From: Andrew Morton <akpm@linux-foundation.org>
To: Sourav Panda <souravpanda@google.com>
Cc: muchun.song@linux.dev, osalvador@suse.de, david@kernel.org,
surenb@google.com, fvdl@google.com, gthelen@google.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] mm/hugetlb: Fix null nodemask in alloc_fresh_hugetlb_folio
Date: Sun, 5 Jul 2026 12:04:11 -0700 [thread overview]
Message-ID: <20260705120411.c7a34ec212cb5ae4e0939076@linux-foundation.org> (raw)
In-Reply-To: <20260705175119.440599-1-souravpanda@google.com>
On Sun, 5 Jul 2026 17:51:19 +0000 Sourav Panda <souravpanda@google.com> wrote:
> alloc_buddy_hugetlb_folio_with_mpol() can pass a NULL nodemask to
> alloc_fresh_hugetlb_folio() as a fallback to allocate from all
> nodes. If order is gigantic, alloc_fresh_hugetlb_folio() propagates
> the NULL nodemask down to hugetlb_cma_alloc_frozen_folio() which blindly
> dereferences it in for_each_node_mask(), leading to a null pointer
> dereference.
>
> Similarly, if the CMA allocation fails, the fallback
> alloc_contig_frozen_pages() is also called with a NULL nodemask,
> which may cause issues.
>
> Fix this by explicitly checking if nodemask is NULL in
> alloc_fresh_hugetlb_folio() and defaulting to
> cpuset_current_mems_allowed. This ensures that both the CMA and
> contiguous allocators receive a valid nodemask safely using a seqcount
> loop to prevent torn reads.
>
> From a userspace perspective, this bug allows an unprivileged user to
> crash the kernel (trigger a panic) by requesting a gigantic hugepage
> allocation with MPOL_PREFERRED_MANY on a system where CMA is only
> configured on a subset of NUMA nodes.
ow.
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -1864,6 +1864,18 @@ static struct folio *alloc_fresh_hugetlb_folio(struct hstate *h,
> gfp_t gfp_mask, int nid, nodemask_t *nmask)
> {
> struct folio *folio;
> + nodemask_t local_node_mask;
> +
> + if (!nmask) {
> + unsigned int cpuset_mems_cookie;
> +
> + do {
> + cpuset_mems_cookie = read_mems_allowed_begin();
> + local_node_mask = cpuset_current_mems_allowed;
> + } while (read_mems_allowed_retry(cpuset_mems_cookie));
> +
> + nmask = &local_node_mask;
> + }
For my edification, is there anything which prevents
cpuset_current_mems_allowed from changing after it has been read? So
we end up with a folio on an inappropriate node? Or does that not
really matter much.
cpuset_current_mems_allowed is a nasty thing. It looks like a simple
global variable, but appearances can be deceptive:
#ifdef ...
#define cpuset_current_mems_allowed (current->mems_allowed)
#else
#define cpuset_current_mems_allowed (node_states[N_MEMORY])
#endif
Thanks, I'll queue this for a bit of testing and shall await reviewer
input.
next prev parent reply other threads:[~2026-07-05 19:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 17:51 [PATCH v3] mm/hugetlb: Fix null nodemask in alloc_fresh_hugetlb_folio Sourav Panda
2026-07-05 19:04 ` Andrew Morton [this message]
2026-07-06 6:17 ` Muchun Song
2026-07-06 6:55 ` Sourav Panda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705120411.c7a34ec212cb5ae4e0939076@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=david@kernel.org \
--cc=fvdl@google.com \
--cc=gthelen@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=muchun.song@linux.dev \
--cc=osalvador@suse.de \
--cc=souravpanda@google.com \
--cc=surenb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox