From: Zack Rusin <zack@kde.org>
To: dri-devel@lists.freedesktop.org
Cc: Miaohe Lin <linmiaohe@huawei.com>, Jan Kara <jack@suse.cz>,
	David Hildenbrand <david@redhat.com>, NeilBrown <neilb@suse.de>,
	Yang Shi <shy828301@gmail.com>,
	banackm@vmware.com, Michal Hocko <mhocko@kernel.org>,
	David Howells <dhowells@redhat.com>,
	linux-mm@kvack.org, Khalid Aziz <khalid.aziz@oracle.com>,
	Don Dutile <ddutile@redhat.com>,
	Liang Zhang <zhangliang5@huawei.com>,
	Christoph Hellwig <hch@lst.de>,
	mombasawalam@vmware.com, Andrea Arcangeli <aarcange@redhat.com>,
	Minchan Kim <minchan@kernel.org>, Rik van Riel <riel@surriel.com>,
	Hugh Dickins <hughd@google.com>,
	"Matthew Wilcox \(Oracle\)" <willy@infradead.org>,
	Mike Rapoport <rppt@linux.ibm.com>,
	Jason Gunthorpe <jgg@nvidia.com>,
	David Rientjes <rientjes@google.com>,
	Pedro Demarchi Gomes <pedrodemargomes@gmail.com>,
	Jann Horn <jannh@google.com>, John Hubbard <jhubbard@nvidia.com>,
	Shakeel Butt <shakeelb@google.com>, Peter Xu <peterx@redhat.com>,
	Muchun Song <songmuchun@bytedance.com>,
	Suren Baghdasaryan <surenb@google.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Hongchen Zhang <zhanghongchen@loongson.cn>,
	Oleg Nesterov <oleg@redhat.com>,
	krastevm@vmware.com, Nadav Amit <namit@vmware.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Roman Gushchin <guro@fb.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Mike Kravetz <mike.kravetz@oracle.com>
Subject: [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse
Date: Wed, 27 Jul 2022 15:14:07 -0400
Message-ID: <20220727191407.1768600-1-zack@kde.org>

From: Zack Rusin <zackr@vmware.com>

Write page faults on last references might not have a valid page anymore.
wp_page_reuse has always dealt with that scenario by making
sure the page isn't null (or the reference was shared) before doing
anything with it. Recently added checks in VM_BUG_ON (enabled by the
CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
page is never null, before making sure there is a valid page to work
with.

Move the VM_BUG_ON, which unconditionally uses the page, after the
code that checks that we have a valid one.

Fixes a kernel oops, which is easy to reproduce with 3D apps on arm64 and
x86 on kernels with CONFIG_DEBUG_VM set:

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] SMP
CPU: 0 PID: 2396 Comm: Xwayland Tainted: G     U            5.19.0-rc2-vmwgfx #28
Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.20138482.BA64.2207201941 07/20/2022
pstate: 10400005 (nzcV daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head+0x24/0xd0
lr : wp_page_reuse+0x8c/0x544
sp : ffff800013637aa0
x29: ffff800013637aa0 x28: ffff00002a28b730 x27: ffff800013637cc8
x26: 0000000000000000 x25: ffff800013637d00 x24: ffff00000c742168
x23: 1ffff000026c6fa0 x22: ffff000013ce59a0 x21: ffff00002a28b730
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 1ffff000026c6f22 x13: 65676170206c6c75 x12: ffff600019dc772f
x11: 1fffe00019dc772e x10: ffff600019dc772e x9 : ffff8000085b1a78
x8 : ffff0000cee3b977 x7 : 0000000000000001 x6 : ffff600019dc772e
x5 : ffff0000cee3b970 x4 : ffff600019dc772f x3 : 1ffff000026c6f99
x2 : 0000000000000001 x1 : dfff800000000000 x0 : 0000000000000008
Call trace:
 _compound_head+0x24/0xd0
 wp_page_reuse+0x8c/0x544
 finish_mkwrite_fault+0x1a0/0x274
 do_wp_page+0x6cc/0x1000
 __handle_mm_fault+0xdc8/0x2620
 handle_mm_fault+0x21c/0x530
 do_page_fault+0x250/0xa40
 do_mem_abort+0x78/0x1b4
 el0_da+0x80/0x1c0
 el0t_64_sync_handler+0xf8/0x140
 el0t_64_sync+0x1a0/0x1a4
Code: aa0003f3 91002000 f2fbffe1 d343fc02 (38e16841)
---[ end trace 0000000000000000 ]---

Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
Signed-off-by: Zack Rusin <zackr@vmware.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: NeilBrown <neilb@suse.de>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Hongchen Zhang <zhanghongchen@loongson.cn>
Cc: linux-mm@kvack.org
---
 mm/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index 7a089145cad4..3e28c652cf60 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3043,15 +3043,16 @@ static inline void wp_page_reuse(struct vm_fault *vmf)
 	pte_t entry;
 
 	VM_BUG_ON(!(vmf->flags & FAULT_FLAG_WRITE));
-	VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 
 	/*
 	 * Clear the pages cpupid information as the existing
 	 * information potentially belongs to a now completely
 	 * unrelated process.
 	 */
-	if (page)
+	if (page) {
+		VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 		page_cpupid_xchg_last(page, (1 << LAST_CPUPID_SHIFT) - 1);
+	}
 
 	flush_cache_page(vma, vmf->address, pte_pfn(vmf->orig_pte));
 	entry = pte_mkyoung(vmf->orig_pte);
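Review bot: the relocated `VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));` is now only evaluated when `page` is non-NULL, which is the right fix given that a NULL page is legitimate here, but the comment block directly above `if (page) {` still describes only the cpupid reset and says nothing about why the page may be NULL; a one-line note there (that write faults on the last reference can arrive without a page, so the debug check has to stay inside the guard) would keep a future cleanup from hoisting the assertion back out. The unconditional `VM_BUG_ON(!(vmf->flags & FAULT_FLAG_WRITE));` touches only `vmf` and correctly stays where it is.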
-- 
2.34.1
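The oops quoted in the patch faults on a KASAN shadow address, not on the NULL page pointer itself. This added example (not code from the patch or the kernel tree) reimplements in user space the decoding the kernel's kasan_non_canonical_hook performs, using the register values from the trace: x1 is the shadow offset and x0 the address being loaded (page->compound_head at NULL + 8); TASK_SIZE = 1 << 48 is an assumption for a 48-bit arm64 VA.

```c
/* Added example, not code from the patch or the kernel tree: decode the
 * KASAN fault in the oops the way the kernel's kasan_non_canonical_hook
 * does. Generic KASAN keeps one shadow byte per 8-byte granule at
 * (addr >> 3) + KASAN_SHADOW_OFFSET (x1 in the trace); the instrumented load
 * of page->compound_head at NULL + 8 (x0) faults on that shadow byte, so the
 * reported address dfff800000000001 is the shadow address, not the pointer.
 * TASK_SIZE = 1 << 48 is an assumption (48-bit arm64 VA). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET 0xdfff800000000000ULL /* x1 in the oops */
#define PAGE_SIZE 4096ULL
#define TASK_SIZE (1ULL << 48) /* assumption: 48-bit VA */

struct granule { uint64_t start, end; };

/* Shadow byte that the instrumented load at addr checks first. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: recover the 8-byte access granule behind a fault on a shadow
 * address; returns 0 when the fault address is not a shadow address. */
int kasan_shadow_to_granule(uint64_t fault, struct granule *g)
{
	if (fault < KASAN_SHADOW_OFFSET)
		return 0;
	g->start = (fault - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	g->end = g->start + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
	return 1;
}

/* Classification strings KASAN prints for such faults. */
const char *kasan_bug_type(uint64_t orig_addr)
{
	if (orig_addr < PAGE_SIZE)
		return "null-ptr-deref";
	if (orig_addr < TASK_SIZE)
		return "probably user-memory-access";
	return "maybe wild-memory-access";
}

int main(void)
{
	struct granule g;
	if (kasan_shadow_to_granule(0xdfff800000000001ULL, &g)) /* from oops */
		printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
		       kasan_bug_type(g.start), (unsigned long long)g.start,
		       (unsigned long long)g.end);
	return 0;
}
```

Run against the fault address from the trace it reproduces the "null-ptr-deref in range [0x0000000000000008-0x000000000000000f]" line, confirming the crash is an 8-byte load through a NULL struct page pointer.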


Thread overview: 3+ messages
2022-07-27 19:14 Zack Rusin [this message]
2022-07-27 19:24 ` [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse Matthew Wilcox
2022-07-27 19:31   ` Zack Rusin