Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33;
Date:   Thu, 2 Nov 2023 19:28:15 -0700
From:   Mike Kravetz <mike.kravetz@oracle.com>
To:     Edward Adam Davis <eadavis@qq.com>, "Yin, Fengwei" <nh26223@qq.com>
Cc:     riel@surriel.com, akpm@linux-foundation.org,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        llvm@lists.linux.dev, muchun.song@linux.dev, nathan@kernel.org,
        ndesaulniers@google.com,
        syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com,
        syzkaller-bugs@googlegroups.com, trix@redhat.com
Subject: Re: [PATCH] mm/hugetlb: fix null ptr defer in hugetlb_vma_lock_write
Message-ID: <20231103022815.GB3531@monkey>
References: <3382634358afa9b95dc4f6db8a53a136d4b9e9cb.camel@surriel.com>
 <tencent_164A247533766D667C3D873798968236C409@qq.com>
 <20231103022426.GA3531@monkey>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20231103022426.GA3531@monkey>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?s8dXEYr0iO5p2/OAY2FrLD1ccXSAramOm8gDxTd1oOKvcsMeAN77QZfOnioP?=
 =?us-ascii?Q?KZovYaUCOOAAGVubdiSgBxyshYBsVsCbMdjITZdLhfRw6dwdJAhwoiQJuj6c?=
 =?us-ascii?Q?RULulHi1zfwbmQ+hGGPhn/KorCumt5gnJQhIZyxUCALJMyp/amjnGvhJC+gL?=
 =?us-ascii?Q?C1nmmDNKIfnhMvU1uIqSyTmHciuZPLrawPVyydy/m7dBVET/ct4potm4PNdQ?=
 =?us-ascii?Q?dIEBy5qBigM4Bs2Su1Zn0tePZvvjUvLbzSUrE6JspQHbnQb9yO46FZyYGCYZ?=
 =?us-ascii?Q?705VjLB/KqPOVVVMoXqjncaS6fDaG8hD3zi6MIIZKbhcZ88x48xyvI7gE7f+?=
 =?us-ascii?Q?NMb98j2hwVFBtu1Ij9ITyjaw3yQ/hgH913WAG2BcxBACAM5GXwP6VQbNCf5z?=
 =?us-ascii?Q?C40NQeVHg9tKbEctzNPp80X7Aok6CURt1W2xuZZpesgst1qbFpEdQkSUuVsd?=
 =?us-ascii?Q?evQi5wMtdVcv/jGgtciWzNYCM89A6s4rPwtmPqBzXTUPobl0RVKdD2f3soFB?=
 =?us-ascii?Q?Z5Vr6jRBNghd7f0lyEaMk0PeWZ4MLqxi3EZQD22kaPdI35+86zRY4f5K0Xcw?=
 =?us-ascii?Q?oQAyLnwoRF/qH8Y2KlVqipdIQaVHp7jkNH9kfehyUt8STSnNwTmdREcaxJOY?=
 =?us-ascii?Q?ySr+oLaq6ED/E3YrD6a4H0lzL1OvNA+IKq7AqxKsbsDVVJRCJH+ZTenJcbkR?=
 =?us-ascii?Q?e6RVmy58Wxp97wYpSsxybUd2yHhjmJQmoH8aNNWRejCwsdjDsRiA8YaFRcwG?=
 =?us-ascii?Q?ZeUWHd9r+divqwt1kXXW0F65uBTEiUxfOjK2BEaPHIJ/52tj0z5OoosW9aCI?=
 =?us-ascii?Q?aKqIg/iInDeUQl5CVaG0mQlKf/cEmhIlzTEcT281C+GgjeiIKSeS11qk4nmt?=
 =?us-ascii?Q?cw0K6m7ukC84qcQiTTTlPMo/Q4YwF/qkq4ccbdEP2N23IeIoc0q9YW14ehQk?=
 =?us-ascii?Q?BUZhFxNYVTpRctQDte3OJG07BDXksrF50QXab6ggrJRlb6ucuOLkXiIx4v4E?=
