diff mbox series

mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse

Message ID 20220727191407.1768600-1-zack@kde.org (mailing list archive)
State New, archived
Headers show
Series mm: Fix a null ptr deref with CONFIG_DEBUG_VM enabled in wp_page_reuse | expand

Commit Message

Zack Rusin July 27, 2022, 7:14 p.m. UTC 
From: Zack Rusin <zackr@vmware.com>

Write page faults on last references might not have a valid page anymore.
wp_page_reuse has always dealt with that scenario by making
sure the page isn't null (or the reference was shared) before doing
anything with it. Recently added checks in VM_BUG_ON (enabled by the
CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
page is never null, before making sure there is a valid page to work
with.

Move the VM_BUG_ON, which unconditionally uses the page, after the
code that checks that we have a valid one.

Fixes a kernel oops, which is easy to reproduce with 3D apps on arm64 and
x86 on kernels with CONFIG_DEBUG_VM set:

Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] SMP
CPU: 0 PID: 2396 Comm: Xwayland Tainted: G     U            5.19.0-rc2-vmwgfx #28
Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.20138482.BA64.2207201941 07/20/2022
pstate: 10400005 (nzcV daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : _compound_head+0x24/0xd0
lr : wp_page_reuse+0x8c/0x544
sp : ffff800013637aa0
x29: ffff800013637aa0 x28: ffff00002a28b730 x27: ffff800013637cc8
x26: 0000000000000000 x25: ffff800013637d00 x24: ffff00000c742168
x23: 1ffff000026c6fa0 x22: ffff000013ce59a0 x21: ffff00002a28b730
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 1ffff000026c6f22 x13: 65676170206c6c75 x12: ffff600019dc772f
x11: 1fffe00019dc772e x10: ffff600019dc772e x9 : ffff8000085b1a78
x8 : ffff0000cee3b977 x7 : 0000000000000001 x6 : ffff600019dc772e
x5 : ffff0000cee3b970 x4 : ffff600019dc772f x3 : 1ffff000026c6f99
x2 : 0000000000000001 x1 : dfff800000000000 x0 : 0000000000000008
Call trace:
 _compound_head+0x24/0xd0
 wp_page_reuse+0x8c/0x544
 finish_mkwrite_fault+0x1a0/0x274
 do_wp_page+0x6cc/0x1000
 __handle_mm_fault+0xdc8/0x2620
 handle_mm_fault+0x21c/0x530
 do_page_fault+0x250/0xa40
 do_mem_abort+0x78/0x1b4
 el0_da+0x80/0x1c0
 el0t_64_sync_handler+0xf8/0x140
 el0t_64_sync+0x1a0/0x1a4
Code: aa0003f3 91002000 f2fbffe1 d343fc02 (38e16841)
---[ end trace 0000000000000000 ]---

Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
Signed-off-by: Zack Rusin <zackr@vmware.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Don Dutile <ddutile@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Liang Zhang <zhangliang5@huawei.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Nadav Amit <namit@vmware.com>
Cc: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: NeilBrown <neilb@suse.de>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Hongchen Zhang <zhanghongchen@loongson.cn>
Cc: linux-mm@kvack.org
---
 mm/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Matthew Wilcox July 27, 2022, 7:24 p.m. UTC | #1 
On Wed, Jul 27, 2022 at 03:14:07PM -0400, Zack Rusin wrote:
> From: Zack Rusin <zackr@vmware.com>
> 
> Write page faults on last references might not have a valid page anymore.
> wp_page_reuse has always dealt with that scenario by making
> sure the page isn't null (or the reference was shared) before doing
> anything with it. Recently added checks in VM_BUG_ON (enabled by the
> CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
> page is never null, before making sure there is a valid page to work
> with.
> 
> Move the VM_BUG_ON, which unconditionally uses the page, after the
> code that checks that we have a valid one.

Message-ID: <CAHk-=wh_TrgNm6vz7=7CgZppr0UrZ9TwLyb3dgPXyG-w=a8kJQ@mail.gmail.com>
Zack Rusin July 27, 2022, 7:31 p.m. UTC | #2 
On Wed, 2022-07-27 at 20:24 +0100, Matthew Wilcox wrote:
> On Wed, Jul 27, 2022 at 03:14:07PM -0400, Zack Rusin wrote:
> > From: Zack Rusin <zackr@vmware.com>
> > 
> > Write page faults on last references might not have a valid page anymore.
> > wp_page_reuse has always dealt with that scenario by making
> > sure the page isn't null (or the reference was shared) before doing
> > anything with it. Recently added checks in VM_BUG_ON (enabled by the
> > CONFIG_DEBUG_VM option) use PageAnon helpers which assume the passed
> > page is never null, before making sure there is a valid page to work
> > with.
> > 
> > Move the VM_BUG_ON, which unconditionally uses the page, after the
> > code that checks that we have a valid one.
> 
> Message-ID: <CAHk-=wh_TrgNm6vz7=7CgZppr0UrZ9TwLyb3dgPXyG-w=a8kJQ@mail.gmail.com>

Ah, great, thanks.

z
diff mbox series

Patch

diff --git a/mm/memory.c b/mm/memory.c
index 7a089145cad4..3e28c652cf60 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3043,15 +3043,16 @@  static inline void wp_page_reuse(struct vm_fault *vmf)
 	pte_t entry;
 
 	VM_BUG_ON(!(vmf->flags & FAULT_FLAG_WRITE));
-	VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 
 	/*
 	 * Clear the pages cpupid information as the existing
 	 * information potentially belongs to a now completely
 	 * unrelated process.
 	 */
-	if (page)
+	if (page) {
+		VM_BUG_ON(PageAnon(page) && !PageAnonExclusive(page));
 		page_cpupid_xchg_last(page, (1 << LAST_CPUPID_SHIFT) - 1);
+	}
 
 	flush_cache_page(vma, vmf->address, pte_pfn(vmf->orig_pte));
 	entry = pte_mkyoung(vmf->orig_pte);