From patchwork Tue Jun 6 23:36:13 2023
X-Patchwork-Submitter: Rafael Aquini
X-Patchwork-Id: 13269860
From: Rafael Aquini
To: Andrew Morton, Yafang Shao
Cc: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, linux-mm@kvack.org, stable@vger.kernel.org, Aristeu Rozanski, Rafael Aquini
Subject: [PATCH] writeback: fix dereferencing NULL mapping->host on writeback_page_template
Date: Tue, 6 Jun 2023 19:36:13 -0400
Message-Id: <20230606233613.1290819-1-aquini@redhat.com>

When commit 19343b5bdd16 ("mm/page-writeback: introduce tracepoint for
wait_on_page_writeback()") repurposed the writeback_dirty_page trace event
as a template to create its new wait_on_page_writeback trace event, it
ended up opening a window to NULL pointer dereference crashes due to
the (infrequent) occurrence of a race where an access to a page in the
swap-cache happens concurrently with the moment this page is being
written to disk and the tracepoint is enabled:

    BUG: kernel NULL pointer dereference, address: 0000000000000040
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 800000010ec0a067 P4D 800000010ec0a067 PUD 102353067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 1 PID: 1320 Comm: shmem-worker Kdump: loaded Not tainted 6.4.0-rc5+ #13
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230301gitf80f052277c8-1.fc37 03/01/2023
    RIP: 0010:trace_event_raw_event_writeback_folio_template+0x76/0xf0
    Code: 4d 85 e4 74 5c 49 8b 3c 24 e8 06 98 ee ff 48 89 c7 e8 9e 8b ee ff ba 20 00 00 00 48 89 ef 48 89 c6 e8 fe d4 1a 00 49 8b 04 24 <48> 8b 40 40 48 89 43 28 49 8b 45 20 48 89 e7 48 89 43 30 e8 a2 4d
    RSP: 0000:ffffaad580b6fb60 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff90e38035c01c RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff90e38035c044
    RBP: ffff90e38035c024 R08: 0000000000000002 R09: 0000000000000006
    R10: ffff90e38035c02e R11: 0000000000000020 R12: ffff90e380bac000
    R13: ffffe3a7456d9200 R14: 0000000000001b81 R15: ffffe3a7456d9200
    FS: 00007f2e4e8a15c0(0000) GS:ffff90e3fbc80000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000040 CR3: 00000001150c6003 CR4: 0000000000170ee0
    Call Trace:
     ? __die+0x20/0x70
     ? page_fault_oops+0x76/0x170
     ? kernelmode_fixup_or_oops+0x84/0x110
     ? exc_page_fault+0x65/0x150
     ? asm_exc_page_fault+0x22/0x30
     ? trace_event_raw_event_writeback_folio_template+0x76/0xf0
     folio_wait_writeback+0x6b/0x80
     shmem_swapin_folio+0x24a/0x500
     ? filemap_get_entry+0xe3/0x140
     shmem_get_folio_gfp+0x36e/0x7c0
     ? find_busiest_group+0x43/0x1a0
     shmem_fault+0x76/0x2a0
     ? __update_load_avg_cfs_rq+0x281/0x2f0
     __do_fault+0x33/0x130
     do_read_fault+0x118/0x160
     do_pte_missing+0x1ed/0x2a0
     __handle_mm_fault+0x566/0x630
     handle_mm_fault+0x91/0x210
     do_user_addr_fault+0x22c/0x740
     exc_page_fault+0x65/0x150
     asm_exc_page_fault+0x22/0x30

This problem arises from the fact that the repurposed writeback_dirty_page
trace event code was written assuming that every pointer to mapping
(struct address_space) would come from a file-mapped page-cache object,
thus mapping->host would always be populated, and that was a valid case
before commit 19343b5bdd16. The swap-cache address space (swapper_spaces),
however, doesn't populate its ->host (struct inode) pointer, thus leading
to the crashes in the corner-case aforementioned.

commit 19343b5bdd16 ended up breaking the assignment of __entry->name and
__entry->ino for the wait_on_page_writeback tracepoint -- both dependent
on mapping->host carrying a pointer to a valid inode. The assignment of
__entry->name was fixed by commit 68f23b89067f ("memcg: fix a crash in
wb_workfn when a device disappears"), and this commit fixes the remaining
case, for __entry->ino.

Fixes: 19343b5bdd16 ("mm/page-writeback: introduce tracepoint for wait_on_page_writeback()")
Signed-off-by: Rafael Aquini
Reviewed-by: Yafang Shao
---
 include/trace/events/writeback.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h index 86b2a82da546..54e353c9f919 100644 --- a/include/trace/events/writeback.h +++ b/include/trace/events/writeback.h 
@@ -68,7 +68,7 @@ DECLARE_EVENT_CLASS(writeback_folio_template, strscpy_pad(__entry->name, bdi_dev_name(mapping ? inode_to_bdi(mapping->host) : NULL), 32); - __entry->ino = mapping ? mapping->host->i_ino : 0; + __entry->ino = (mapping && mapping->host) ? mapping->host->i_ino : 0; __entry->index = folio->index; ),
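
Review bot: the `__entry->ino` assignment now checks `mapping->host`, but the `strscpy_pad()` line in the context directly above it still passes `mapping->host` to `inode_to_bdi()` under a `mapping ?` check alone, so the two adjacent assignments handle a NULL host by different means and nothing in the hunk says why. The commit message attributes the name case to 68f23b89067f; a short comment above these two assignments stating that swap-cache mappings (swapper_spaces) carry no ->host, and that ino is reported as 0 for them, would document that for the next reader. It would also help consumers of the trace output, since `ino=0` now covers both a NULL mapping and a mapping without a host.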