 =?us-ascii?Q?WErFOvIZlFkyr3GB0pNKcOXLqHX9Az2bywefjjaab/H5nVjoxzuc+PfXpRKw?=
 =?us-ascii?Q?9B4PQoyVoIxtjRDJ6pCvdEtJ9DsdEVFOHdSPSK3YietzulTY1uDBpGmW0fDZ?=
 =?us-ascii?Q?BZpUuCqN/i80y0H2w2Cs5hFOrRyl9Wu+DntqFHnv/1oIxImnj+4+e4wwPBI4?=
 =?us-ascii?Q?NZAmF3l3W1Uy6cwFnE9VZjpS3rXKlDwvaMWhHrOhYffm7WDlWMr9hHMlSd+u?=
 =?us-ascii?Q?5200ML2YZArujlhhnOJhxO867We0YA0WrwWUygFeZWaSEiocASfU7dJi6DEw?=
 =?us-ascii?Q?ryZo4ovOguvQDPnKqcvwOBDKonk+WxdnX6WVgku0szvw7zqOu7rpbqrBnOR7?=
 =?us-ascii?Q?qMdQMq2QDU2o6ux4npoTXW2P/50nYuv5EBZN5uPc5UVbRyJIFPj9nRwdt9Bd?=
 =?us-ascii?Q?SFGSFOxEdt4PNFXcBs93I7Jnmax82zdSzrXH3FuuiSRzrUXV7onIdRQmCmVC?=
 =?us-ascii?Q?p+ynzt5bKjo/6xK0M3EvnXusYG2yvuLCf/Ak32GPMWGgbIRdFSyc23q1KpAu?=
 =?us-ascii?Q?TwFDDsHDXez9k/0L9aocGyX2NZ+gby7Z/8P5qBXX?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: =?us-ascii?Q?qsFSX5nc/iplePVumuwSCiC1tAvSjxDw+ROTZdrb9L8jU2LyL7wairaoK/pr?=
 =?us-ascii?Q?yQV8MD1sovqxA+3B4fyk7Su1Gr14OU5dji2/X8l6nDt23GlMsjM4IZV3A0gP?=
 =?us-ascii?Q?bYz6YUq4IGBBsFmTWHuZ806+3+GJLjg3Oea4rWxs0D3ZoRmw9rkLFNZnqz7J?=
 =?us-ascii?Q?cRLMfLAMb6CG++2XoBNiUlR8JGCiPfpfApoJRt7jCMnrVlYnVz4KapY7eIz3?=
 =?us-ascii?Q?e5Sx8mgjmdStn/GUe4gDCXwxvDzTBfVMhrMsX0ult4M5Ebl1CgX/YzGzYPee?=
 =?us-ascii?Q?uJ3f8f1l9S02VeI34wO8hEHga5gn6bY68BrZFqlnsaTO0tPalneujjk3Iip5?=
 =?us-ascii?Q?uEC9bmvKIe2RYetvaudCf8Yy4xQNTmi7X4es+UE9XMVe3yhpwff8Lv8sHHMn?=
 =?us-ascii?Q?s8ARQgvYZtun9uCSziPpNG/6P+CqxD638npi6cQKopdQ/xPPXzM+d5POS7f8?=
 =?us-ascii?Q?sRe+gMDNw25O8VGAPZKNKlYeQSL+3gGe4iJHDqmnFSI87EiuNsP6T/YhF0Ch?=
 =?us-ascii?Q?PAOW9AAoEhpzo7ICvD3YrUhRP9eTTjCWpzseegvtGdq3zxqG005OB9VQf2zu?=
 =?us-ascii?Q?vocTNNuBIhso6COSFNWcrtkbY3rTw0WGxqLjLBT9G9jQHeOvLkC7mVcHb1WT?=
 =?us-ascii?Q?mm+vjNK7g7bJwsfO5GDqtv7T0dSNM4+tR/wdgBlCAHmdvcfld6LADenaXJqU?=
 =?us-ascii?Q?t5lI9uKy6obyK3J3vbSnqBxtMV3Zeb7sCXV0LRbRnoxL+lJ18QfGrKC8iYPm?=
 =?us-ascii?Q?gEw5+Vme7nhMnEy30fcxVIacrZCwdPofv7N4s4UgIhP4UQL265Sc44Ug67k5?=
 =?us-ascii?Q?yYdK9+beEskSnAudp/L5+6ePF4Q9gYefSnUFLlAdg3CFSnYbHikkmhY2AZ1R?=
 =?us-ascii?Q?j/OE8kdsUaNnEvWT1CKPwcXaOC78ZRfhTUUcWERvSaYi0maExJvZzTb77pEs?=
 =?us-ascii?Q?qrbRPy68+o9kpPgCF91ZSY6puljP+6hUYLTVokD4oMR92OY/isdz0nGtBA4B?=
 =?us-ascii?Q?p/7IwfupSlVYSd80Rl6iwP89ao3DD3W2a7jV24AKXUybMa0XEuqpmsYK9ddb?=
 =?us-ascii?Q?SsQelh+9vqO+ebvt2C/1zyWP2RLgx4UejDwjaYYJ3zUdKEyeGkFVQeBbgaef?=
