Date: Wed, 15 Nov 2023 19:04:14 +0000
From: Matthew Wilcox
To: José Pekkarinen
Cc: akpm@linux-foundation.org, skhan@linuxfoundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com, Hugh Dickins
Subject: Re: [PATCH] mm/pgtable: return null if no ptl in __pte_offset_map_lock
References: <20231115065506.19780-1-jose.pekkarinen@foxhound.fi> <1c4cb1959829ecf4f0c59691d833618c@foxhound.fi>
In-Reply-To: <1c4cb1959829ecf4f0c59691d833618c@foxhound.fi>

On Wed, Nov 15, 2023 at 06:05:30PM +0200, José Pekkarinen wrote:
> On 2023-11-15 16:19, Matthew Wilcox wrote:
> > On Wed, Nov 15, 2023 at 08:55:05AM +0200, José Pekkarinen wrote:
> > > Documentation of __pte_offset_map_lock suggests there are situations
> > > where
> >
> > You should have cc'd Hugh who changed all this code recently.
>
> Hi,
>
> Sorry, he seems to be missing if I run get_maintainer.pl:
>
> $ ./scripts/get_maintainer.pl include/linux/mm.h
> Andrew Morton (maintainer:MEMORY MANAGEMENT)
> linux-mm@kvack.org (open list:MEMORY MANAGEMENT)
> linux-kernel@vger.kernel.org (open list)

That's a good example of why get_maintainer.pl is not great.  It's just
a stupid perl program.  Ideally, you should research what changes have
been made to that code recently and see who else might be implicated.
Who introduced the exact code that you're fixing?

In this specific instance, you can see Hugh already responded to it:
https://lore.kernel.org/all/0000000000005e44550608a0806c@google.com/T/

Now, part of Hugh's response turns out to be incorrect; syzbot can
reproduce this on a current mainline kernel.  But, for some reason,
syzbot has not done a bisect to track it down to a particular commit.
I don't understand why it hasn't; maybe someone who knows syzbot better
can explain why.

> > > +++ b/include/linux/mm.h
> > > @@ -2854,7 +2854,7 @@ void ptlock_free(struct ptdesc *ptdesc);
> > >
> > > static inline spinlock_t *ptlock_ptr(struct ptdesc *ptdesc)
> > > {
> > > - return ptdesc->ptl;
> > > + return (likely(ptdesc)) ? ptdesc->ptl : NULL;
> > > }
> >
> > I don't think we should be changing ptlock_ptr().
>
> This is where the null ptr dereference originates, so the only
> alternative I can think of is to protect the life cycle of the ptdesc
> to prevent it from dying between the pte check and the spin_unlock of
> __pte_offset_map_lock. Would that work for you?

Ah!  I think I found the problem.  If ALLOC_SPLIT_PTLOCKS is not set,
there is no problem as ->ptl is embedded in the struct page.  But if
ALLOC_SPLIT_PTLOCKS is set (e.g. you have LOCKDEP enabled), we can
_return_ a NULL pointer from ptlock_ptr.  The NULL pointer dereference
isn't in ptlock_ptr(), it's in __pte_offset_map_lock().

So, how to solve this?  We can't just check the ptl against NULL; the
memory that ptl points to may have been freed.  We could grab a reference
to the pmd_page, possibly conditionally on ALLOC_SPLIT_LOCK being set,
but that will slow down everything.  We could make page_ptl_cachep
SLAB_TYPESAFE_BY_RCU, preventing the memory from being freed (even if
the lock might not be associated with this page any more).

Other ideas?
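Review bot: the NULL check in the ptlock_ptr() hunk tests the wrong pointer. The argument `ptdesc` is never NULL on the path discussed here; what is NULL (with ALLOC_SPLIT_PTLOCKS) is the `ptdesc->ptl` value the function returns, and the crash is the later `spin_lock()` in __pte_offset_map_lock(), so `return (likely(ptdesc)) ? ptdesc->ptl : NULL;` never fires on the reported path and the `likely()` annotates a condition callers never violate. Checking `ptl` itself against NULL would not be enough either, as the reply above points out: the pointer can be non-NULL and already freed, so a NULL test passes and the lock is taken on dead memory. I would drop this hunk and address the lifetime of the split-lock allocation (or the revalidation in __pte_offset_map_lock()) rather than change the accessor's contract.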
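The lifetime problem in the last two paragraphs is easier to see in a small user-space model than in the mm code. The block below is an added example, not kernel code and not part of the patch or this thread: it keeps the kernel names (ptdesc, ptlock_ptr, pmd_same's role) but everything else is assumed for illustration: teardown is modelled as freeing the lock and clearing `ptdesc->ptl`, a fixed pool of lock objects stands in for a SLAB_TYPESAFE_BY_RCU cache, a `gen` counter stands in for the pmd value that pmd_same() compares, and a callback replays the racing teardown in the window between reading the lock pointer and locking it. It shows why a NULL check cannot help (the reader's copy of the pointer is non-NULL and dangling), and how type-stable lock memory plus revalidation after locking tolerates both a torn-down table and a lock slot that another table has meanwhile inherited.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model only: a page-table descriptor whose lock is a separate
 * allocation, as with ALLOC_SPLIT_PTLOCKS. The allocator behaviour and the
 * teardown sequence below are assumptions made for the example. */
struct ptl {
    int  locked;   /* stands in for spinlock_t; single-threaded, so an int is enough */
    bool in_use;   /* bookkeeping for the type-stable pool below */
};

struct ptdesc {
    struct ptl *ptl;   /* NULL once the lock is freed, dangling if the memory moved on */
    uint64_t    gen;   /* stands in for the pmd value that pmd_same() compares */
};

static void spin_lock(struct ptl *l)   { assert(l && !l->locked); l->locked = 1; }
static void spin_unlock(struct ptl *l) { assert(l->locked); l->locked = 0; }

/* ptlock_ptr() as in the quoted hunk: a plain field read, no lifetime guarantee. */
static struct ptl *ptlock_ptr(struct ptdesc *pt) { return pt->ptl; }

/* Replays the racing teardown between reading the lock pointer and locking it. */
typedef void (*race_fn)(struct ptdesc *);

/* ---- 1. Ordinary allocation: a NULL check tests the wrong thing ----------- */

static bool stale_pointer_passes_null_check(void)
{
    struct ptdesc pt = { .ptl = calloc(1, sizeof(struct ptl)), .gen = 1 };
    struct ptl *snap = ptlock_ptr(&pt);   /* reader's copy, taken before teardown */

    free(pt.ptl);                         /* ptlock_free(): the lock's memory is gone */
    pt.ptl = NULL;                        /* assumed: what a fresh ptlock_ptr() now yields */

    /* The reader's copy is non-NULL, so a NULL test passes and spin_lock(snap) would
     * touch freed memory. (Not dereferenced here, obviously.) */
    return snap != NULL && ptlock_ptr(&pt) == NULL;
}

/* ---- 2. Type-stable lock memory: the SLAB_TYPESAFE_BY_RCU idea ------------ */

#define POOL_SIZE 4
static struct ptl pool[POOL_SIZE];   /* never handed back: a lock object stays a lock object */

static struct ptl *ptlock_alloc_typesafe(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
    return NULL;
}

static void ptlock_free_typesafe(struct ptl *l) { l->in_use = false; }  /* memory stays valid */

/* Lock-then-revalidate, the shape of __pte_offset_map_lock(): returns the held
 * lock if the table is unchanged, NULL if the caller must retry. */
static struct ptl *pte_map_lock_model(struct ptdesc *pt, race_fn race)
{
    uint64_t seen = pt->gen;
    struct ptl *l = ptlock_ptr(pt);
    if (!l)
        return NULL;                       /* no table to lock */
    if (race)
        race(pt);                          /* the concurrent teardown lands here */
    spin_lock(l);                          /* safe: l is still a lock, whoever owns it now */
    if (pt->gen == seen && pt->ptl == l)
        return l;                          /* same table: caller holds its lock */
    spin_unlock(l);                        /* lock belongs to someone else (or nobody) */
    return NULL;
}

static struct ptdesc other;   /* a second table that may inherit the freed lock slot */

static void teardown(struct ptdesc *pt)
{
    ptlock_free_typesafe(pt->ptl);
    pt->ptl = NULL;
    pt->gen++;
}

static void teardown_and_reuse(struct ptdesc *pt)
{
    teardown(pt);
    other.ptl = ptlock_alloc_typesafe();   /* gets the slot just freed */
    other.gen = 100;
}

static bool stable_table_locks(void)
{
    struct ptdesc pt = { .ptl = ptlock_alloc_typesafe(), .gen = 1 };
    struct ptl *l = pte_map_lock_model(&pt, NULL);
    bool ok = l && (l == pt.ptl) && l->locked;
    if (l) { spin_unlock(l); ptlock_free_typesafe(l); }
    return ok;
}

static bool torn_down_table_is_detected(void)
{
    struct ptdesc pt = { .ptl = ptlock_alloc_typesafe(), .gen = 1 };
    return pte_map_lock_model(&pt, teardown) == NULL;   /* locked valid memory, backed off */
}

static bool reused_lock_is_detected(void)
{
    struct ptdesc pt = { .ptl = ptlock_alloc_typesafe(), .gen = 1 };
    struct ptl *orig = pt.ptl;
    struct ptl *l = pte_map_lock_model(&pt, teardown_and_reuse);
    /* The reader locked other's lock (same slot), noticed, and released it. */
    bool ok = (l == NULL) && other.ptl == orig && !other.ptl->locked;
    ptlock_free_typesafe(other.ptl);
    return ok;
}
```

The point of the second half is the caveat in the reply: type-stable memory only guarantees that `spin_lock(l)` lands on a lock, not that it is still this table's lock, so the check after acquiring it is what makes the scheme safe, and the caller must be prepared to retry.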