Date: Sat, 19 Apr 2025 09:53:32 +1000
Subject: Re: [PATCH v2] mm/huge_memory: fix dereferencing invalid pmd migration entry
To: David Hildenbrand, Gavin Guo, linux-mm@kvack.org, akpm@linux-foundation.org
Cc: willy@infradead.org, ziy@nvidia.com, linmiaohe@huawei.com, hughd@google.com, revest@google.com, kernel-dev@igalia.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20250418085802.2973519-1-gavinguo@igalia.com>
From: Gavin Shan

Hi Gavin,

On 4/18/25 8:42 PM, David Hildenbrand wrote:
> On 18.04.25 10:58, Gavin Guo wrote:
>> When migrating a THP, concurrent access to the PMD migration entry
>> during a deferred split scan can lead to an invalid address access, as
>> illustrated below. To prevent this page fault, it is necessary to check
>> the PMD migration entry and return early. In this context, there is no
>> need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the
>> equality of the target folio. Since the PMD migration entry is locked,
>> it cannot serve as the target.
>>
>> Mailing list discussion and explanation from Hugh Dickins:
>> "An anon_vma lookup points to a location which may contain the folio of
>> interest, but might instead contain another folio: and weeding out those
>> other folios is precisely what the "folio != pmd_folio((*pmd)" check
>> (and the "risk of replacing the wrong folio" comment a few lines above
>> it) is for."
>>
>> BUG: unable to handle page fault for address: ffffea60001db008
>> CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
>> Call Trace:
>>
>> try_to_migrate_one+0x28c/0x3730
>> rmap_walk_anon+0x4f6/0x770
>> unmap_folio+0x196/0x1f0
>> split_huge_page_to_list_to_order+0x9f6/0x1560
>> deferred_split_scan+0xac5/0x12a0
>> shrinker_debugfs_scan_write+0x376/0x470
>> full_proxy_write+0x15c/0x220
>> vfs_write+0x2fc/0xcb0
>> ksys_write+0x146/0x250
>> do_syscall_64+0x6a/0x120
>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>
>> The bug is found by syzkaller on an internal kernel, then confirmed on
>> upstream.
>>
>> Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Gavin Guo
>> Acked-by: David Hildenbrand
>> Acked-by: Hugh Dickins
>> Acked-by: Zi Yan
>> Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/
>> ---
>> V1 -> V2: Add explanation from Hugh and correct the wording from page
>> fault to invalid address access.
>>
>>   mm/huge_memory.c | 18 ++++++++++++++----
>>   1 file changed, 14 insertions(+), 4 deletions(-)
>>

Reviewed-by: Gavin Shan

>> diff --git a/mm/huge_memory.c b/mm/huge_memory.c >> index 2a47682d1ab7..0cb9547dcff2 100644 >> --- a/mm/huge_memory.c >> +++ b/mm/huge_memory.c >> @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, >>   void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, >>                  pmd_t *pmd, bool freeze, struct folio *folio) >>   { >> +    bool pmd_migration = is_pmd_migration_entry(*pmd); >> + >>       VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); >>       VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); >>       VM_WARN_ON_ONCE(folio && !folio_test_locked(folio));
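Review bot: the new `pmd_migration` flag in the first hunk snapshots `*pmd` at function entry, before the VM_WARN_ON_ONCE checks, and is only consumed further down, so its correctness rests on the caller already holding the PMD lock (as the `_locked` suffix implies); a one-line comment at the declaration saying the value is cached under the pmd lock because pmd_folio() must never be applied to a migration entry would make that assumption explicit for the next reader. The commit message could also state that the flag changes nothing for callers that pass folio == NULL.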
>> @@ -3085,10 +3087,18 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, >>        * require a folio to check the PMD against. Otherwise, there >>        * is a risk of replacing the wrong folio. >>        */ >> -    if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || >> -        is_pmd_migration_entry(*pmd)) { >> -        if (folio && folio != pmd_folio(*pmd)) >> -            return; >> +    if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { >> +        if (folio) { >> +            /* >> +             * Do not apply pmd_folio() to a migration entry; and >> +             * folio lock guarantees that it must be of the wrong >> +             * folio anyway. >> +             */ >> +            if (pmd_migration) >> +                return; >> +            if (folio != pmd_folio(*pmd)) >> +                return;
>
> Nit: just re-reading, I would have simply done
>
> if (pmd_migration || folio != pmd_folio(*pmd))
>     return;
>
> Anyway, this will hopefully get cleaned up soon either way, so I don't particularly mind. :)
>

If v3 is needed to fix Zi's comments (commit log improvement), it can be
improved slightly based on David's suggestion, to avoid another nested if
statement. Otherwise, it's fine since it needs to be cleaned up soon.

	/*
	 * Do not apply pmd_folio() to a migration entry, and folio lock
	 * guarantees that it must be of the wrong folio anyway.
	 */
	if (folio && (pmd_migration || folio != pmd_folio(*pmd)))
		return;

Thanks,
Gavin
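Review bot: the nested `if (folio) { if (pmd_migration) return; if (folio != pmd_folio(*pmd)) return; }` in the second hunk can be collapsed into one condition, `if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return;`, which keeps the new comment next to a single early return and avoids the extra nesting level; the order of the disjuncts matters, since `pmd_migration` must be tested first so that pmd_folio() is never evaluated on a migration entry. It would also help to say in the comment or the commit message that the folio == NULL path is unchanged by the patch: with no folio the migration-entry case falls through exactly as the removed `if (folio && folio != pmd_folio(*pmd))` did.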