 =?us-ascii?Q?pFWqS/tRviDOR/ls2+p/XFa32QMsMQ7AuqSrBlmytZMuOYYWZWYO1hI=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e4231af0-1bdc-4505-6ca2-08dbdc148a43
X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4196.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Nov 2023 02:28:18.1318
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: anCgEiUUw1aKllJ870auIGz8kllkZjFDApRfxdMT4KL4nAIsMOFmeb/uRajRuvRkko5G9C0SbNTcMTTE4lcbtQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW6PR10MB7590
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-11-03_02,2023-11-02_03,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 suspectscore=0 mlxscore=0
 spamscore=0 phishscore=0 adultscore=0 mlxlogscore=647 malwarescore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2310240000
 definitions=main-2311030019
X-Proofpoint-GUID: 7c153biE2RF_UTIW7Fq9UlUh8pdGrpRL
X-Proofpoint-ORIG-GUID: 7c153biE2RF_UTIW7Fq9UlUh8pdGrpRL
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 02 Nov 2023 19:29:19 -0700 (PDT)

On 11/02/23 19:24, Mike Kravetz wrote:
> On 11/02/23 20:58, Edward Adam Davis wrote:
> > When obtaining resv_map from vma, it is necessary to simultaneously determine
> > the flag HPAGE_RESV_OWNER of vm_private_data.
> > Only when they are met simultaneously, resv_map is valid.
> 
> Thanks for looking into this!
> 
> The check for HPAGE_RESV_OWNER does 'work'.  However, I believe root
> cause is this block of code in __unmap_hugepage_range().
> 
> 		/*
> 		 * If a reference page is supplied, it is because a specific
> 		 * page is being unmapped, not a range. Ensure the page we
> 		 * are about to unmap is the actual page of interest.
> 		 */
> 		if (ref_page) {
> 			if (page != ref_page) {
> 				spin_unlock(ptl);
> 				continue;
> 			}
> 			/*
> 			 * Mark the VMA as having unmapped its page so that
> 			 * future faults in this VMA will fail rather than
> 			 * looking like data was lost
> 			 */
> 			set_vma_resv_flags(vma, HPAGE_RESV_UNMAPPED);
> 		}
> 
> In the specific case causing the null-ptr-deref, the resv_map pointer
> (vm_private_data) is NULL.  So, set_vma_resv_flags() just sets the lower bit.
> Because of this, __vma_private_lock returns true.

Ah!

I see Yin, Fengwei already discovered this code path.

-- 
Mike Kravetz