From: Jinjiang Tu
Subject: [PATCH] mm: fix NULL pointer dereference in alloc_pages_bulk_noprof
Date: Wed, 13 Nov 2024 16:32:35 +0800
Message-ID: <20241113083235.166798-1-tujinjiang@huawei.com>

We triggered a NULL pointer dereference for
ac.preferred_zoneref->zone in alloc_pages_bulk_noprof() when the task is migrated between cpusets.

When cpuset is enabled, in prepare_alloc_pages(), ac->nodemask may be &current->mems_allowed. When first_zones_zonelist() is called to find preferred_zoneref, the ac->nodemask may be modified concurrently if the task is migrated between different cpusets. Assuming we have 2 NUMA nodes, when traversing Node1 in ac->zonelist, the nodemask is 2, and when traversing Node2 in ac->zonelist, the nodemask is 1. As a result, the ac->preferred_zoneref points to NULL zone.

In alloc_pages_bulk_noprof(), for_each_zone_zonelist_nodemask() finds an allowable zone and calls zonelist_node_idx(ac.preferred_zoneref), leading to NULL pointer dereference.

__alloc_pages_noprof() fixes this issue by checking NULL pointer in commit ea57485af8f4 ("mm, page_alloc: fix check for NULL preferred_zone") and commit df76cee6bbeb ("mm, page_alloc: remove redundant checks from alloc fastpath").

To fix it, check NULL pointer for preferred_zoneref->zone.

Fixes: 387ba26fb1cb ("mm/page_alloc: add a bulk page allocator")
Signed-off-by: Jinjiang Tu
Reviewed-by: Vlastimil Babka
--- mm/page_alloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index c6c7bb3ea71b..4afe8bc06358 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -4592,7 +4592,8 @@ unsigned long alloc_pages_bulk_noprof(gfp_t gfp, int preferred_nid, gfp = alloc_gfp; /* Find an allowed local zone that meets the low watermark. */ - for_each_zone_zonelist_nodemask(zone, z, ac.zonelist, ac.highest_zoneidx, ac.nodemask) { + z = ac.preferred_zoneref; + for_next_zone_zonelist_nodemask(zone, z, ac.highest_zoneidx, ac.nodemask) { unsigned long mark; if (cpusets_enabled() && (alloc_flags & ALLOC_CPUSET) &&
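Review bot: The changelog says the fix is to "check NULL pointer for preferred_zoneref->zone", but the two added lines, "z = ac.preferred_zoneref;" and the switch to for_next_zone_zonelist_nodemask(zone, z, ac.highest_zoneidx, ac.nodemask), contain no explicit NULL test, so the protection is implicit in how the iterator starts from z and decides when to stop. Please either add a one-line comment above "z = ac.preferred_zoneref;" saying that a preferred zoneref with a NULL zone is expected here under a concurrent cpuset change and that the walk must not enter the loop body in that case, or reword the changelog to describe the change as starting the walk from ac.preferred_zoneref instead of re-walking ac.zonelist. The loop still reads ac.nodemask, which the changelog says can be modified concurrently, so it is also worth stating in the changelog why reusing it for the remaining iterations is safe. What happens after the loop when no zone was selected falls outside the visible context; a sentence on that path would make the fix easier to verify.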