Please, fix syzbot crash: kernel BUG in filemap_unaccount_folio

Please, fix syzbot crash: kernel BUG in filemap_unaccount_folio

[Andrey Kalachev]

Hi all.

The upstream kernels late than v6.10-rc6 has the patch:

   7d79cd784470 udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

That patch stop reproducing syzbot crashes [1], [2].
The reproducer code [3] still crash longterm & stable kernel versions v5.4-v6.6.
Here the 7d79cd784470 backports below.
Patch v6.6 just cherry-picked, patch for v5.4-v6.1 has minor change described
in the patch note.

Regards,
AK

[1] https://syzkaller.appspot.com/bug?extid=3d218f7b6c5511a83a79
[2] https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
[3] https://syzkaller.appspot.com/text?tag=ReproC&x=10c0b8c0580000

Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
Reported-by: syzbot+17a207d226b8a5fb0fd9@syzkaller.appspotmail.com

[PATCH v6.6] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Andrey Kalachev]

From: Vivek Kasireddy <vivek.kasireddy@intel.com>

[ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]

Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
would be managed without using struct page.

And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn
to userspace instead of directly sharing the page (via struct page *).

Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Suggested-by: David Hildenbrand <david@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Hugh Dickins <hughd@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Dongwon Kim <dongwon.kim@intel.com>
Cc: Junxiao Chang <junxiao.chang@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
---
 drivers/dma-buf/udmabuf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index c40645999648..820c993c8659 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -35,12 +35,13 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
 	struct vm_area_struct *vma = vmf->vma;
 	struct udmabuf *ubuf = vma->vm_private_data;
 	pgoff_t pgoff = vmf->pgoff;
+	unsigned long pfn;
 
 	if (pgoff >= ubuf->pagecount)
 		return VM_FAULT_SIGBUS;
-	vmf->page = ubuf->pages[pgoff];
-	get_page(vmf->page);
-	return 0;
+
+	pfn = page_to_pfn(ubuf->pages[pgoff]);
+	return vmf_insert_pfn(vma, vmf->address, pfn);
 }
 
 static const struct vm_operations_struct udmabuf_vm_ops = {
@@ -56,6 +57,7 @@ static int mmap_udmabuf(struct dma_buf *buf, struct vm_area_struct *vma)
 
 	vma->vm_ops = &udmabuf_vm_ops;
 	vma->vm_private_data = ubuf;
+	vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
 	return 0;
 }
 
-- 
2.30.2

[PATCH v5.4-v6.1] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Andrey Kalachev]

From: Vivek Kasireddy <vivek.kasireddy@intel.com>

[ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]

Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
would be managed without using struct page.

And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn
to userspace instead of directly sharing the page (via struct page *).

Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
Suggested-by: David Hildenbrand <david@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Hugh Dickins <hughd@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Dongwon Kim <dongwon.kim@intel.com>
Cc: Junxiao Chang <junxiao.chang@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
[ Andrey: Backport required minor change: replace call
to vm_flags_set() in mmap_udmabuf() by direct
modification of the vma->vm_flags, because the set
of vm_flags_*() functions is not in this versions. ]
Signed-off-by: Andrey Kalachev <kalachev@swemel.ru>
---
 drivers/dma-buf/udmabuf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index 2bcdb935a3ac..e57d57a10bb0 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -33,12 +33,13 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
 	struct vm_area_struct *vma = vmf->vma;
 	struct udmabuf *ubuf = vma->vm_private_data;
 	pgoff_t pgoff = vmf->pgoff;
+	unsigned long pfn;
 
 	if (pgoff >= ubuf->pagecount)
 		return VM_FAULT_SIGBUS;
-	vmf->page = ubuf->pages[pgoff];
-	get_page(vmf->page);
-	return 0;
+
+	pfn = page_to_pfn(ubuf->pages[pgoff]);
+	return vmf_insert_pfn(vma, vmf->address, pfn);
 }
 
 static const struct vm_operations_struct udmabuf_vm_ops = {
@@ -54,6 +55,7 @@ static int mmap_udmabuf(struct dma_buf *buf, struct vm_area_struct *vma)
 
 	vma->vm_ops = &udmabuf_vm_ops;
 	vma->vm_private_data = ubuf;
+	vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
 	return 0;
 }
 
-- 
2.30.2

Re: [PATCH v5.4-v6.1] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d

WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev <kalachev@swemel.ru>
Commit author: Vivek Kasireddy <vivek.kasireddy@intel.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
1:  7d79cd7844703 ! 1:  14a0c0b74cf0d udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
    @@ Metadata
      ## Commit message ##
         udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
     
    +    [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
    +
         Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
         would be managed without using struct page.
     
