From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Qft/=DF=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D9DFAC2D0A8
	for <linux-mm@archiver.kernel.org>; Mon, 28 Sep 2020 10:18:13 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 40AF120BED
	for <linux-mm@archiver.kernel.org>; Mon, 28 Sep 2020 10:18:13 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="cQtCvmir"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 40AF120BED
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=zx2c4.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 76E416B005D; Mon, 28 Sep 2020 06:18:12 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 71D786B0062; Mon, 28 Sep 2020 06:18:12 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 632936B0068; Mon, 28 Sep 2020 06:18:12 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0187.hostedemail.com [216.40.44.187])
	by kanga.kvack.org (Postfix) with ESMTP id 4DC836B005D
	for <linux-mm@kvack.org>; Mon, 28 Sep 2020 06:18:12 -0400 (EDT)
Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 07B471EF1
	for <linux-mm@kvack.org>; Mon, 28 Sep 2020 10:18:12 +0000 (UTC)
X-FDA: 77312070024.20.eye70_2f0a1d027180
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin20.hostedemail.com (Postfix) with ESMTP id E55B0180C07AB
	for <linux-mm@kvack.org>; Mon, 28 Sep 2020 10:18:11 +0000 (UTC)
X-HE-Tag: eye70_2f0a1d027180
X-Filterd-Recvd-Size: 3217
Received: from mail.zx2c4.com (mail.zx2c4.com [192.95.5.64])
	by imf35.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon, 28 Sep 2020 10:18:11 +0000 (UTC)
Received: 
	by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTP id d67401c8
	for <linux-mm@kvack.org>;
	Mon, 28 Sep 2020 09:46:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=mime-version
	:references:in-reply-to:from:date:message-id:subject:to:cc
	:content-type; s=mail; bh=/cDJPA+uVkTExsxg1g0sjxHghPU=; b=cQtCvm
	ir5ZdM6+FYUD9nu/iMN6JHl039WOp3CjGv97mkA7B//1xGoUo4LHceBe20quyhiZ
	j6facUcGMe5ThikkqrYcju3xmNxkztLPV0MurUjojmkRXp1nDm4JSpTDk42JXVfO
	mRBTvCXFOY2qokfBcWkaPpPJEcmDu06CsYxKzeygL/3aUfM13p+4K9+39gqtqjtq
	zsByCtOp2INQztRuHZVM6U7uNF8y+Zh1iqB4Jmm0OASQIAfgJ0ozJzv3WyshT4Zb
	sQmNL/2jT1KwzN5nIkAM6XgU0ksKqBn2AHygvGTOFB6OdGs4ELzDh72A7lQZ765R
	X1FPBPzIyGEcR8Nw==
Received: 
	by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id c707ff1e (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO)
	for <linux-mm@kvack.org>;
	Mon, 28 Sep 2020 09:46:43 +0000 (UTC)
Received: by mail-il1-f169.google.com with SMTP id e5so632226ilr.8
        for <linux-mm@kvack.org>; Mon, 28 Sep 2020 03:18:10 -0700 (PDT)
X-Gm-Message-State: AOAM532lphgDaijgDdZyb4NcEUWLVdo8DZXk2cxQ8DSuy2S1k1gHKy5D
	Hb4cwzGB4DxAVGlyvT1sbn5FM6eVeodmYowD+5A=
X-Google-Smtp-Source: ABdhPJxwCebYVRZYRiOo5Ycu/i+iis87iyV5mmfF9PYcRsC9zNKzgWrCiZDzI1BqWrOozXl//DLKVSXT/VozZAmU2m0=
X-Received: by 2002:a05:6e02:6d0:: with SMTP id p16mr491957ils.64.1601288289457;
 Mon, 28 Sep 2020 03:18:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAHmME9odvKzyAG7HgzSE-1gLOfiU=HL1MB5w4z=AwOsjz9WJPA@mail.gmail.com>
 <CAHmME9qPo_MNrVioY=qgOVNxYBVY1_i_eep5wzP-7Akq5fH1Xg@mail.gmail.com>
In-Reply-To: <CAHmME9qPo_MNrVioY=qgOVNxYBVY1_i_eep5wzP-7Akq5fH1Xg@mail.gmail.com>
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Mon, 28 Sep 2020 12:17:58 +0200
X-Gmail-Original-Message-ID: <CAHmME9qBtUuOSEU3Cb9rL7SHaBAwk862VEPdmYcisnSHDERtvQ@mail.gmail.com>
Message-ID: <CAHmME9qBtUuOSEU3Cb9rL7SHaBAwk862VEPdmYcisnSHDERtvQ@mail.gmail.com>
Subject: Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
To: Jason Gunthorpe <jgg@ziepe.ca>, Peter Xu <peterx@redhat.com>, 
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: intel-gfx@lists.freedesktop.org, 
	"open list:DRM DRIVERS" <dri-devel@lists.freedesktop.org>, open list <linux-kernel@vger.kernel.org>, 
	Chris Wilson <chris@chris-wilson.co.uk>, Linux-MM <linux-mm@kvack.org>, 
	Andrew Morton <akpm@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Alright, the failing code seems to be in mm:

        if (flags & FOLL_PIN)
                atomic_set(&current->mm->has_pinned, 1);

Apparently you can't rely on current->mm being valid in this context;
it's null here, hence the +0x64 for has_pinned's offset.

This was added by 008cfe4418b3 ("mm: Introduce mm_struct.has_pinned"),
which is new for rc7 indeed.

The crash goes away when changing that to:

        if ((flags & FOLL_PIN) && current->mm)
                atomic_set(&current->mm->has_pinned, 1);

But I haven't really evaluated whether or not that's racy or if I need
to take locks to do such a thing.