Subject: Patch "mm: fix dereference a null pointer in migrate[_huge]_page_move_mapping()" has been added to the 4.19-stable tree
To: david@redhat.com,gregkh@linuxfoundation.org,linux-mm@kvack.org,liqiong@nfschina.com
Date: Thu, 17 Mar 2022 11:27:15 +0100
In-Reply-To: <20220217115416.55835-1-liqiong@nfschina.com>
Message-ID: <164751283597127@kroah.com>


This is a note to let you know that I've just added the patch titled

    mm: fix dereference a null pointer in migrate[_huge]_page_move_mapping()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-fix-dereference-a-null-pointer-in-migrate_page_move_mapping.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


>From liqiong@nfschina.com Thu Mar 17 11:25:02 2022
From: liqiong Date: Thu, 17 Feb 2022 19:54:16 +0800 Subject: mm: fix dereference a null pointer in migrate[_huge]_page_move_m= apping() To: david@redhat.com, gregkh@linuxfoundation.org Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, liqiong , stable@vger.kernel.org Message-ID: <20220217115416.55835-1-liqiong@nfschina.com> From: liqiong Upstream doesn't use radix tree any more in migrate.c, no need this patch= . The two functions look up a slot and dereference the pointer, If the pointer is null, the kernel would crash and dump. The 'numad' service calls 'migrate_pages' periodically. If some slots being replaced (Cache Eviction), the radix_tree_lookup_slot() returns a null pointer that causes kernel crash. "numad": crash> bt [exception RIP: migrate_page_move_mapping+337] Introduce pointer checking to avoid dereference a null pointer. Cc: # linux-4.19.y Signed-off-by: liqiong Signed-off-by: Greg Kroah-Hartman --- mm/migrate.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/migrate.c +++ b/mm/migrate.c @@ -472,6 +472,10 @@ int migrate_page_move_mapping(struct add =20 pslot =3D radix_tree_lookup_slot(&mapping->i_pages, page_index(page)); + if (pslot =3D=3D NULL) { + xa_unlock_irq(&mapping->i_pages); + return -EAGAIN; + } =20 expected_count +=3D hpage_nr_pages(page) + page_has_private(page); if (page_count(page) !=3D expected_count || @@ -590,6 +594,10 @@ int migrate_huge_page_move_mapping(struc xa_lock_irq(&mapping->i_pages); =20 pslot =3D radix_tree_lookup_slot(&mapping->i_pages, page_index(page)); + if (pslot =3D=3D NULL) { + xa_unlock_irq(&mapping->i_pages); + return -EAGAIN; + } =20 expected_count =3D 2 + page_has_private(page); if (page_count(page) !=3D expected_count || Patches currently in stable-queue which might be from liqiong@nfschina.co= m are queue-4.19/mm-fix-dereference-a-null-pointer-in-migrate_page_move_mapping= .patch
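Review bot: The new NULL branch in the first hunk (migrate_page_move_mapping(), after the radix_tree_lookup_slot() call) has no comment saying how the slot can be missing at this point, and the changelog only says "some slots being replaced (Cache Eviction)". Since the branch returns -EAGAIN, which asks the caller to try again, please add a short comment above the check (or a sentence in the changelog) stating which path removes the slot and why a retry is expected to succeed rather than find the same empty slot. Without that, the check reads as hiding the crash rather than explaining it.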
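Review bot: The second hunk adds the same check to migrate_huge_page_move_mapping(), but the only evidence in the changelog is the 'numad' backtrace with RIP at migrate_page_move_mapping+337, so it is not clear whether the huge page path was ever seen to crash or is being changed by analogy; the changelog should say which. As a style point that applies to both hunks, the comparison is normally written "if (!pslot)" in kernel code rather than comparing against NULL, and the two identical unlock-and-return blocks could share the wording of one comment.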