    @@ Commit message
         Cc: Oscar Salvador <osalvador@suse.de>
         Cc: Shuah Khan <shuah@kernel.org>
         Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    +    Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
    +    [ Andrey: Backport required minor change: replace call
    +    to vm_flags_set() in mmap_udmabuf() by direct
    +    modification of the vma->vm_flags, because the set
    +    of vm_flags_*() functions is not in this versions. ]
    +    Signed-off-by: Andrey Kalachev <kalachev@swemel.ru>
     
      ## drivers/dma-buf/udmabuf.c ##
     @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
    @@ drivers/dma-buf/udmabuf.c: static int mmap_udmabuf(struct dma_buf *buf, struct v
      
      	vma->vm_ops = &udmabuf_vm_ops;
      	vma->vm_private_data = ubuf;
    -+	vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
    ++	vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
      	return 0;
      }
      
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |
| stable/linux-5.4.y        |  Success    |  Success   |

Re: [PATCH v6.6] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d

WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev <kalachev@swemel.ru>
Commit author: Vivek Kasireddy <vivek.kasireddy@intel.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found

Note: The patch differs from the upstream commit:
---
1:  7d79cd7844703 ! 1:  edc6b0308d474 udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
    @@ Metadata
      ## Commit message ##
         udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
     
    +    [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
    +
         Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
         would be managed without using struct page.
     
    @@ Commit message
         Cc: Oscar Salvador <osalvador@suse.de>
         Cc: Shuah Khan <shuah@kernel.org>
         Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    +    Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
     
      ## drivers/dma-buf/udmabuf.c ##
     @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Success   |

Re: [PATCH v5.4-v6.1] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d

WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev <kalachev@swemel.ru>
Commit author: Vivek Kasireddy <vivek.kasireddy@intel.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
1:  7d79cd7844703 ! 1:  14a0c0b74cf0d udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
    @@ Metadata
      ## Commit message ##
         udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
     
    +    [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
    +
         Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
         would be managed without using struct page.
     
    @@ Commit message
         Cc: Oscar Salvador <osalvador@suse.de>
         Cc: Shuah Khan <shuah@kernel.org>
         Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    +    Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
    +    [ Andrey: Backport required minor change: replace call
    +    to vm_flags_set() in mmap_udmabuf() by direct
    +    modification of the vma->vm_flags, because the set
    +    of vm_flags_*() functions is not in this versions. ]
    +    Signed-off-by: Andrey Kalachev <kalachev@swemel.ru>
     
      ## drivers/dma-buf/udmabuf.c ##
     @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
    @@ drivers/dma-buf/udmabuf.c: static int mmap_udmabuf(struct dma_buf *buf, struct v
      
      	vma->vm_ops = &udmabuf_vm_ops;
      	vma->vm_private_data = ubuf;
    -+	vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP);
    ++	vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
      	return 0;
      }
      
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        |  Success    |  Success   |
| stable/linux-5.4.y        |  Success    |  Success   |

Re: [PATCH v6.6] udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d

WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev <kalachev@swemel.ru>
Commit author: Vivek Kasireddy <vivek.kasireddy@intel.com>


Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found

Note: The patch differs from the upstream commit:
---
1:  7d79cd7844703 ! 1:  edc6b0308d474 udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
    @@ Metadata
      ## Commit message ##
         udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
     
    +    [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
    +
         Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings
         would be managed without using struct page.
     
    @@ Commit message
         Cc: Oscar Salvador <osalvador@suse.de>
         Cc: Shuah Khan <shuah@kernel.org>
         Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    +    Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
     
      ## drivers/dma-buf/udmabuf.c ##
     @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        |  Success    |  Success   |