Linux-mm Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Andrew Morton <akpm@linux-foundation.org>
To: Sourav Panda <souravpanda@google.com>
Cc: muchun.song@linux.dev, osalvador@suse.de, david@kernel.org,
	surenb@google.com, fvdl@google.com, gthelen@google.com,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] mm/hugetlb: Fix null nodemask in alloc_fresh_hugetlb_folio
Date: Sun, 5 Jul 2026 12:04:11 -0700	[thread overview]
Message-ID: <20260705120411.c7a34ec212cb5ae4e0939076@linux-foundation.org> (raw)
In-Reply-To: <20260705175119.440599-1-souravpanda@google.com>

On Sun,  5 Jul 2026 17:51:19 +0000 Sourav Panda <souravpanda@google.com> wrote:

> alloc_buddy_hugetlb_folio_with_mpol() can pass a NULL nodemask to
> alloc_fresh_hugetlb_folio() as a fallback to allocate from all
> nodes. If order is gigantic, alloc_fresh_hugetlb_folio() propagates
> the NULL nodemask down to hugetlb_cma_alloc_frozen_folio() which blindly
> dereferences it in for_each_node_mask(), leading to a null pointer
> dereference.
> 
> Similarly, if the CMA allocation fails, the fallback
> alloc_contig_frozen_pages() is also called with a NULL nodemask,
> which may cause issues.
> 
> Fix this by explicitly checking if nodemask is NULL in
> alloc_fresh_hugetlb_folio() and defaulting to
> cpuset_current_mems_allowed. This ensures that both the CMA and
> contiguous allocators receive a valid nodemask safely using a seqcount
> loop to prevent torn reads.
> 
> From a userspace perspective, this bug allows an unprivileged user to
> crash the kernel (trigger a panic) by requesting a gigantic hugepage
> allocation with MPOL_PREFERRED_MANY on a system where CMA is only
> configured on a subset of NUMA nodes.

ow.

> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -1864,6 +1864,18 @@ static struct folio *alloc_fresh_hugetlb_folio(struct hstate *h,
>  		gfp_t gfp_mask, int nid, nodemask_t *nmask)
>  {
>  	struct folio *folio;
> +	nodemask_t local_node_mask;
> +
> +	if (!nmask) {
> +		unsigned int cpuset_mems_cookie;
> +
> +		do {
> +			cpuset_mems_cookie = read_mems_allowed_begin();
> +			local_node_mask = cpuset_current_mems_allowed;
> +		} while (read_mems_allowed_retry(cpuset_mems_cookie));
> +
> +		nmask = &local_node_mask;
> +	}

For my edification, is there anything which prevents
cpuset_current_mems_allowed from changing after it has been read?  So
we end up with a folio on an inappropriate node?  Or does that not
really matter much.


cpuset_current_mems_allowed is a nasty thing.  It looks like a simple
global variable, but appearances can be deceptive:

#ifdef ...
#define cpuset_current_mems_allowed (current->mems_allowed)
#else
#define cpuset_current_mems_allowed (node_states[N_MEMORY])
#endif


Thanks, I'll queue this for a bit of testing and shall await reviewer
input.



  reply	other threads:[~2026-07-05 19:04 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-05 17:51 [PATCH v3] mm/hugetlb: Fix null nodemask in alloc_fresh_hugetlb_folio Sourav Panda
2026-07-05 19:04 ` Andrew Morton [this message]
2026-07-06  6:17 ` Muchun Song
2026-07-06  6:55   ` Sourav Panda

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260705120411.c7a34ec212cb5ae4e0939076@linux-foundation.org \
    --to=akpm@linux-foundation.org \
    --cc=david@kernel.org \
    --cc=fvdl@google.com \
    --cc=gthelen@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=muchun.song@linux.dev \
    --cc=osalvador@suse.de \
    --cc=souravpanda@google.com \
    --cc=surenb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox