Date: Mon, 7 Jul 2025 14:27:01 +0200
From: David Hildenbrand
Organization: Red Hat
Subject: Re: [PATCH -next] mm/memory: fix null pointer dereference in fault_dirty_shared_page
To: Lorenzo Stoakes, Yuntao Liu
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, mhocko@suse.com, surenb@google.com, rppt@kernel.org, vbabka@suse.cz, Liam.Howlett@oracle.com, akpm@linux-foundation.org
References: <20250707105118.413056-1-liuyuntao12@huawei.com> <2b716e2f-0642-49df-a955-abfe0525cefd@lucifer.local>
In-Reply-To: <2b716e2f-0642-49df-a955-abfe0525cefd@lucifer.local>
On 07.07.25 13:14, Lorenzo Stoakes wrote:
> On Mon, Jul 07, 2025 at 10:51:18AM +0000, Yuntao Liu wrote:
>> For a page mapping with "VM_READ|VM_WRITE|VM_MAYREAD|VM_MAYWRITE|VM_SHARED",
>> the first write access to this address will trigger a do_shared_fault;
>> if the mapping is anonymous, this can lead to a null pointer dereference.
>
> How can it be anonymous with VM_SHARED set? This would be a far, far bigger
> bug.
>
>>
>> [ 23.232336][ T195] Call trace:
>> [ 23.232542][ T195]  file_update_time+0x2c/0xd8
>> [ 23.232801][ T195]  fault_dirty_shared_page+0x1a0/0x220
>> [ 23.233099][ T195]  do_shared_fault+0xe8/0x240
>> [ 23.233374][ T195]  do_fault+0x78/0x240
>> [ 23.233629][ T195]  handle_pte_fault+0x1f0/0x3f0
>> [ 23.233905][ T195]  __handle_mm_fault+0x2b0/0x548
>> [ 23.234186][ T195]  handle_mm_fault+0xd4/0x2f8
>> [ 23.234462][ T195]  do_page_fault+0x2f0/0x5f8
>> [ 23.234727][ T195]  do_translation_fault+0x8c/0xc8
>> [ 23.235021][ T195]  do_mem_abort+0x68/0x100
>> [ 23.235283][ T195]  el0_da+0x4c/0x1a8
>> [ 23.235551][ T195]  el0t_64_sync_handler+0xe4/0x158
>> [ 23.235861][ T195]  el0t_64_sync+0x37c/0x380
>
> How have you obtained this? Are you somehow injecting invalid state here?
>
>>
>> Signed-off-by: Yuntao Liu
>> ---
>>  mm/memory.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index eaf98d518289..8106ef8a5036 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -3412,7 +3412,7 @@ static vm_fault_t fault_dirty_shared_page(struct vm_fault *vmf)
>>  	mapping = folio_raw_mapping(folio);
>>  	folio_unlock(folio);
>>
>> -	if (!page_mkwrite)
>> +	if (!page_mkwrite && vma->vm_file)
>
> The function is literally fault_dirty_shared_page(), how are we arriving
> here with !vma->vm_file?

IIRC, MAP_ANON | MAP_SHARED would have done a shmem_zero_setup().

mm/mmap.c still has the comment "mmap_region() will call shmem_zero_setup()
to create a file". I think this was moved to __mmap_new_vma().

Is there any (error) path where we could not call that by accident?

-- 
Cheers,

David / dhildenb
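Review bot: the `&& vma->vm_file` added to `if (!page_mkwrite)` silences the dereference without explaining it. fault_dirty_shared_page() is only reached for VM_SHARED mappings, which are expected to carry a file (the commit message itself needs an "anonymous" VM_SHARED mapping for the crash), so the commit message should show how such a VMA got there; if that state is genuinely reachable, a `VM_WARN_ON_ONCE(!vma->vm_file)` ahead of the check would surface the broken invariant instead of silently skipping the file_update_time() call seen in the trace.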
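A userspace check of the point raised above, that an anonymous MAP_SHARED mapping gets a shmem file attached and so does not arrive at the fault path with a NULL vma->vm_file; this is an added example, not code from the patch or from anyone in the thread, the helper name is hypothetical, and it assumes a Linux host with /proc mounted:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical helper for this example: map one MAP_SHARED|MAP_ANONYMOUS page,
 * write to it (the first-write VM_SHARED fault from the commit message), then
 * look the VMA up in /proc/self/maps. Returns 1 if a shmem file is attached
 * (the line ends in "/dev/zero (deleted)"), 0 if not, -1 on failure. Linux only. */
int shared_anon_mapping_is_file_backed(void)
{
	const size_t len = 4096;
	char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
		       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED)
		return -1;

	p[0] = 'x';	/* first write: shared fault with no user-supplied fd */
	FILE *f = fopen("/proc/self/maps", "r");
	if (!f) {
		munmap(p, len);
		return -1;
	}

	int result = -1;
	char line[512];
	while (fgets(line, sizeof line, f)) {
		unsigned long start, end;
		if (sscanf(line, "%lx-%lx", &start, &end) != 2)
			continue;
		if ((uintptr_t)p < start || (uintptr_t)p >= end)
			continue;
		/* Our VMA: a backing path here means vma->vm_file is non-NULL. */
		result = strstr(line, "/dev/zero") ? 1 : 0;
		break;
	}
	fclose(f);
	munmap(p, len);
	return result;
}

int main(void)
{
	int r = shared_anon_mapping_is_file_backed();
	printf("shmem file attached to MAP_SHARED|MAP_ANONYMOUS mapping: %s\n",
	       r == 1 ? "yes" : r == 0 ? "no" : "undetermined");
	return r == 1 ? 0 : 1;
}
```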