From: Mike Rapoport <rppt@kernel.org>
To: Sean Christopherson <seanjc@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
"Darrick J . Wong" <djwong@kernel.org>,
Stephen <stephenackerman16@gmail.com>
Subject: Re: [PATCH] mm: Fix NULL page->mapping dereference in page_is_secretmem()
Date: Sun, 10 Oct 2021 08:29:48 +0300 [thread overview]
Message-ID: <YWJ6TH2KZ4K1U80g@kernel.org> (raw)
In-Reply-To: <20211007231502.3552715-1-seanjc@google.com>
On Thu, Oct 07, 2021 at 04:15:02PM -0700, Sean Christopherson wrote:
> Check for a NULL page->mapping before dereferencing the mapping in
> page_is_secretmem(), as the page's mapping can be nullified while gup()
> is running, e.g. by reclaim or truncation.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000068
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W
> RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0
> Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be
> RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046
> RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900
> ...
> CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0
> Call Trace:
> get_user_pages_fast_only+0x13/0x20
> hva_to_pfn+0xa9/0x3e0
> try_async_pf+0xa1/0x270
> direct_page_fault+0x113/0xad0
> kvm_mmu_page_fault+0x69/0x680
> vmx_handle_exit+0xe1/0x5d0
> kvm_arch_vcpu_ioctl_run+0xd81/0x1c70
> kvm_vcpu_ioctl+0x267/0x670
> __x64_sys_ioctl+0x83/0xa0
> do_syscall_64+0x56/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Cc: Mike Rapoport <rppt@kernel.org>
> Cc: linux-mm@kvack.org
> Reported-by: Darrick J. Wong <djwong@kernel.org>
> Reported-by: Stephen <stephenackerman16@gmail.com>
> Tested-by: Darrick J. Wong <djwong@kernel.org>
> Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
> ---
> include/linux/secretmem.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
> index 21c3771e6a56..988528b5da43 100644
> --- a/include/linux/secretmem.h
> +++ b/include/linux/secretmem.h
> @@ -23,7 +23,7 @@ static inline bool page_is_secretmem(struct page *page)
> mapping = (struct address_space *)
> ((unsigned long)page->mapping & ~PAGE_MAPPING_FLAGS);
>
> - if (mapping != page->mapping)
> + if (!mapping || mapping != page->mapping)
> return false;
>
> return mapping->a_ops == &secretmem_aops;
> --
> 2.33.0.882.g93a45727a2-goog
>
--
Sincerely yours,
Mike.
prev parent reply other threads:[~2021-10-10 5:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-07 23:15 [PATCH] mm: Fix NULL page->mapping dereference in page_is_secretmem() Sean Christopherson
2021-10-08 10:46 ` David Hildenbrand
2021-10-08 14:17 ` Sean Christopherson
2021-10-10 5:29 ` Mike Rapoport [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YWJ6TH2KZ4K1U80g@kernel.org \
--to=rppt@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=djwong@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=seanjc@google.com \
--cc=stephenackerman16@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.