Received: by 2002:a05:7412:8521:b0:e2:908c:2ebd with SMTP id t33csp215730rdf; Thu, 2 Nov 2023 20:16:29 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHOPrYYgbsI5K8xVOEi5r3ha7TI9nmYnntQd8oOlg9RASUQgpt3kmP1eO7dS8ABM4pONby7 X-Received: by 2002:a54:4799:0:b0:3a7:82e8:8fd1 with SMTP id o25-20020a544799000000b003a782e88fd1mr20210967oic.20.1698981389066; Thu, 02 Nov 2023 20:16:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698981389; cv=none; d=google.com; s=arc-20160816; b=LKgguXqmif951l0oHYNgMnl+8wnIHO8EfnqjSIKKiHFvvyAXOXvhDVkNVwcM2Cfsov wx64Qj0WYtfyY2JdGmrDgof6ngHmZXaEGcdg3LuIXhn/ORvwR+yX+1fUtVk6W5LnyP+0 /fMprIJ1lWez+Yumm+u/4sZ0GsQRv+J5DB8oJg8Qj8WODl2npghQIMk1p1no3k/NuKVn 43AI6EYprm9+en+w5uMxfW9eUIhi9WBIgw16P+AM0GRIWHdSOdVmq1KUF13kPpOMCXc5 ExWqqEsnTW+dt1td1G8oDPiskGJ3qGAuBWxYgm91pRi9/2BJjU53sbV9ZG8r4Ssb1c7N EKUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id; bh=eXnbudiCiu0BIl62V0ddUHYhitAkHylUhCGsptXAsVE=; fh=cM/dZCiAbROaQVCvFDzoeQ4hyWxv295/m0GbEPyBcfc=; b=DPHY4CbiQWiPmbm1XCNcuq4XiM4KF9M3MfudX/3AicZ6t6BI4tqhYnypzX80nwA2uK 2fe6ZoVTMApUlmx+BkGzsR46Hn2D88aCexwaK9L++sZLdf6sYHYnIvD339KnvGZF+WNf LZIEuxy7r00Z6XFLnebHjDB4/AETF8qMDYFsn46n/9iQmg7c6/s7o0C30RZT5tqz9i7m BsTC3e1apzjuLoHaY5dktcbRPP0FAzHo5KBGbtOOZ+UT6JHTDThINSR4jful8MdMvip4 hwclGWBh99BjDFRa69RZ/z66RE7itA/Hr0tLsCAIc/VwBc6KZ9AEGeepsS1bl1I9rwI/ ugbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id dr1-20020a056a004a8100b0068ff3a3c9d0si710065pfb.91.2023.11.02.20.16.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Nov 2023 20:16:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 674D380FE281; Thu, 2 Nov 2023 20:16:26 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229677AbjKCDQV convert rfc822-to-8bit (ORCPT + 99 others); Thu, 2 Nov 2023 23:16:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229459AbjKCDQU (ORCPT ); Thu, 2 Nov 2023 23:16:20 -0400 Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2ADCC1A5 for ; Thu, 2 Nov 2023 20:16:17 -0700 (PDT) Received: from imladris.home.surriel.com ([10.0.13.28] helo=imladris.surriel.com) by shelob.surriel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from ) id 1qykf0-0007x0-1e; Thu, 02 Nov 2023 23:15:50 -0400 Message-ID: <48ec0dd17f048541dd83f7ed7cb29dac91d8c607.camel@surriel.com> Subject: Re: [PATCH] mm/hugetlb: fix null ptr defer in hugetlb_vma_lock_write From: Rik van Riel To: Mike Kravetz Cc: Edward Adam Davis , akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, llvm@lists.linux.dev, muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com, syzbot+6ada951e7c0f7bc8a71e@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com, trix@redhat.com Date: Thu, 02 Nov 2023 23:15:50 -0400 In-Reply-To: <20231103023737.GC3531@monkey> References: <3382634358afa9b95dc4f6db8a53a136d4b9e9cb.camel@surriel.com> <20231103022426.GA3531@monkey> <20231103023737.GC3531@monkey> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT User-Agent: Evolution 3.46.4 (3.46.4-1.fc37) MIME-Version: 1.0 Sender: riel@surriel.com X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Thu, 02 Nov 2023 20:16:26 -0700 (PDT) On Thu, 2023-11-02 at 19:37 -0700, Mike Kravetz wrote: > On 11/02/23 19:24, Mike Kravetz wrote: > > > > In the specific case causing the null-ptr-deref, the resv_map > > pointer > > (vm_private_data) is NULL. > > Hi Rik, > > In commit bf4916922c60 hugetlbfs: extend hugetlb_vma_lock to private > VMAs, > it correctly says: > >     Extend the locking scheme used to protect shared hugetlb mappings > from >     truncate vs page fault races, in order to protect private hugetlb > mappings >     (with resv_map) against MADV_DONTNEED. > > That qualification '(with resv_map)' caught my attention originally, > and > I thought about it again while looking into this.  We now cover the > common > cases, but there are still quite a few cases where resv_map is NULL > for > private mappings.  In such cases, the race between MADV_DONTNEED and > page > fault still exists.  Is that a concern? Honestly, I'm not sure. In hugetlb_dup_vma_private, which is called at fork time, we have this comment: * - For MAP_PRIVATE mappings, this is the reserve map which does * not apply to children. Faults generated by the children are * not guaranteed to succeed, even if read-only. That suggests we already have no guarantee of faults succeeding after fork. > > With a bit more work we 'could' make sure every hugetlb vma has a > lock > to participate in this scheme. > > Any thhoughts? We can certainly close the race between MADV_DONTNEED and page faults for MAP_PRIVATE mappings in child processes, but that does not guarantee that we actually have hugetlb pages for those processes. In short, I'm not sure :) -- All Rights Reversed.