From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Muchun Song, Andrew Morton, David Hildenbrand, Kirill Tkhai, Hugh Dickins, Yang Shi, Claudio Imbrenda, Markus Elfring, Linus Torvalds, Xiongchun Duan
Subject: [PATCH 5.6 101/167] mm/ksm: fix NULL pointer dereference when KSM zero page is enabled
Date: Tue, 28 Apr 2020 20:24:37 +0200
Message-Id: <20200428182237.949581001@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200428182225.451225420@linuxfoundation.org>
References: <20200428182225.451225420@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org
From: Muchun Song

commit 56df70a63ed5d989c1d36deee94cae14342be6e9 upstream.

find_mergeable_vma() can return NULL. In this case, it leads to a crash
when we access vm_mm (its offset is 0x40) later in write_protect_page.
And this case did happen on our server. The following call trace is
captured in kernel 4.19 with the following patch applied and KSM zero
page enabled on our server.

commit e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")

So add a vma check to fix it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
Oops: 0000 [#1] SMP NOPTI
CPU: 9 PID: 510 Comm: ksmd Kdump: loaded Tainted: G OE 4.19.36.bsk.9-amd64 #4.19.36.bsk.9
RIP: try_to_merge_one_page+0xc7/0x760
Code: 24 58 65 48 33 34 25 28 00 00 00 89 e8 0f 85 a3 06 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 46 08 a8 01 75 b8 <49> 8b 44 24 40 4c 8d 7c 24 20 b9 07 00 00 00 4c 89 e6 4c 89 ff 48
RSP: 0018:ffffadbdd9fffdb0 EFLAGS: 00010246
RAX: ffffda83ffd4be08 RBX: ffffda83ffd4be40 RCX: 0000002c6e800000
RDX: 0000000000000000 RSI: ffffda83ffd4be40 RDI: 0000000000000000
RBP: ffffa11939f02ec0 R08: 0000000094e1a447 R09: 00000000abe76577
R10: 0000000000000962 R11: 0000000000004e6a R12: 0000000000000000
R13: ffffda83b1e06380 R14: ffffa18f31f072c0 R15: ffffda83ffd4be40
FS:  0000000000000000(0000) GS:ffffa0da43b80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000002c77c0a003 CR4: 00000000007626e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ksm_scan_thread+0x115e/0x1960
 kthread+0xf5/0x130
 ret_from_fork+0x1f/0x30

[songmuchun@bytedance.com: if the vma is out of date, just exit]
  Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com
[akpm@linux-foundation.org: add the conventional braces, replace /** with /*]
Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of
zero pages with colouring")
Co-developed-by: Xiongchun Duan
Signed-off-by: Muchun Song
Signed-off-by: Andrew Morton
Reviewed-by: David Hildenbrand
Reviewed-by: Kirill Tkhai
Cc: Hugh Dickins
Cc: Yang Shi
Cc: Claudio Imbrenda
Cc: Markus Elfring
Cc:
Link: http://lkml.kernel.org/r/20200416025034.29780-1-songmuchun@bytedance.com
Link: http://lkml.kernel.org/r/20200414132905.83819-1-songmuchun@bytedance.com
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 mm/ksm.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/mm/ksm.c +++ b/mm/ksm.c @@ -2112,8 +2112,16 @@ static void cmp_and_merge_page(struct pa down_read(&mm->mmap_sem); vma = find_mergeable_vma(mm, rmap_item->address); - err = try_to_merge_one_page(vma, page, - ZERO_PAGE(rmap_item->address)); + if (vma) { + err = try_to_merge_one_page(vma, page, + ZERO_PAGE(rmap_item->address)); + } else { + /* + * If the vma is out of date, we do not need to + * continue. + */ + err = 0; + } up_read(&mm->mmap_sem); /* * In case of failure, the page was not really empty, so we
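Review bot: the comment in the new else branch says why the merge is skipped but not what `err = 0` means to the caller: it takes the non-failure path of the context that follows the hunk ("In case of failure, the page was not really empty, so we ..."), so a vma that has gone away is treated as "done" rather than as a merge that should be retried. Consider saying so in the comment, for example "The vma went away under us; report success so the stale rmap_item is simply skipped", so a later reader does not read the 0 as a merge having happened. The check itself is consistent with the crash in the commit message (RDI and R12 are 0 and CR2 is 0x40, the vm_mm offset named in the text), and placing it inside the mmap_sem read section right after find_mergeable_vma() is the right spot, since that is the call that returns NULL.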