From patchwork Thu Oct 7 23:15:02 2021
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 12543757
Reply-To: Sean Christopherson
Date: Thu, 7 Oct 2021 16:15:02 -0700
Message-Id: <20211007231502.3552715-1-seanjc@google.com>
Subject: [PATCH] mm: Fix NULL page->mapping dereference in page_is_secretmem()
From: Sean Christopherson
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, Mike Rapoport, linux-mm@kvack.org, "Darrick J . Wong", Stephen, Sean Christopherson

Check for a NULL page->mapping before dereferencing the mapping in
page_is_secretmem(), as the page's mapping can be nullified while gup()
is running, e.g. by reclaim or truncation.

  BUG: kernel NULL pointer dereference, address: 0000000000000068
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W
  RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0
  Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be
  RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046
  RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900
  ...
CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0 Call Trace: get_user_pages_fast_only+0x13/0x20 hva_to_pfn+0xa9/0x3e0 try_async_pf+0xa1/0x270 direct_page_fault+0x113/0xad0 kvm_mmu_page_fault+0x69/0x680 vmx_handle_exit+0xe1/0x5d0 kvm_arch_vcpu_ioctl_run+0xd81/0x1c70 kvm_vcpu_ioctl+0x267/0x670 __x64_sys_ioctl+0x83/0xa0 do_syscall_64+0x56/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Cc: Mike Rapoport Cc: linux-mm@kvack.org Reported-by: Darrick J. Wong Reported-by: Stephen Tested-by: Darrick J. Wong Signed-off-by: Sean Christopherson Reviewed-by: David Hildenbrand Reviewed-by: Mike Rapoport --- include/linux/secretmem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h index 21c3771e6a56..988528b5da43 100644 --- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -23,7 +23,7 @@ static inline bool page_is_secretmem(struct page *page) mapping = (struct address_space *) ((unsigned long)page->mapping & ~PAGE_MAPPING_FLAGS); - if (mapping != page->mapping) + if (!mapping || mapping != page->mapping) return false; return mapping->a_ops == &secretmem_aops;
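
Review bot: In the changed condition of page_is_secretmem(), `page->mapping` is still loaded twice with plain reads, once to compute the masked `mapping` and once in `mapping != page->mapping`, while the commit message says the field can be cleared concurrently by reclaim or truncation during gup(). The added `!mapping` test protects the later `mapping->a_ops` dereference only if the compiler keeps the first load in the local, so consider taking one snapshot with READ_ONCE(page->mapping), deriving both the masked value and the comparison from that snapshot, and adding a one-line comment above the check saying why NULL is possible here. The trailers also carry no Fixes: tag, which would help identify which kernels need the change.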