From: Dan Carpenter <dan.carpenter@linaro.org>
To: ziy@nvidia.com
Cc: linux-mm@kvack.org
Subject: [bug report] mm: huge_memory: enable debugfs to split huge pages to any order
Date: Thu, 7 Mar 2024 16:49:37 +0300
Message-ID: <7dda9283-b437-4cf8-ab0d-83c330deb9c0@moroto.mountain>

Hello
Zi Yan,

Commit fc4d182316bd ("mm: huge_memory: enable debugfs to split huge pages
to any order") from Feb 26, 2024 (linux-next), leads to the following
Smatch static checker warning:

	mm/huge_memory.c:2898 __split_huge_page()
	error: undefined (user controlled) shift '1 << new_order'

mm/huge_memory.c
    2889 static void __split_huge_page(struct page *page, struct list_head *list,
    2890 		pgoff_t end, unsigned int new_order)
    2891 {
    2892 	struct folio *folio = page_folio(page);
    2893 	struct page *head = &folio->page;
    2894 	struct lruvec *lruvec;
    2895 	struct address_space *swap_cache = NULL;
    2896 	unsigned long offset = 0;
    2897 	int i, nr_dropped = 0;
--> 2898 	unsigned int new_nr = 1 << new_order;
                                      ^^^^^^^^^
The new_order variable comes from the user via debugfs.

    2899 	int order = folio_order(folio);
    2900 	unsigned int nr = 1 << order;
    2901 
    2902 	/* complete memcg works before add pages to LRU */
    2903 	split_page_memcg(head, order, new_order);
    2904 
    2905 	if (folio_test_anon(folio) && folio_test_swapcache(folio)) {
    2906 		offset = swp_offset(folio->swap);
    2907 		swap_cache = swap_address_space(folio->swap);

Here is the debugfs code in split_huge_pages_write()

mm/huge_memory.c
    3628 
    3629 	ret = sscanf(input_buf, "%d,0x%lx,0x%lx,%d", &pid, &vaddr_start, &vaddr_end, &new_order);
                                                                                       ^^^^^^^^^^
We just read new_order

    3630 	if (ret == 1 && pid == 1) {
    3631 		split_huge_pages_all();
    3632 		ret = strlen(input_buf);
    3633 		goto out;
    3634 	} else if (ret != 3 && ret != 4) {
    3635 		ret = -EINVAL;
    3636 		goto out;
    3637 	}
    3638 
    3639 	ret = split_huge_pages_pid(pid, vaddr_start, vaddr_end, new_order);
                                                                     ^^^^^^^^^
And pass it directly with no bounds checking.  Debugfs code is root only...
We used to take a view that if root does something stupid then they get
what they deserve.  But these days syzbot is fuzz testing stuff even when
it's root only and complaining about shift wraps or other undefined
behavior.  So I feel like it might be easiest to silence this undefined
behavior warning now instead of waiting for the syzbot reports to come
back to bite us in a couple years.

    3640 	if (!ret)
    3641 		ret = strlen(input_buf);
    3642 out:
    3643 	mutex_unlock(&split_debug_mutex);
    3644 	return ret;
    3645 
    3646 }

regards,
dan carpenter
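A user-space model of the bounds check the report asks for, added here as an example; it is not part of the report above or of the kernel source. It parses the same "%d,0x%lx,0x%lx,%d" line the debugfs handler reads and rejects any new_order that would make "1 << new_order" undefined before the shift is ever evaluated. The struct, function names and the MAX_SPLIT_ORDER constant are assumptions for the example; in the kernel the real upper bound is the folio's own order.

```c
/* Added example: user-space model of validating the debugfs split input.
 * Not kernel code; names and MAX_SPLIT_ORDER are assumptions. */
#include <errno.h>
#include <stdio.h>

/* Assumed cap on the target order; the kernel would bound this by the
 * order of the folio actually being split. */
#define MAX_SPLIT_ORDER 9

struct split_request {
	int pid;
	unsigned long vaddr_start;
	unsigned long vaddr_end;
	int new_order;
};

/* Parses "pid,0x<start>,0x<end>[,new_order]" exactly as the handler's
 * sscanf does, then refuses a new_order that is negative, wider than an
 * unsigned int, or above the assumed cap. The "ret == 1 && pid == 1"
 * split-all path is left out. req may be NULL to validate only.
 * Returns 0 on success, -EINVAL on bad input. */
int parse_split_request(const char *input_buf, struct split_request *req)
{
	int pid = 0, new_order = 0;	/* new_order stays 0 if only 3 fields */
	unsigned long vaddr_start = 0, vaddr_end = 0;
	int ret;

	ret = sscanf(input_buf, "%d,0x%lx,0x%lx,%d",
		     &pid, &vaddr_start, &vaddr_end, &new_order);
	if (ret != 3 && ret != 4)
		return -EINVAL;

	/* The check missing in the report: bound the user-supplied shift. */
	if (new_order < 0 || new_order > MAX_SPLIT_ORDER)
		return -EINVAL;

	if (req) {
		req->pid = pid;
		req->vaddr_start = vaddr_start;
		req->vaddr_end = vaddr_end;
		req->new_order = new_order;
	}
	return 0;
}

/* "1 << new_order" is only well defined once new_order has passed the
 * check above; callers must go through parse_split_request() first. */
unsigned int order_to_nr(int new_order)
{
	return 1u << new_order;
}
```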