From: qiwuchen55@gmail.com
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, chenqiwu
Subject: [PATCH] mm/rmap: ensure the validity of mapping vma which referenced an anon page
Date: Wed, 11 Mar 2020 15:45:13 +0800
Message-Id: <1583912713-30778-1-git-send-email-qiwuchen55@gmail.com>

From: chenqiwu

When finding all the mapping vmas for an anon page by anon_vma, there is
a panic risk that one mapping vma or its vm_mm has been released by
someone. Like the following crash during kswapd reclaiming pages:

Unable to handle kernel NULL pointer dereference at virtual address 00000048
PC is at page_vma_mapped_walk+0x54/0x16c
LR is at page_referenced_one+0x44/0x140
[......]
CPU: 1 PID: 161 Comm: kswapd0
Call trace:
[] el1_da+0x24/0x3c
[] page_vma_mapped_walk+0x54/0x16c
[] page_referenced_one+0x44/0x140
[] rmap_walk_anon+0x124/0x168
[] page_referenced+0x144/0x190
[] shrink_active_list+0x25c/0x478
[] kswapd+0x7b0/0x9c8
[] kthread+0x154/0x18c
[] ret_from_fork+0x10/0x18

The PC points to the following code line:

bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
{
	struct mm_struct *mm = pvmw->vma->vm_mm;
	......
	pgd = pgd_offset(mm, pvmw->address); //PC
	......
}

The current pvmw->vma->vm_mm is a kernel NULL pointer, which causes a
crash when pgd_offset() dereferences the mm pointer.

This patch fixes the problem by ensuring that both the mapping vma and
its vm_mm are valid. If not, we just continue to traverse the
anon_vma->rb_root to avoid the potential junk pointer dereference.

Signed-off-by: chenqiwu
---
 mm/rmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/rmap.c b/mm/rmap.c index b3e3819..fc42ca2 100644 --- a/mm/rmap.c +++ b/mm/rmap.c 
@@ -1863,6 +1863,9 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc, if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) continue; + if (!vma && !vma->vm_mm) + continue; + if (!rwc->rmap_one(page, vma, address, rwc->arg)) break; if (rwc->done && rwc->done(page)) -- 1.9.1
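
Review bot: The added test `if (!vma && !vma->vm_mm)` in rmap_walk_anon() uses `&&` where the stated intent (skip the entry when either the vma or its vm_mm is invalid) needs `||`. As written, a NULL vma makes the right-hand operand dereference NULL, and a non-NULL vma with a NULL vm_mm evaluates to false, so the `continue` is never taken for the vm_mm == NULL case shown in the crash report. The check is also placed after `rwc->invalid_vma(vma, rwc->arg)`, which has already been handed vma, so it would have to move above that call if vma can really be NULL here. Separately, the commit message describes a vma or vm_mm that "has been released"; a NULL comparison cannot detect freed memory, so the changelog should explain how vm_mm becomes NULL while the vma is still reachable through the anon_vma tree, and the fix should address that lifetime problem rather than only skipping the entry.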