On Thu, May 22, 2025 at 11:22:17AM +0800, yangge1116@126.com wrote:
> From: Ge Yang
>
> A kernel crash was observed when replacing free hugetlb folios:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000028
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] SMP NOPTI
> CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)
> RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0
> RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000
> RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000
> RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000
> R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000
> R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004
> FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0
> Call Trace:
>
>  replace_free_hugepage_folios+0xb6/0x100
>  alloc_contig_range_noprof+0x18a/0x590
>  ? srso_return_thunk+0x5/0x5f
>  ? down_read+0x12/0xa0
>  ? srso_return_thunk+0x5/0x5f
>  cma_range_alloc.constprop.0+0x131/0x290
>  __cma_alloc+0xcf/0x2c0
>  cma_alloc_write+0x43/0xb0
>  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110
>  debugfs_attr_write+0x46/0x70
>  full_proxy_write+0x62/0xa0
>  vfs_write+0xf8/0x420
>  ? srso_return_thunk+0x5/0x5f
>  ? filp_flush+0x86/0xa0
>  ? srso_return_thunk+0x5/0x5f
>  ? filp_close+0x1f/0x30
>  ? srso_return_thunk+0x5/0x5f
>  ? do_dup2+0xaf/0x160
>  ? srso_return_thunk+0x5/0x5f
>  ksys_write+0x65/0xe0
>  do_syscall_64+0x64/0x170
>  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
>
> There is a potential race between __update_and_free_hugetlb_folio()
> and replace_free_hugepage_folios():
>
> CPU1                                 CPU2
> __update_and_free_hugetlb_folio      replace_free_hugepage_folios
>                                      folio_test_hugetlb(folio)
>                                      -- It's still hugetlb folio.
>
> __folio_clear_hugetlb(folio)
> hugetlb_free_folio(folio)
>                                      h = folio_hstate(folio)
>                                      -- Here, h is NULL pointer
>
> When the above race condition occurs, folio_hstate(folio) returns
> NULL, and subsequent access to this NULL pointer will cause the
> system to crash. To resolve this issue, execute folio_hstate(folio)
> under the protection of the hugetlb_lock lock, ensuring that
> folio_hstate(folio) does not return NULL.
>
> Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration")
> Signed-off-by: Ge Yang
> Cc:

Reviewed-by: Oscar Salvador

-- 
Oscar Salvador
SUSE Labs
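The race in the quoted commit message, reduced to a user-space model. This is an added example written for this page, not code from the patch or from the kernel: a folio-like struct, a pthread mutex standing in for hugetlb_lock (an irq-disabling spinlock in the kernel), and two threads driven by a rendezvous so that the CPU1/CPU2 interleaving from the diagram is forced rather than left to chance. run_race(false) does the hugetlb check outside the lock and then looks up the hstate, as the pre-fix replace_free_hugepage_folios() path did, and gets NULL, the pointer that alloc_and_dissolve_hugetlb_folio() went on to dereference in the oops; run_race(true) holds the lock across the check and the lookup, as the fix does, so the free path cannot clear the flag in between. The struct layouts, the gate helper, the hstate order and the function names without kernel counterparts are constructed for the demo; in the real kernel folio_hstate() resolves the hstate from the folio size and yields NULL once the folio has been freed, which is modelled here by nulling a pointer.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-ins for the kernel objects (constructed for this demo). */
struct hstate { unsigned int order; };
struct folio {
	bool hugetlb;          /* the flag tested by folio_test_hugetlb() */
	struct hstate *hstate; /* what folio_hstate() resolves to; NULL once freed */
};

/* Stands in for the kernel's hugetlb_lock (an irq-disabling spinlock there). */
static pthread_mutex_t hugetlb_lock = PTHREAD_MUTEX_INITIALIZER;
static bool folio_test_hugetlb(const struct folio *f) { return f->hugetlb; }
static struct hstate *folio_hstate(const struct folio *f) { return f->hstate; }

/* CPU1 path: __update_and_free_hugetlb_folio() clears the flag under hugetlb_lock,
 * then hugetlb_free_folio() releases the folio, after which no hstate matches it. */
static void update_and_free_hugetlb_folio(struct folio *f)
{
	pthread_mutex_lock(&hugetlb_lock);
	f->hugetlb = false;  /* __folio_clear_hugetlb(folio) */
	pthread_mutex_unlock(&hugetlb_lock);
	f->hstate = NULL;    /* hugetlb_free_folio(folio) */
}

/* One-shot rendezvous of two threads, used to force the interleaving (demo helper). */
struct gate { pthread_mutex_t mu; pthread_cond_t cv; int arrived; };
#define GATE_INIT { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0 }
static void gate_wait(struct gate *g)
{
	pthread_mutex_lock(&g->mu);
	g->arrived++;
	pthread_cond_broadcast(&g->cv);
	while (g->arrived < 2)
		pthread_cond_wait(&g->cv, &g->mu);
	pthread_mutex_unlock(&g->mu);
}

struct race_ctx {
	struct folio *folio;
	bool hold_lock;          /* true: check and lookup under hugetlb_lock (the fix) */
	struct gate checked;     /* CPU2 has passed folio_test_hugetlb() */
	struct gate done;        /* both sides have finished */
	struct hstate *observed; /* what CPU2's folio_hstate() returned */
};

/* CPU2 path: replace_free_hugepage_folios() -> alloc_and_dissolve_hugetlb_folio(). */
static void *cpu2_replace(void *arg)
{
	struct race_ctx *c = arg;
	bool is_hugetlb, racy_window;
	if (c->hold_lock)
		pthread_mutex_lock(&hugetlb_lock);
	is_hugetlb = folio_test_hugetlb(c->folio);
	gate_wait(&c->checked);  /* CPU1 is released from here on */
	racy_window = is_hugetlb && !c->hold_lock;
	if (racy_window)
		gate_wait(&c->done); /* unlocked: CPU1 frees the folio inside the window */
	if (is_hugetlb)
		c->observed = folio_hstate(c->folio); /* the kernel then dereferences this */
	if (c->hold_lock)
		pthread_mutex_unlock(&hugetlb_lock);
	if (!racy_window)
		gate_wait(&c->done);
	return NULL;
}

static void *cpu1_free(void *arg)
{
	struct race_ctx *c = arg;
	gate_wait(&c->checked);                  /* run only after CPU2's check */
	update_and_free_hugetlb_folio(c->folio); /* blocks on hugetlb_lock in the fixed variant */
	gate_wait(&c->done);
	return NULL;
}

/* Runs one forced interleaving; returns the hstate CPU2 obtained (NULL == the oops). */
static struct hstate *run_race(bool hold_lock)
{
	static struct hstate h_2m = { .order = 9 }; /* constructed 2 MiB hstate */
	struct folio f = { .hugetlb = true, .hstate = &h_2m };
	struct race_ctx c = { .folio = &f, .hold_lock = hold_lock,
			      .checked = GATE_INIT, .done = GATE_INIT };
	pthread_t t1, t2;
	pthread_create(&t2, NULL, cpu2_replace, &c);
	pthread_create(&t1, NULL, cpu1_free, &c);
	pthread_join(t1, NULL);
	pthread_join(t2, NULL);
	return c.observed;
}

int main(void)
{
	struct hstate *racy = run_race(false), *fixed = run_race(true);
	printf("check outside hugetlb_lock:      folio_hstate() -> %p (NULL means oops)\n", (void *)racy);
	printf("check+lookup under hugetlb_lock: folio_hstate() -> %p (order %u)\n",
	       (void *)fixed, fixed ? fixed->order : 0u);
	return (racy == NULL && fixed != NULL) ? 0 : 1;
}
```

The point the model makes is that folio_test_hugetlb() on its own is a stale answer the moment it returns: the flag is cleared under hugetlb_lock, so only a lookup that is itself done under that lock can rely on the check it follows. The same lock-first structure applies to any check-then-use of a flag that another path clears under a lock.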