From mboxrd@z Thu Jan  1 00:00:00 1970
Date: Fri, 14 Feb 2025 16:31:48 +0800
Subject: Re: [PATCH v2] arm: pgtable: fix NULL pointer dereference issue
From: Qi Zheng
To: David Hildenbrand
Cc: linux@armlinux.org.uk, ezra@easyb.ch, hughd@google.com,
 ryan.roberts@arm.com, akpm@linux-foundation.org, muchun.song@linux.dev,
 linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
 linux-kernel@vger.kernel.org, Ezra Buehler, stable@vger.kernel.org
References: <20250214030349.45524-1-zhengqi.arch@bytedance.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
On 2025/2/14 16:11, David Hildenbrand wrote:
> On 14.02.25 04:03, Qi Zheng wrote:
>> When update_mmu_cache_range() is called by update_mmu_cache(), the vmf
>> parameter is NULL, which will cause a NULL pointer dereference issue in
>> adjust_pte():
>>
>> Unable to handle kernel NULL pointer dereference at virtual address
>> 00000030 when read
>> Hardware name: Atmel AT91SAM9
>> PC is at update_mmu_cache_range+0x1e0/0x278
>> LR is at pte_offset_map_rw_nolock+0x18/0x2c
>> Call trace:
>>   update_mmu_cache_range from remove_migration_pte+0x29c/0x2ec
>>   remove_migration_pte from rmap_walk_file+0xcc/0x130
>>   rmap_walk_file from remove_migration_ptes+0x90/0xa4
>>   remove_migration_ptes from migrate_pages_batch+0x6d4/0x858
>>   migrate_pages_batch from migrate_pages+0x188/0x488
>>   migrate_pages from compact_zone+0x56c/0x954
>>   compact_zone from compact_node+0x90/0xf0
>>   compact_node from kcompactd+0x1d4/0x204
>>   kcompactd from kthread+0x120/0x12c
>>   kthread from ret_from_fork+0x14/0x38
>> Exception stack(0xc0d8bfb0 to 0xc0d8bff8)
>>
>> To fix it, do not rely on whether 'ptl' is equal to vmf->ptl to decide
>> whether to hold the pte lock, but decide it by whether
>> CONFIG_SPLIT_PTE_PTLOCKS is enabled. In addition, if two vmas map to
>> the same PTE page, there is no need to hold the pte lock again,
>> otherwise a deadlock will occur. Just add the need_lock parameter to
>> let adjust_pte() know this information.
>>
>> Reported-by: Ezra Buehler
>> Closes: https://lore.kernel.org/lkml/CAM1KZSmZ2T_riHvay+7cKEFxoPgeVpHkVFTzVVEQ1BO0cLkHEQ@mail.gmail.com/
>> Fixes: fc9c45b71f43 ("arm: adjust_pte() use pte_offset_map_rw_nolock()")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Qi Zheng
>> ---
>> Changes in v2:
>>   - change Ezra's email address (Ezra Buehler)
>>   - some cleanups (David Hildenbrand)
>>
>>   arch/arm/mm/fault-armv.c | 38 ++++++++++++++++++++++++++------------
>>   1 file changed, 26 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/arm/mm/fault-armv.c b/arch/arm/mm/fault-armv.c
>> index 2bec87c3327d2..ea4c4e15f0d31 100644
>> --- a/arch/arm/mm/fault-armv.c
>> +++ b/arch/arm/mm/fault-armv.c
>> @@ -62,7 +62,7 @@ static int do_adjust_pte(struct vm_area_struct *vma, unsigned long address,
>>   }
>>
>>   static int adjust_pte(struct vm_area_struct *vma, unsigned long address,
>> -              unsigned long pfn, struct vm_fault *vmf)
>> +              unsigned long pfn, bool need_lock)
>>   {
>>       spinlock_t *ptl;
>>       pgd_t *pgd;
>> @@ -99,12 +99,11 @@ static int adjust_pte(struct vm_area_struct *vma, unsigned long address,
>>       if (!pte)
>>           return 0;
>>
>> -    /*
>> -     * If we are using split PTE locks, then we need to take the page
>> -     * lock here.  Otherwise we are using shared mm->page_table_lock
>> -     * which is already locked, thus cannot take it.
