Message-ID: <3382634358afa9b95dc4f6db8a53a136d4b9e9cb.camel@surriel.com>
Subject: Re: [PATCH] mm/hugetlb: fix null ptr defer in hugetlb_vma_lock_write
From: Rik van Riel
To: Edward Adam Davis, syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, llvm@lists.linux.dev, mike.kravetz@oracle.com, muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com, syzkaller-bugs@googlegroups.com, trix@redhat.com
Date: Wed, 01 Nov 2023 10:27:56 -0400
References: <00000000000078d1e00608d7878b@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2023-11-01 at 14:36 +0800, Edward Adam Davis wrote:
> When obtaining resv_map from vma, it is necessary to simultaneously
> determine the flag HPAGE_RESV_OWNER of vm_private_data.
> Only when both are met is resv_map valid.
> 
> Reported-and-tested-by: syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com
> Fixes: bf4916922c60 ("hugetlbfs: extend hugetlb_vma_lock to private VMAs")
> Signed-off-by: Edward Adam Davis
> ---
>  include/linux/hugetlb.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
> index 47d25a5e1933..1a3ec1aee1a3 100644
> --- a/include/linux/hugetlb.h
> +++ b/include/linux/hugetlb.h
> @@ -1265,9 +1265,11 @@ static inline bool __vma_shareable_lock(struct vm_area_struct *vma)
>         return (vma->vm_flags & VM_MAYSHARE) && vma->vm_private_data;
>  }
>  
> +#define HPAGE_RESV_OWNER    (1UL << 0)
>  static inline bool __vma_private_lock(struct vm_area_struct *vma)
>  {
> -       return (!(vma->vm_flags & VM_MAYSHARE)) && vma->vm_private_data;
> +       return (!(vma->vm_flags & VM_MAYSHARE)) && vma->vm_private_data &&
> +               ((unsigned long)vma->vm_private_data & HPAGE_RESV_OWNER);
>  }

This could be cleaned up a bit by moving the HPAGE_RESV_OWNER
definition (and its friends) into hugetlb.h, as well as the
is_vma_resv_set() helper function.

Then __vma_private_lock() can just call is_vma_resv_set(), instead of
open coding a duplicate of the same code.

Not having duplicates of the code will make it much harder to
"miss a spot" with future changes.

I am still struggling to find a place where we might leave
HPAGE_RESV_OWNER behind on a pointer that is otherwise NULL,
but if your tests show this fixes the issue, I'm all for it :)

-- 
All Rights Reversed.
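Review bot: the new test in __vma_private_lock() still returns true when vm_private_data holds only the flag bit with no resv_map pointer behind it, because `(unsigned long)vma->vm_private_data & HPAGE_RESV_OWNER` is non-zero for exactly that value; if that is the state the reply describes ("leave HPAGE_RESV_OWNER behind on a pointer that is otherwise NULL"), the check also needs to mask the flag bits out and require the remaining pointer part to be non-NULL. Separately, the `+#define HPAGE_RESV_OWNER (1UL << 0)` line adds a second copy of a macro that already exists elsewhere (the reply asks for the definition and its friends to be moved into hugetlb.h, not duplicated); moving the definitions and is_vma_resv_set() into the header once and calling the helper from __vma_private_lock() keeps a single source of truth, as the reply suggests.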
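The encoding the thread argues about, as an added example in user-space C that is not code from the patch, from the kernel tree or from either poster: vm_private_data of a private hugetlb VMA carries a resv_map pointer with HPAGE_RESV_* flags packed into its low bits, and the example runs the pre-patch check, the check as posted, and one possible form of the reply's suggestion (reuse an is_vma_resv_set()-style helper and also require the pointer part to be non-NULL) over constructed VMA states, including the "flag bit left behind on an otherwise NULL pointer" case. The struct layouts, the VM_MAYSHARE value, HPAGE_RESV_UNMAPPED, HPAGE_RESV_MASK, vma_resv_map(), private_vma(), owner_vma() and the masked check itself are assumptions of this example, not kernel definitions.

```c
/*
 * Added example, not code from the patch or the kernel tree: a user-space
 * model of hugetlb's private-VMA vm_private_data word (resv_map pointer plus
 * low flag bits) and of the checks discussed in the thread. Struct layouts,
 * the VM_MAYSHARE value, HPAGE_RESV_UNMAPPED/HPAGE_RESV_MASK and the helper
 * names are stand-ins chosen for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define VM_MAYSHARE         0x00000080UL  /* assumed flag value; only its role matters */
#define HPAGE_RESV_OWNER    (1UL << 0)    /* as in the patch */
#define HPAGE_RESV_UNMAPPED (1UL << 1)    /* assumed "friend" flag in the same low bits */
#define HPAGE_RESV_MASK     (HPAGE_RESV_OWNER | HPAGE_RESV_UNMAPPED)

/* Stand-in for the kernel's resv_map; the long keeps it 8-byte aligned so the
 * low two bits of its address are free to carry the flags. */
struct resv_map { long placeholder; };

struct vm_area_struct {
    unsigned long vm_flags;
    void *vm_private_data;   /* resv_map pointer | HPAGE_RESV_* flags, or NULL */
};

static unsigned long get_vma_private_data(const struct vm_area_struct *vma)
{
    return (unsigned long)vma->vm_private_data;
}

/* Modelled on the helper the reply refers to: is this flag bit set? */
static bool is_vma_resv_set(const struct vm_area_struct *vma, unsigned long flag)
{
    return (get_vma_private_data(vma) & flag) != 0;
}

/* The pointer part alone: what a caller would actually dereference. */
static struct resv_map *vma_resv_map(const struct vm_area_struct *vma)
{
    return (struct resv_map *)(get_vma_private_data(vma) & ~HPAGE_RESV_MASK);
}

/* The check as it stood before the patch (the "-" line of the hunk). */
static bool private_lock_before(const struct vm_area_struct *vma)
{
    return !(vma->vm_flags & VM_MAYSHARE) && vma->vm_private_data;
}

/* The check as posted in the patch (the "+" lines of the hunk). */
static bool private_lock_patch(const struct vm_area_struct *vma)
{
    return !(vma->vm_flags & VM_MAYSHARE) && vma->vm_private_data &&
           ((unsigned long)vma->vm_private_data & HPAGE_RESV_OWNER);
}

/* One way to follow the reply's suggestion (an assumption of this example):
 * reuse is_vma_resv_set() and also require a non-NULL pointer part, so flag
 * bits left behind on an otherwise NULL value do not pass. */
static bool private_lock_masked(const struct vm_area_struct *vma)
{
    return !(vma->vm_flags & VM_MAYSHARE) && vma_resv_map(vma) != NULL &&
           is_vma_resv_set(vma, HPAGE_RESV_OWNER);
}

/* Would a caller that trusts this check go on to dereference a NULL resv_map? */
static bool check_would_null_deref(bool (*check)(const struct vm_area_struct *),
                                   const struct vm_area_struct *vma)
{
    return check(vma) && vma_resv_map(vma) == NULL;
}

/* Private (non-shared) VMA whose vm_private_data is the given raw word. */
static struct vm_area_struct private_vma(unsigned long raw)
{
    struct vm_area_struct vma = { 0, (void *)raw };
    return vma;
}

static struct resv_map example_map;  /* constructed sample resv_map */

/* The normal case: a private VMA that owns a real resv_map. */
static struct vm_area_struct owner_vma(void)
{
    return private_vma((unsigned long)&example_map | HPAGE_RESV_OWNER);
}

int main(void)
{
    struct { const char *name; struct vm_area_struct vma; } cases[4];
    cases[0].name = "no resv_map";           cases[0].vma = private_vma(0);
    cases[1].name = "owner + real pointer";  cases[1].vma = owner_vma();
    cases[2].name = "owner flag, NULL ptr";  cases[2].vma = private_vma(HPAGE_RESV_OWNER);
    cases[3].name = "shared VMA";            cases[3].vma = owner_vma();
    cases[3].vma.vm_flags |= VM_MAYSHARE;

    printf("%-24s %-7s %-7s %-7s  null-deref(before/patch/masked)\n",
           "case", "before", "patch", "masked");
    for (size_t i = 0; i < 4; i++) {
        const struct vm_area_struct *v = &cases[i].vma;
        printf("%-24s %-7d %-7d %-7d  %d/%d/%d\n", cases[i].name,
               private_lock_before(v), private_lock_patch(v), private_lock_masked(v),
               check_would_null_deref(private_lock_before, v),
               check_would_null_deref(private_lock_patch, v),
               check_would_null_deref(private_lock_masked, v));
    }
    return 0;
}
```

The third row is the one to look at: a word equal to just HPAGE_RESV_OWNER is non-NULL, so both the pre-patch check and the posted check accept it and a caller would then dereference a NULL resv_map; only a check that masks the flag bits out before testing the pointer rejects it. Whether that state can actually arise in the kernel is exactly the open question in the reply.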