dri-devel.lists.freedesktop.org archive mirror
* [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse
@ 2022-07-27 19:14 Zack Rusin
  2022-07-27 19:24 ` Matthew Wilcox
From: Zack Rusin @ 2022-07-27 19:14 UTC (permalink / raw)
  To: dri-devel
  Cc: Miaohe Lin, Jan Kara, David Hildenbrand, NeilBrown, Yang Shi,
	banackm, Michal Hocko, David Howells, linux-mm, Khalid Aziz,
	Don Dutile, Liang Zhang, Christoph Hellwig, mombasawalam,
	Andrea Arcangeli, Minchan Kim, Rik van Riel, Hugh Dickins,
	Matthew Wilcox (Oracle),
	Mike Rapoport, Jason Gunthorpe, David Rientjes,
	Pedro Demarchi Gomes, Jann Horn, John Hubbard, Shakeel Butt,
	Peter Xu, Muchun Song, Suren Baghdasaryan, Vlastimil Babka,
	Hongchen Zhang, Oleg Nesterov, krastevm, Nadav Amit,
	Andrew Morton, Roman Gushchin, Kirill A. Shutemov, Mike Kravetz

From: Zack Rusin <zackr@vmware.com>

Write page faults on last references might not have a valid page anymore.
wp_page_reuse has always dealt with that scenario by making
sure the page isn't null (or the reference was shared) before doing
anything with it. Recently added checks in VM_BUG_ON (enabled by the
CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
page is never null, before making sure there is a valid page to work
with.

Move the VM_BUG_ON, which unconditionally uses the page, after the
code that checks that we have a valid one.

Fixes a kernel oops, which is easy to reproduce with 3D apps on arm64 and
x86 on kernels with CONFIG_DEBUG_VM set:

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] SMP
CPU: 0 PID: 2396 Comm: Xwayland Tainted: G     U            5.19.0-rc2-vmwgfx #28
Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.20138482.BA64.2207201941 07/20/2022
pstate: 10400005 (nzcV daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head+0x24/0xd0
lr : wp_page_reuse+0x8c/0x544
sp : ffff800013637aa0
x29: ffff800013637aa0 x28: ffff00002a28b730 x27: ffff800013637cc8
x26: 0000000000000000 x25: ffff800013637d00 x24: ffff00000c742168
x23: 1ffff000026c6fa0 x22: ffff000013ce59a0 x21: ffff00002a28b730
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 1ffff000026c6f22 x13: 65676170206c6c75 x12: ffff600019dc772f
x11: 1fffe00019dc772e x10: ffff600019dc772e x9 : ffff8000085b1a78
x8 : ffff0000cee3b977 x7 : 0000000000000001 x6 : ffff600019dc772e
x5 : ffff0000cee3b970 x4 : ffff600019dc772f x3 : 1ffff000026c6f99
x2 : 0000000000000001 x1 : dfff800000000000 x0 : 0000000000000008
Call trace:
 _compound_head+0x24/0xd0
 wp_page_reuse+0x8c/0x544
 finish_mkwrite_fault+0x1a0/0x274
 do_wp_page+0x6cc/0x1000
 __handle_mm_fault+0xdc8/0x2620
 handle_mm_fault+0x21c/0x530
 do_page_fault+0x250/0xa40
 do_mem_abort+0x78/0x1b4
 el0_da+0x80/0x1c0
 el0t_64_sync_handler+0xf8/0x140
 el0t_64_sync+0x1a0/0x1a4
Code: aa0003f3 91002000 f2fbffe1 d343fc02 (38e16841)
---[ end trace 0000000000000000 ]---

Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
Signed-off-by: Zack Rusin <zackr@vmware.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: NeilBrown <neilb@suse.de>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Hongchen Zhang <zhanghongchen@loongson.cn>
Cc: linux-mm@kvack.org
---
 mm/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index 7a089145cad4..3e28c652cf60 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3043,15 +3043,16 @@ static inline void wp_page_reuse(struct vm_fault *vmf)
 	pte_t entry;
 
 	VM_BUG_ON(!(vmf->flags & FAULT_FLAG_WRITE));
-	VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 
 	/*
 	 * Clear the pages cpupid information as the existing
 	 * information potentially belongs to a now completely
 	 * unrelated process.
 	 */
-	if (page)
+	if (page) {
+		VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 		page_cpupid_xchg_last(page, (1 << LAST_CPUPID_SHIFT) - 1);
+	}
 
 	flush_cache_page(vma, vmf->address, pte_pfn(vmf->orig_pte));
 	entry = pte_mkyoung(vmf->orig_pte);
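Review bot: the comment above the `if (page)` block ("Clear the pages cpupid information as the existing information potentially belongs to a now completely unrelated process.") now describes only the second statement in that block, because the moved `VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));` sits directly under it; either move the comment down so it sits immediately above `page_cpupid_xchg_last(page, (1 << LAST_CPUPID_SHIFT) - 1);`, or extend it to note that the anon-exclusive assertion, like the cpupid clear, is only valid when a page is present. The reordering itself is correct: `PageAnon()` dereferences `page`, so the assertion must not be evaluated on the NULL page that the existing `if (page)` check already tolerates, which is exactly the oops in the commit message.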
-- 
2.34.1



* Re: [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse
  2022-07-27 19:14 [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse Zack Rusin
@ 2022-07-27 19:24 ` Matthew Wilcox
  2022-07-27 19:31   ` Zack Rusin
From: Matthew Wilcox @ 2022-07-27 19:24 UTC (permalink / raw)
  To: Zack Rusin
  Cc: Miaohe Lin, Jan Kara, David Hildenbrand, NeilBrown, Yang Shi,
	dri-devel, Michal Hocko, David Howells, linux-mm, Khalid Aziz,
	Don Dutile, Christoph Hellwig, mombasawalam, Andrea Arcangeli,
	Minchan Kim, Rik van Riel, Hugh Dickins, Liang Zhang,
	Mike Rapoport, Jason Gunthorpe, David Rientjes,
	Pedro Demarchi Gomes, Jann Horn, John Hubbard, Shakeel Butt,
	banackm, Muchun Song, Peter Xu, Suren Baghdasaryan,
	Vlastimil Babka, Hongchen Zhang, Oleg Nesterov, krastevm,
	Nadav Amit, Andrew Morton, Roman Gushchin, Kirill A. Shutemov,
	Mike Kravetz

On Wed, Jul 27, 2022 at 03:14:07PM -0400, Zack Rusin wrote:
> From: Zack Rusin <zackr@vmware.com>
> 
> Write page faults on last references might not have a valid page anymore.
> wp_page_reuse has always dealt with that scenario by making
> sure the page isn't null (or the reference was shared) before doing
> anything with it. Recently added checks in VM_BUG_ON (enabled by the
> CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
> page is never null, before making sure there is a valid page to work
> with.
> 
> Move the VM_BUG_ON, which unconditionally uses the page, after the
> code that checks that we have a valid one.

Message-ID: <CAHk-=wh_TrgNm6vz7=7CgZppr0UrZ9TwLyb3dgPXyG-w=a8kJQ@mail.gmail.com>



* Re: [PATCH] mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse
  2022-07-27 19:24 ` Matthew Wilcox
@ 2022-07-27 19:31   ` Zack Rusin
From: Zack Rusin @ 2022-07-27 19:31 UTC (permalink / raw)
  To: willy
  Cc: linmiaohe, jack, david, neilb, shy828301, Michael Banack, mhocko,
	dhowells, linux-mm, khalid.aziz, Nadav Amit, hch,
	Maaz Mombasawala, aarcange, Martin Krastev, jannh, hughd,
	zhangliang5, rppt, jgg, rientjes, pedrodemargomes, riel,
	jhubbard, shakeelb, peterx, songmuchun, surenb, vbabka,
	zhanghongchen, dri-devel, oleg, minchan, ddutile, akpm, guro,
	kirill.shutemov, mike.kravetz

On Wed, 2022-07-27 at 20:24 +0100, Matthew Wilcox wrote:
> On Wed, Jul 27, 2022 at 03:14:07PM -0400, Zack Rusin wrote:
> > From: Zack Rusin <zackr@vmware.com>
> > 
> > Write page faults on last references might not have a valid page anymore.
> > wp_page_reuse has always dealt with that scenario by making
> > sure the page isn't null (or the reference was shared) before doing
> > anything with it. Recently added checks in VM_BUG_ON (enabled by the
> > CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
> > page is never null, before making sure there is a valid page to work
> > with.
> > 
> > Move the VM_BUG_ON, which unconditionally uses the page, after the
> > code that checks that we have a valid one.
> 
> Message-ID: <CAHk-=wh_TrgNm6vz7=7CgZppr0UrZ9TwLyb3dgPXyG-w=a8kJQ@mail.gmail.com>

Ah, great, thanks.

z