>> -     */
>> -    if (ptl != vmf->ptl) {
>> +    if (need_lock) {
>> +        /*
>> +         * Use nested version here to indicate that we are already
>> +         * holding one similar spinlock.
>> +         */
>>           spin_lock_nested(ptl, SINGLE_DEPTH_NESTING);
>>           if (unlikely(!pmd_same(pmdval, pmdp_get_lockless(pmd)))) {
>>               pte_unmap_unlock(pte, ptl);
>> @@ -114,7 +113,7 @@ static int adjust_pte(struct vm_area_struct *vma, unsigned long address,
>>       ret = do_adjust_pte(vma, address, pfn, pte);
>>
>> -    if (ptl != vmf->ptl)
>> +    if (need_lock)
>>           spin_unlock(ptl);
>>       pte_unmap(pte);
>>
>> @@ -123,16 +122,18 @@ static int adjust_pte(struct vm_area_struct *vma, unsigned long address,
>>
>>   static void
>>   make_coherent(struct address_space *mapping, struct vm_area_struct *vma,
>> -          unsigned long addr, pte_t *ptep, unsigned long pfn,
>> -          struct vm_fault *vmf)
>> +          unsigned long addr, pte_t *ptep, unsigned long pfn)
>>   {
>>       struct mm_struct *mm = vma->vm_mm;
>>       struct vm_area_struct *mpnt;
>>       unsigned long offset;
>> +    unsigned long pmd_start_addr, pmd_end_addr;
>
> Nit: reverse christmas tree would make us put this line at the very top.
>
> Maybe do the initialization directly:
>
> const unsigned long pmd_start_addr = ALIGN_DOWN(addr, PMD_SIZE);
> const unsigned long pmd_end_addr = pmd_start_addr + PMD_SIZE;

Agree, will do.

>
>>       pgoff_t pgoff;
>>       int aliases = 0;
>>
>>       pgoff = vma->vm_pgoff + ((addr - vma->vm_start) >> PAGE_SHIFT);
>> +    pmd_start_addr = ALIGN_DOWN(addr, PMD_SIZE);
>> +    pmd_end_addr = pmd_start_addr + PMD_SIZE;
>>
>>       /*
>>        * If we have any shared mappings that are in the same mm
>> @@ -141,6 +142,14 @@ make_coherent(struct address_space *mapping, struct vm_area_struct *vma,
>>        */
>>       flush_dcache_mmap_lock(mapping);
>>       vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) {
>> +        /*
>> +         * If we are using split PTE locks, then we need to take the pte
Otherwise we are using shared mm->page_table_lock which >> +         * is already locked, thus cannot take it. >> +         */ >> +        bool need_lock = IS_ENABLED(CONFIG_SPLIT_PTE_PTLOCKS); >> +        unsigned long mpnt_addr; >> + >>           /* >>            * If this VMA is not in our MM, we can ignore it. >>            * Note that we intentionally mask out the VMA >> @@ -151,7 +160,12 @@ make_coherent(struct address_space *mapping, >> struct vm_area_struct *vma, >>           if (!(mpnt->vm_flags & VM_MAYSHARE)) >>               continue; >>           offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT; >> -        aliases += adjust_pte(mpnt, mpnt->vm_start + offset, pfn, vmf); >> +        mpnt_addr = mpnt->vm_start + offset; >> + >> +        /* Avoid deadlocks by not grabbing the same PTE lock again. */ >> +        if (mpnt_addr >= pmd_start_addr && mpnt_addr < pmd_end_addr) >> +            need_lock = false; >> +        aliases += adjust_pte(mpnt, mpnt_addr, pfn, need_lock); >>       } >>       flush_dcache_mmap_unlock(mapping); >>       if (aliases) >> @@ -194,7 +208,7 @@ void update_mmu_cache_range(struct vm_fault *vmf, >> struct vm_area_struct *vma, >>           __flush_dcache_folio(mapping, folio); >>       if (mapping) { >>           if (cache_is_vivt()) >> -            make_coherent(mapping, vma, addr, ptep, pfn, vmf); >> +            make_coherent(mapping, vma, addr, ptep, pfn); >>           else if (vma->vm_flags & VM_EXEC) >>               __flush_icache_all(); >>       } > > > Apart from that LGTM. Hoping it will work :) +1 > > Acked-by: David Hildenbrand Thanks! >