* [PATCH] mm: fix kernel NULL pointer dereference in page_vma_mapped_walk
From: zhenwei pi @ 2022-04-07  6:40 UTC (permalink / raw)
  To: akpm; +Cc: linux-mm, linux-kernel, willy, zhenwei pi
size_to_hstate(4K) returns a NULL pointer, which leads to a kernel BUG in
function page_vma_mapped_walk.
 BUG: kernel NULL pointer dereference, address: 0000000000000028
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 102a8b067 P4D 102a8b067 PUD 102a88067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 0 PID: 16 Comm: kworker/0:1 Kdump: loaded Tainted: G   M        E     5.18.0-rc1.bm.1-amd64 #3
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
 Workqueue: events mce_gen_pool_process
 RIP: 0010:page_vma_mapped_walk+0x4aa/0x850
 Code: 8b 77 20 48 89 c2 4c 89 ef e8 b2 c4 02 00 49 89 c4 48 89 43 30 48 85 c0 0f 84 a7 fd ff ff 48 89 ef e8 fa 9c 02 00 49 8d 7d 74 <83> 78 28 09 0f 84 1e 03 00 00 48 89 7b 38 e8 a3 cc 60 00 48 89 df
 RSP: 0018:ffffc9000008bc58 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffffc9000008bca0 RCX: 0000000000000009
 RDX: 0000000000200000 RSI: ffffffff82b4a460 RDI: ffff88810ac5c3f4
 RBP: 0000000000001000 R08: 0000000000001000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000007 R12: ffff888072cafd10
 R13: ffff88810ac5c380 R14: ffff888101afc440 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff88823fc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000028 CR3: 0000000106ca2002 CR4: 0000000000772ef0
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? preempt_count_add+0x68/0xa0
  page_mapped_in_vma+0xb4/0x230
  collect_procs.part.35+0x11b/0x440
  hwpoison_user_mappings+0x165/0x5b0
  ? zone_pcp_enable+0x16/0x30
  memory_failure+0xbea/0xd90
  ? _printk+0x58/0x6f
  uc_decode_notifier+0x4b/0xd0
  blocking_notifier_call_chain+0x60/0x90
  mce_gen_pool_process+0x3c/0x60
  process_one_work+0x1c2/0x390
  ? process_one_work+0x390/0x390
  worker_thread+0x30/0x360
  ? process_one_work+0x390/0x390
  kthread+0xe6/0x110
  ? kthread_complete_and_exit+0x20/0x20
  ret_from_fork+0x1f/0x30
  </TASK>
Fixes: 2aff7a4755bed ("mm: Convert page_vma_mapped_walk to work on PFNs")
Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
---
 mm/page_vma_mapped.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
index 1187f9c1ec5b..a39ec23581c9 100644
--- a/mm/page_vma_mapped.c
+++ b/mm/page_vma_mapped.c
@@ -163,7 +163,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
 		return not_found(pvmw);
 
 	if (unlikely(is_vm_hugetlb_page(vma))) {
-		unsigned long size = pvmw->nr_pages * PAGE_SIZE;
+		unsigned long size = huge_page_size(hstate_vma(vma));
 		/* The only possible mapping was handled on last iteration */
 		if (pvmw->pte)
 			return not_found(pvmw);
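Review bot: the changelog should state the root cause this hunk fixes rather than only the symptom. page_mapped_in_vma() sets nr_pages to 1, so the removed `pvmw->nr_pages * PAGE_SIZE` evaluates to PAGE_SIZE for a hugetlb VMA, the size_to_hstate() lookup mentioned in the changelog finds no hstate of that size and returns NULL, and that NULL is then dereferenced (CR2 is 0x28, an offset into the missing hstate). The replacement `huge_page_size(hstate_vma(vma))` sidesteps this by taking the hstate from the VMA, which is correct for hugetlb since the walk must cover the whole huge page regardless of nr_pages. One follow-up: once the hstate comes from the VMA, passing the resulting size back through size_to_hstate() to recover the same hstate is redundant; keep `hstate_vma(vma)` in a local and use it directly.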
-- 
2.25.1
* Re: [PATCH] mm: fix kernel NULL pointer dereference in page_vma_mapped_walk
From: Muchun Song @ 2022-04-07  9:31 UTC (permalink / raw)
  To: zhenwei pi
  Cc: Andrew Morton, Linux Memory Management List, LKML, Matthew Wilcox
On Thu, Apr 7, 2022 at 2:43 PM zhenwei pi <pizhenwei@bytedance.com> wrote:
>
> size_to_hstate(4K) returns a NULL pointer, which leads to a kernel BUG in
> function page_vma_mapped_walk.
>
>  BUG: kernel NULL pointer dereference, address: 0000000000000028
>  #PF: supervisor read access in kernel mode
>  #PF: error_code(0x0000) - not-present page
>  PGD 102a8b067 P4D 102a8b067 PUD 102a88067 PMD 0
>  Oops: 0000 [#1] PREEMPT SMP NOPTI
>  CPU: 0 PID: 16 Comm: kworker/0:1 Kdump: loaded Tainted: G   M        E     5.18.0-rc1.bm.1-amd64 #3
>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
>  Workqueue: events mce_gen_pool_process
>  RIP: 0010:page_vma_mapped_walk+0x4aa/0x850
>  Code: 8b 77 20 48 89 c2 4c 89 ef e8 b2 c4 02 00 49 89 c4 48 89 43 30 48 85 c0 0f 84 a7 fd ff ff 48 89 ef e8 fa 9c 02 00 49 8d 7d 74 <83> 78 28 09 0f 84 1e 03 00 00 48 89 7b 38 e8 a3 cc 60 00 48 89 df
>  RSP: 0018:ffffc9000008bc58 EFLAGS: 00010246
>  RAX: 0000000000000000 RBX: ffffc9000008bca0 RCX: 0000000000000009
>  RDX: 0000000000200000 RSI: ffffffff82b4a460 RDI: ffff88810ac5c3f4
>  RBP: 0000000000001000 R08: 0000000000001000 R09: 0000000000000000
>  R10: 0000000000000000 R11: 0000000000000007 R12: ffff888072cafd10
>  R13: ffff88810ac5c380 R14: ffff888101afc440 R15: 0000000000000000
>  FS:  0000000000000000(0000) GS:ffff88823fc00000(0000) knlGS:0000000000000000
>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>  CR2: 0000000000000028 CR3: 0000000106ca2002 CR4: 0000000000772ef0
>  PKRU: 55555554
>  Call Trace:
>   <TASK>
>   ? preempt_count_add+0x68/0xa0
>   page_mapped_in_vma+0xb4/0x230
>   collect_procs.part.35+0x11b/0x440
>   hwpoison_user_mappings+0x165/0x5b0
>   ? zone_pcp_enable+0x16/0x30
>   memory_failure+0xbea/0xd90
>   ? _printk+0x58/0x6f
>   uc_decode_notifier+0x4b/0xd0
>   blocking_notifier_call_chain+0x60/0x90
>   mce_gen_pool_process+0x3c/0x60
>   process_one_work+0x1c2/0x390
>   ? process_one_work+0x390/0x390
>   worker_thread+0x30/0x360
>   ? process_one_work+0x390/0x390
>   kthread+0xe6/0x110
>   ? kthread_complete_and_exit+0x20/0x20
>   ret_from_fork+0x1f/0x30
>   </TASK>
>
> Fixes: 2aff7a4755bed ("mm: Convert page_vma_mapped_walk to work on PFNs")
> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Good catch.
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Thanks.
* Re: [PATCH] mm: fix kernel NULL pointer dereference in page_vma_mapped_walk
From: Matthew Wilcox @ 2022-04-07 13:54 UTC (permalink / raw)
  To: zhenwei pi; +Cc: akpm, linux-mm, linux-kernel
On Thu, Apr 07, 2022 at 02:40:08PM +0800, zhenwei pi wrote:
> size_to_hstate(4K) returns a NULL pointer, which leads to a kernel BUG in
> function page_vma_mapped_walk.
Yes, I think this is the right fix.  It's not immediately obvious from
the bug and the patch, but what's going on is:
page_mapped_in_vma() sets nr_pages to 1.  This is correct because we
usually only want to know about the precise page, and not about the
folio containing it.  But hugetlbfs is special (... in so many ways ...)
and actually wants to work on the entire folio.  We could set nr_pages
specially for hugetlb pages, but it's better to ignore it in
page_vma_mapped_walk() for the hugetlb case.
I'll fix up the changelog and add it to my pile of fixes that I'm
sending tomorrow.
https://git.infradead.org/users/willy/pagecache.git/shortlog/refs/heads/for-next
> diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
> index 1187f9c1ec5b..a39ec23581c9 100644
> --- a/mm/page_vma_mapped.c
> +++ b/mm/page_vma_mapped.c
> @@ -163,7 +163,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
>  		return not_found(pvmw);
>  
>  	if (unlikely(is_vm_hugetlb_page(vma))) {
> -		unsigned long size = pvmw->nr_pages * PAGE_SIZE;
> +		unsigned long size = huge_page_size(hstate_vma(vma));
>  		/* The only possible mapping was handled on last iteration */
>  		if (pvmw->pte)
>  			return not_found(pvmw);
> -- 
> 2.25.1
> 
* Re: [PATCH] mm: fix kernel NULL pointer dereference in page_vma_mapped_walk
From: Matthew Wilcox @ 2022-04-07 14:17 UTC (permalink / raw)
  To: zhenwei pi; +Cc: Mike Kravetz, akpm, linux-mm, linux-kernel
On Thu, Apr 07, 2022 at 02:54:42PM +0100, Matthew Wilcox wrote:
> On Thu, Apr 07, 2022 at 02:40:08PM +0800, zhenwei pi wrote:
> > size_to_hstate(4K) returns a NULL pointer, which leads to a kernel BUG in
> > function page_vma_mapped_walk.
> 
> Yes, I think this is the right fix.  It's not immediately obvious from
> the bug and the patch, but what's going on is:
> 
> page_mapped_in_vma() sets nr_pages to 1.  This is correct because we
> usually only want to know about the precise page, and not about the
> folio containing it.  But hugetlbfs is special (... in so many ways ...)
> and actually wants to work on the entire folio.  We could set nr_pages
> specially for hugetlb pages, but it's better to ignore it in
> page_vma_mapped_walk() for the hugetlb case.
> 
> I'll fix up the changelog and add it to my pile of fixes that I'm
> sending tomorrow.
> https://git.infradead.org/users/willy/pagecache.git/shortlog/refs/heads/for-next
I looked over the patch in context, and realised we now don't need to
call size_to_hstate since we're getting the hstate from the VMA.
https://git.infradead.org/users/willy/pagecache.git/commitdiff/98ea02597b9967c0817d29fee2f96d21b9e59ca5
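The two explanations above (nr_pages is 1 for the page_mapped_in_vma() caller, so a size-based hstate lookup fails for hugetlb, and obtaining the hstate from the VMA makes that lookup unnecessary) as an added userspace model; this is not kernel code and not part of the thread. The struct layouts, the registered huge page sizes and the VMA are constructed stand-ins that only mirror the kernel names.

```c
/* Added example, not kernel code: models why size_to_hstate(nr_pages * PAGE_SIZE)
 * returns NULL for a hugetlb VMA when the caller asked about one 4K page, and
 * why taking the hstate from the VMA avoids the lookup entirely. */
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

struct hstate { unsigned long size; };    /* stand-in for the kernel's struct hstate */
struct vma    { struct hstate *hstate; }; /* stand-in: a hugetlb VMA knows its hstate */

/* Constructed table of huge page sizes registered on this system: 2M and 1G only. */
static struct hstate hstates[] = { { 2UL << 20 }, { 1UL << 30 } };

/* Mirrors the kernel's size_to_hstate(): NULL when no hstate has this size. */
static struct hstate *size_to_hstate(unsigned long size)
{
	for (size_t i = 0; i < sizeof(hstates) / sizeof(hstates[0]); i++)
		if (hstates[i].size == size)
			return &hstates[i];
	return NULL;
}

/* Old path: derive the size from nr_pages. page_mapped_in_vma() passes
 * nr_pages = 1, so the size is 4K, the lookup fails, and the kernel went on
 * to dereference the NULL result (the oops in the thread). */
static struct hstate *hstate_from_nr_pages(unsigned long nr_pages)
{
	return size_to_hstate(nr_pages * PAGE_SIZE);
}

/* Fixed path: the VMA already carries its hstate; no size lookup is needed. */
static struct hstate *hstate_from_vma(const struct vma *vma)
{
	return vma->hstate;
}

/* Returns the huge page size, or 0 for a NULL hstate instead of dereferencing it. */
static unsigned long safe_huge_page_size(const struct hstate *h)
{
	return h ? h->size : 0;
}

int main(void)
{
	struct vma vma = { &hstates[0] };  /* constructed 2M hugetlb VMA */
	printf("nr_pages=1 path: %lu\n", safe_huge_page_size(hstate_from_nr_pages(1)));
	printf("vma path:        %lu\n", safe_huge_page_size(hstate_from_vma(&vma)));
	return 0;
}
```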
* Re: Re: [PATCH] mm: fix kernel NULL pointer dereference in page_vma_mapped_walk
From: zhenwei pi @ 2022-04-08  1:17 UTC (permalink / raw)
  To: Matthew Wilcox; +Cc: Mike Kravetz, akpm, linux-mm, linux-kernel
On 4/7/22 22:17, Matthew Wilcox wrote:
> On Thu, Apr 07, 2022 at 02:54:42PM +0100, Matthew Wilcox wrote:
>> On Thu, Apr 07, 2022 at 02:40:08PM +0800, zhenwei pi wrote:
>>> size_to_hstate(4K) returns a NULL pointer, which leads to a kernel BUG in
>>> function page_vma_mapped_walk.
>>
>> Yes, I think this is the right fix.  It's not immediately obvious from
>> the bug and the patch, but what's going on is:
>>
>> page_mapped_in_vma() sets nr_pages to 1.  This is correct because we
>> usually only want to know about the precise page, and not about the
>> folio containing it.  But hugetlbfs is special (... in so many ways ...)
>> and actually wants to work on the entire folio.  We could set nr_pages
>> specially for hugetlb pages, but it's better to ignore it in
>> page_vma_mapped_walk() for the hugetlb case.
>>
>> I'll fix up the changelog and add it to my pile of fixes that I'm
>> sending tomorrow.
>> https://git.infradead.org/users/willy/pagecache.git/shortlog/refs/heads/for-next
> 
> I looked over the patch in context, and realised we now don't need to
> call size_to_hstate since we're getting the hstate from the VMA.
> 
> https://git.infradead.org/users/willy/pagecache.git/commitdiff/98ea02597b9967c0817d29fee2f96d21b9e59ca5
> 
Thanks!
-- 
zhenwei pi