Subject: Re: [PATCH v1] mm/hugetlb: fix refs calculation from unaligned @vaddr
To: Mike Kravetz
Cc: Andrew Morton, linux-mm@kvack.org
References: <20210713152440.28650-1-joao.m.martins@oracle.com> <1d7eac17-8758-63bb-a0ac-968723af6e2d@oracle.com>
From: Joao Martins
Date: Wed, 14 Jul 2021 10:54:51 +0100
In-Reply-To: <1d7eac17-8758-63bb-a0ac-968723af6e2d@oracle.com>
On 7/13/21 9:29 PM, Mike Kravetz wrote:
> On 7/13/21 8:24 AM, Joao Martins wrote:
>> commit 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
>> refactored the count of subpages but missed an edge case when @vaddr is
>> not aligned to PAGE_SIZE e.g. when close to vma->vm_end. It would then
>> erroneously set @refs to 0 and record_subpages_vmas() wouldn't set the
>> @pages array element to its value, consequently causing the reported
>> null-deref by syzbot.
>>
>> Fix it by aligning down @vaddr by PAGE_SIZE in @refs calculation.
>
> Thanks for finding and fixing!
>
>>
>> Reported-by: syzbot+a3fcd59df1b372066f5a@syzkaller.appspotmail.com
>> Fixes: 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
>> Signed-off-by: Joao Martins
>> ---
>> An alternate approach is to have record_subpages_vmas() iterate while
>> addr < vm_end and renaming @refs to nr_pages (which would limit how many
>> pages we should store). But I felt that this approach would be slightly
>> more convoluted?
>
> I prefer the approach you have taken in this patch.
>

OK.

>>
>> Side-Note: I could add a WARN_ON_ONCE(!refs) and/or create a
>> helper like vma_pages() but with a ulong addr argument e.g.
>> vma_pages_from(vma, vaddr).
>
> IIUC, the only way refs could be zero is if there was error in
> calculations within this routine. Correct?

Right. Albeit vaddr initialization is originally set with gup() starting address.

> IMO, the only reason to add a warning would be if there are any assumptions
> based on things outside this routine which could cause refs to be zero.
>

/me nods

>> The syzbot repro no longer reproduces after this patch. Additionally, ran
>> the libhugetlbfs tests (which were passing without this), gup_test and an
>> extra gup_test extension that takes an offset to exercise gup() starting
>> address not being page aligned.
>> ---
>> mm/hugetlb.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
>> index 924553aa8f78..dfc940d5221d 100644
>> --- a/mm/hugetlb.c
>> +++ b/mm/hugetlb.c
>> @@ -5440,8 +5440,9 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma, >> continue; >> } >> >> - refs = min3(pages_per_huge_page(h) - pfn_offset, >> - (vma->vm_end - vaddr) >> PAGE_SHIFT, remainder); >> + /* vaddr may not be aligned to PAGE_SIZE */ >> + refs = min3(pages_per_huge_page(h) - pfn_offset, remainder, >> + (vma->vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT); >> >> if (pages || vmas) >> record_subpages_vmas(mem_map_offset(page, pfn_offset), >> > > Reviewed-by: Mike Kravetz > Thanks!
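Review bot: the new comment `/* vaddr may not be aligned to PAGE_SIZE */` names the condition but not why it matters; since the whole point of the hunk is that `(vma->vm_end - vaddr) >> PAGE_SHIFT` truncates to 0 once vaddr lies inside the vma's last base page (leaving @refs at 0 and the @pages slot unset, as the commit message describes), consider saying so in the comment, e.g. `/* vaddr may not be page aligned: align it down so the final partial page is still counted */`. The hunk also swaps the `remainder` and `vm_end` arguments of min3() while fixing the bug; that is harmless, but either keep the original order to minimise the diff or mention the reorder in the commit message. Given the thread's agreement that refs can only reach zero through a miscalculation inside this routine, leaving out the WARN_ON_ONCE(!refs) discussed above seems right.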
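To make the edge case in the commit message concrete, here is an added example (not the kernel's code) that models the @refs computation of follow_hugetlb_page() before and after the patch, with a stand-in for record_subpages_vmas() showing the unwritten @pages slot. It assumes a 2 MiB huge page built from 4 KiB base pages and constructed addresses; it also shows the general case, that the old formula undercounts by exactly one page for any unaligned vaddr, reaching 0 only in the vma's last page.

```c
/* Added example, not the kernel's code: models the @refs computation in
 * follow_hugetlb_page() before and after the patch. Constants are
 * constructed for a 2 MiB huge page built from 4 KiB base pages. */
#include <stddef.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1))
#define PAGES_PER_HUGE_PAGE 512UL

static unsigned long min3(unsigned long a, unsigned long b, unsigned long c)
{
    unsigned long m = a < b ? a : b;
    return m < c ? m : c;
}

/* Before the fix: (vm_end - vaddr) >> PAGE_SHIFT truncates, so an unaligned
 * @vaddr loses one page and yields 0 inside the vma's last base page. */
unsigned long refs_before(unsigned long vm_end, unsigned long vaddr,
                          unsigned long pfn_offset, unsigned long remainder)
{
    return min3(PAGES_PER_HUGE_PAGE - pfn_offset,
                (vm_end - vaddr) >> PAGE_SHIFT, remainder);
}

/* After the fix: align @vaddr down first, so the partial page is counted. */
unsigned long refs_after(unsigned long vm_end, unsigned long vaddr,
                         unsigned long pfn_offset, unsigned long remainder)
{
    return min3(PAGES_PER_HUGE_PAGE - pfn_offset, remainder,
                (vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT);
}

/* Stand-in for record_subpages_vmas(): stores @refs subpage indices into
 * @pages and returns the count. With refs == 0 nothing is written, so the
 * caller's slot keeps its sentinel, the NULL entry behind the null-deref. */
size_t record_subpages(long *pages, size_t refs, unsigned long pfn_offset)
{
    for (size_t i = 0; i < refs; i++)
        pages[i] = (long)(pfn_offset + i);
    return refs;
}
```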