From patchwork Tue Dec 28 23:42:57 2021
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 12700661
Reply-To: Sean Christopherson
Date: Tue, 28 Dec 2021 23:42:57 +0000
Message-Id: <20211228234257.1926057-1-seanjc@google.com>
Subject: [PATCH] hugetlbfs: Fix off-by-one error in hugetlb_vmdelete_list()
From: Sean Christopherson
To: Mike Kravetz
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+4e697fe80a31aa7efe21@syzkaller.appspotmail.com, kvm@vger.kernel.org, Paolo Bonzini, Sean Christopherson

Pass "end - 1" instead of "end" when walking the interval tree in
hugetlb_vmdelete_list() to fix an inclusive vs. exclusive bug. The two
callers that pass a non-zero "end" treat it as exclusive, whereas the
interval tree iterator expects an inclusive "last".

E.g. punching a hole in a file that precisely matches the size of a single
hugepage, with a vma starting right on the boundary, will result in
unmap_hugepage_range() being called twice, with the second call having
start==end.

The off-by-one error doesn't cause functional problems as
__unmap_hugepage_range() turns into a massive nop due to short-circuiting
its for-loop on "address < end". But, the mmu_notifier invocations to
invalid_range_{start,end}() are passed a bogus zero-sized range, which may
be unexpected behavior for secondary MMUs.

The bug was exposed by commit ed922739c919 ("KVM: Use interval tree to do
fast hva lookup in memslots"), currently queued in the KVM tree for 5.17,
which added a WARN to detect ranges with start==end.
Reported-by: syzbot+4e697fe80a31aa7efe21@syzkaller.appspotmail.com Fixes: 1bfad99ab425 ("hugetlbfs: hugetlb_vmtruncate_list() needs to take a range to delete") Cc: kvm@vger.kernel.org Cc: Paolo Bonzini Signed-off-by: Sean Christopherson Reviewed-by: Mike Kravetz --- Not sure if this should go to stable@. It's mostly harmless, and likely nothing more than a minor performance blip when it's not harmless. fs/hugetlbfs/inode.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 49d2e686be74..a7c6c7498be0 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -409,10 +409,11 @@ hugetlb_vmdelete_list(struct rb_root_cached *root, pgoff_t start, pgoff_t end) struct vm_area_struct *vma; /* - * end == 0 indicates that the entire range after - * start should be unmapped. + * end == 0 indicates that the entire range after start should be + * unmapped. Note, end is exclusive, whereas the interval tree takes + * an inclusive "last". */ - vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) { + vma_interval_tree_foreach(vma, root, start, end ? end - 1 : ULONG_MAX) { unsigned long v_offset; unsigned long v_end;
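Review bot: In the vma_interval_tree_foreach() line, "end - 1" cannot underflow because the ternary only evaluates it when "end" is non-zero, and the "end == 0" arm keeps ULONG_MAX, which is already an inclusive bound, so both arms now hand the iterator an inclusive "last". One thing the hunk does not show and that is worth confirming: the v_offset/v_end computations that follow the declarations must keep using the exclusive "end", since only the iterator bound should change; a short remark in the rewritten comment, e.g. "end itself remains an exclusive bound for the clamping below", would make that explicit for future readers. Given that the only observable effect of the old bound is a zero-length range reaching the mmu_notifier invalidate_range_{start,end}() callbacks, leaving out Cc: stable, as the cover note leans towards, seems reasonable with the Fixes: tag in place.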
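The inclusive-vs-exclusive mismatch the commit message describes, modelled in a small stand-alone C program added here for illustration (this is not the kernel's code and not part of the patch). The struct vma, vma_overlaps(), vmdelete_walk(), hole_punch_one_page() and truncate_from_page() are hypothetical simplifications that work in file-page units; the only facts taken from the patch are that vma_interval_tree_foreach() takes an inclusive "last" and that hugetlb_vmdelete_list() receives an exclusive "end" with 0 meaning "to the end of the file". The sample vma layouts are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a hugetlbfs vma: it maps the file pages
 * [pgoff, pgoff + npages), with npages >= 1. Not the kernel's struct. */
struct vma {
	unsigned long pgoff;
	unsigned long npages;
};

/* What a walk would hand to unmap_hugepage_range(): how many calls were
 * issued, and how many of them carried an empty (start == end) range. */
struct walk_result {
	int calls;
	int empty_calls;
};

/* The contract the commit message attributes to vma_interval_tree_foreach():
 * bounds are inclusive, so a vma matches when its page range intersects
 * [first, last] with 'last' included. */
static int vma_overlaps(const struct vma *v, unsigned long first, unsigned long last)
{
	unsigned long v_last = v->pgoff + v->npages - 1;

	return v->pgoff <= last && v_last >= first;
}

/*
 * Model of hugetlb_vmdelete_list(): 'start' is inclusive and 'end' is
 * exclusive (end == 0 means "everything after start"). 'fixed' selects the
 * patched iterator bound (end - 1) or the pre-patch bound (end).
 */
static struct walk_result vmdelete_walk(const struct vma *vmas, size_t n,
					unsigned long start, unsigned long end,
					int fixed)
{
	struct walk_result r = { 0, 0 };
	unsigned long last;
	size_t i;

	/* "end ? end - 1 : ULONG_MAX" (patched) vs "end ? end : ULONG_MAX" (old). */
	if (end == 0)
		last = ULONG_MAX;
	else
		last = fixed ? end - 1 : end;

	for (i = 0; i < n; i++) {
		const struct vma *v = &vmas[i];
		unsigned long u_start, u_end;

		if (!vma_overlaps(v, start, last))
			continue;

		/* Clamp the requested range to this vma, as the real loop body
		 * does via v_offset/v_end. The clamp keeps 'end' exclusive. */
		u_start = start > v->pgoff ? start : v->pgoff;
		u_end = v->pgoff + v->npages;
		if (end != 0 && end < u_end)
			u_end = end;

		r.calls++;
		if (u_start == u_end)
			r.empty_calls++;
	}
	return r;
}

/* The scenario from the commit message (constructed sample data): one vma
 * maps page 0, a second vma starts exactly on the boundary at page 1, and a
 * hole of exactly one page, [0, 1), is punched. */
struct walk_result hole_punch_one_page(int fixed)
{
	static const struct vma vmas[] = { { 0, 1 }, { 1, 1 } };

	return vmdelete_walk(vmas, 2, 0, 1, fixed);
}

/* The end == 0 path ("everything after start") is unaffected by the patch. */
struct walk_result truncate_from_page(unsigned long start, int fixed)
{
	static const struct vma vmas[] = { { 0, 1 }, { 1, 1 }, { 5, 2 } };

	return vmdelete_walk(vmas, 3, start, 0, fixed);
}

int main(void)
{
	struct walk_result old_bound = hole_punch_one_page(0);
	struct walk_result patched = hole_punch_one_page(1);

	printf("pre-patch: %d unmap call(s), %d with start == end\n",
	       old_bound.calls, old_bound.empty_calls);
	printf("patched:   %d unmap call(s), %d with start == end\n",
	       patched.calls, patched.empty_calls);
	return 0;
}
```

With the old bound the walk visits the boundary vma and issues a second, empty unmap; with the patched bound that vma is never visited, so no zero-length range can reach the mmu_notifier callbacks. The end == 0 case behaves identically before and after, which is what a reviewer would want to see confirmed.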