Subject: Re: [mm 4.15-rc8] Random oopses under memory pressure.
From: Tetsuo Handa
To: "Kirill A. Shutemov", torvalds@linux-foundation.org
Cc: Dave Hansen, kirill.shutemov@linux.intel.com, akpm@linux-foundation.org, hannes@cmpxchg.org, iamjoonsoo.kim@lge.com, mgorman@techsingularity.net, tony.luck@intel.com, vbabka@suse.cz, mhocko@kernel.org, aarcange@redhat.com, hillf.zj@alibaba-inc.com, hughd@google.com, oleg@redhat.com, peterz@infradead.org, riel@redhat.com, srikar@linux.vnet.ibm.com, vdavydov.dev@gmail.com, mingo@kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Date: Fri, 19 Jan 2018 11:01:34 +0900

Kirill A. Shutemov wrote:
> Something like this?
>
>
> From 251e124630da82482e8b320c73162ce89af04d5d Mon Sep 17 00:00:00 2001
> From: "Kirill A. Shutemov"
> Date: Thu, 18 Jan 2018 18:24:07 +0300
> Subject: [PATCH] mm, page_vma_mapped: Fix pointer arithmetics in check_pte()
>
> Tetsuo reported random crashes under memory pressure on a 32-bit x86
> system and tracked it down to the change that introduced
> page_vma_mapped_walk().
>
> The root cause of the issue is the faulty pointer math in check_pte().
> As ->pte may point to an arbitrary page we have to check that they
> belong to the section before doing math. Otherwise it may lead to weird
> results.
>
> It wasn't noticed until now as mem_map[] is virtually contiguous on flatmem or
> vmemmap sparsemem. Pointer arithmetic just works against all 'struct page'
> pointers. But with classic sparsemem, it doesn't.
>
> Let's restructure the code a bit and add the necessary check.
>
> Signed-off-by: Kirill A. Shutemov
> Reported-by: Tetsuo Handa
> Fixes: ace71a19cec5 ("mm: introduce page_vma_mapped_walk()")
> Cc: stable@vger.kernel.org

This patch solves the problem. Thank you.

Tested-by: Tetsuo Handa

> --- > mm/page_vma_mapped.c | 66 +++++++++++++++++++++++++++++++++++----------------- > 1 file changed, 45 insertions(+), 21 deletions(-) > > diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c > index d22b84310f6d..de195dcdfbd8 100644 > --- a/mm/page_vma_mapped.c > +++ b/mm/page_vma_mapped.c > @@ -30,8 +30,28 @@ static bool map_pte(struct page_vma_mapped_walk *pvmw) > return true; > } > > +/** > + * check_pte - check if @pvmw->page is mapped at the @pvmw->pte > + * > + * page_vma_mapped_walk() found a place where @pvmw->page is *potentially* > + * mapped. check_pte() has to validate this. > + * > + * @pvmw->pte may point to empty PTE, swap PTE or PTE pointing to arbitrary > + * page. > + * > + * If PVMW_MIGRATION flag is set, returns true if @pvmw->pte contains migration > + * entry that points to @pvmw->page or any subpage in case of THP. > + * > + * If PVMW_MIGRATION flag is not set, returns true if @pvmw->pte points to > + * @pvmw->page or any subpage in case of THP. > + * > + * Otherwise, return false. > + * > + */ > static bool check_pte(struct page_vma_mapped_walk *pvmw) > { > + struct page *page; > + > if (pvmw->flags & PVMW_MIGRATION) { > #ifdef CONFIG_MIGRATION > swp_entry_t entry; 
> @@ -41,37 +61,41 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw) > > if (!is_migration_entry(entry)) > return false; > - if (migration_entry_to_page(entry) - pvmw->page >= > - hpage_nr_pages(pvmw->page)) { > - return false; > - } > - if (migration_entry_to_page(entry) < pvmw->page) > - return false; > + > + page = migration_entry_to_page(entry); > #else > WARN_ON_ONCE(1); > #endif > - } else { > - if (is_swap_pte(*pvmw->pte)) { > - swp_entry_t entry; > + } else if (is_swap_pte(*pvmw->pte)) { > + swp_entry_t entry; > > - entry = pte_to_swp_entry(*pvmw->pte); > - if (is_device_private_entry(entry) && > - device_private_entry_to_page(entry) == pvmw->page) > - return true; > - } > + /* Handle un-addressable ZONE_DEVICE memory */ > + entry = pte_to_swp_entry(*pvmw->pte); > + if (!is_device_private_entry(entry)) > + return false; > > + page = device_private_entry_to_page(entry); > + } else { > if (!pte_present(*pvmw->pte)) > return false; > > - /* THP can be referenced by any subpage */ > - if (pte_page(*pvmw->pte) - pvmw->page >= > - hpage_nr_pages(pvmw->page)) { > - return false; > - } > - if (pte_page(*pvmw->pte) < pvmw->page) > - return false; > + page = pte_page(*pvmw->pte); > } > > + /* > + * Make sure that pages are in the same section before doing pointer > + * arithmetics. > + */ > + if (page_to_section(pvmw->page) != page_to_section(page)) > + return false; > + > + if (page < pvmw->page) > + return false; > + > + /* THP can be referenced by any subpage */ > + if (page - pvmw->page >= hpage_nr_pages(pvmw->page)) > + return false; > + > return true; > }
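
Review bot: In the first hunk (@@ -30,8 +30,28 @@), the new "/**" block for check_pte() is opened as kernel-doc but has no "@pvmw:" parameter line and no "Return:" section, and it ends with an empty " *" line before "*/". Suggest adding a one-line "@pvmw:" description, folding the three return-value paragraphs into a "Return:" section, and dropping the trailing empty line. The comment also says nothing about the two things the second hunk introduces: that a swap PTE is accepted only when it is a device-private entry, and that a page in a different section than @pvmw->page is always rejected. One sentence for each would keep the comment in step with the code.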
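
Review bot: In the second hunk (@@ -41,37 +61,41 @@), the "#else" arm of the PVMW_MIGRATION branch only does "WARN_ON_ONCE(1);" and then falls through to the new common checks without ever assigning "page". The first hunk declares "struct page *page;" with no initializer, so with CONFIG_MIGRATION disabled "page_to_section(page)", "page < pvmw->page" and "page - pvmw->page" all read an uninitialized pointer. Suggest adding "return false;" after the WARN_ON_ONCE(1) so that path never reaches the shared tail. Separately, the page_to_section() comparison is now unconditional, while the commit message names flatmem and vmemmap sparsemem as layouts where plain pointer arithmetic already works; it is worth confirming that page_to_section() is available and cheap in those configurations, or guarding the check accordingly.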
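
Added example, not part of the original mail and not kernel code: a small model of how the range check described in the commit message can accept an unrelated page when the two 'struct page' pointers live in separately allocated mem_map arrays, and how a same-section guard rejects it. The 36-byte element size, the addresses, the section layout and all helper names are assumptions made for the illustration; pointers are modelled as 32-bit integers so the arithmetic is well defined.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not kernel code: a 'struct page *' is a 32-bit address.
 * ASSUMPTION: sizeof(struct page) is 36 bytes (4 * 9, not a power of two). */
#define PAGE_STRUCT_SIZE 36u
#define INV9 0x38E38E39u /* 9 * INV9 == 1 (mod 2^32) */

/* Constructed layout: each section's mem_map is allocated separately, so the
 * distance between the two arrays is not a multiple of 36. */
struct section { uint32_t map_start, nr_pages; };
static const struct section sections[] = {
    { 0xC1000000u, 1024 },
    { 0xC2000004u, 1024 },
};

/* Hypothetical helper: index of the section whose mem_map holds addr, or -1. */
static int section_of(uint32_t addr)
{
    for (int i = 0; i < 2; i++) {
        uint32_t len = sections[i].nr_pages * PAGE_STRUCT_SIZE;
        if (addr - sections[i].map_start < len)
            return i;
    }
    return -1;
}

/* a - b as a compiler may emit it for element pointers: it assumes the byte
 * distance is an exact multiple of 36, so it divides by 4 and multiplies by
 * the modular inverse of 9. Exact within one array, garbage across two. */
static int32_t ptr_diff(uint32_t a, uint32_t b)
{
    int32_t bytes = (int32_t)(a - b);
    return (int32_t)((uint32_t)(bytes / 4) * INV9);
}

/* Range check in the order the pre-patch code applied it. */
static bool check_without_section(uint32_t page, uint32_t base, int32_t nr)
{
    return ptr_diff(page, base) < nr && page >= base;
}

/* The same check behind the same-section guard the patch adds. */
static bool check_with_section(uint32_t page, uint32_t base, int32_t nr)
{
    return section_of(page) == section_of(base) &&
           check_without_section(page, base, nr);
}
```

In this layout the first entry of the second section yields a negative "index" relative to the first section's base, so it slips under the upper bound and, being at a higher address, also passes the lower-bound test.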