From: Baolin Wang
To: akpm@linux-foundation.org
Cc: willy@infradead.org, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, baolin.wang@linux.alibaba.com, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs: improve dump_mapping() robustness
Date: Tue, 16 Jan 2024 15:53:35 +0800
Message-Id: <937ab1f87328516821d39be672b6bc18861d9d3e.1705391420.git.baolin.wang@linux.alibaba.com>

We met a kernel crash issue when running stress-ng testing, and the system crashes when printing the dentry name in dump_mapping().

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : dentry_name+0xd8/0x224
lr : pointer+0x22c/0x370
sp : ffff800025f134c0
.....
Call trace:
 dentry_name+0xd8/0x224
 pointer+0x22c/0x370
 vsnprintf+0x1ec/0x730
 vscnprintf+0x2c/0x60
 vprintk_store+0x70/0x234
 vprintk_emit+0xe0/0x24c
 vprintk_default+0x3c/0x44
 vprintk_func+0x84/0x2d0
 printk+0x64/0x88
 __dump_page+0x52c/0x530
 dump_page+0x14/0x20
 set_migratetype_isolate+0x110/0x224
 start_isolate_page_range+0xc4/0x20c
 offline_pages+0x124/0x474
 memory_block_offline+0x44/0xf4
 memory_subsys_offline+0x3c/0x70
 device_offline+0xf0/0x120
 ......

The root cause is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1.

Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page.
However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag.

The page migration issue has been fixed by commit d1adb25df711 ("mm: migrate: fix getting incorrect page mapping during page migration"). In addition, Matthew suggested we should also improve dump_mapping()'s robustness to be resilient against the kernel crash [1].

With checking the 'dentry.parent' and 'dentry.d_name.name' used by dentry_name(), I can see dump_mapping() will output the invalid dentry instead of crashing the system when this issue is reproduced again.

[12211.189128] page:fffff7de047741c0 refcount:1 mapcount:0 mapping:ffff989117f55ea0 index:0x1 pfn:0x211dd07
[12211.189144] aops:0x0 ino:1 invalid dentry:74786574206e6870
[12211.189148] flags: 0x57ffffc0000001(locked|node=1|zone=2|lastcpupid=0x1fffff)
[12211.189150] page_type: 0xffffffff()
[12211.189153] raw: 0057ffffc0000001 0000000000000000 dead000000000122 ffff989117f55ea0
[12211.189154] raw: 0000000000000001 0000000000000001 00000001ffffffff 0000000000000000
[12211.189155] page dumped because: unmovable page

[1] https://lore.kernel.org/all/ZXxn%2F0oixJxxAnpF@casper.infradead.org/

Suggested-by: Matthew Wilcox
Signed-off-by: Baolin Wang
--- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index 99d8754a74a3..3093e3b3fd12 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -589,7 +589,8 @@ void dump_mapping(const struct address_space *mapping) } dentry_ptr = container_of(dentry_first, struct dentry, d_u.d_alias); - if (get_kernel_nofault(dentry, dentry_ptr)) { + if (get_kernel_nofault(dentry, dentry_ptr) || + !dentry.d_parent || !dentry.d_name.name) { pr_warn("aops:%ps ino:%lx invalid dentry:%px\n", a_ops, ino, dentry_ptr); return; -- 2.39.3
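
Review bot: the two conditions added after get_kernel_nofault() in dump_mapping() only reject NULL, so a copied dentry whose d_parent or d_name.name holds a non-NULL but invalid pointer still passes the check and goes on to have its name printed. When ->mapping is really an anon_vma, as the commit message describes, nothing guarantees the stale fields are NULL rather than garbage; the value 74786574206e6870 in the sample output shows the kind of non-NULL junk that turns up here. A short comment above the condition saying that these are the fields dentry_name() dereferences, and that the test is best effort, would make the intent clear; if stronger protection is wanted, d_parent could also be probed with get_kernel_nofault() before printing. Separately, the same "invalid dentry:%px" message now covers both an unreadable dentry and a readable one with NULL fields, so the log no longer tells the two cases apart.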