From patchwork Wed Mar 11 07:45:13 2020
X-Patchwork-Submitter: chenqiwu
X-Patchwork-Id: 11430997
From: qiwuchen55@gmail.com
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, chenqiwu
Subject: [PATCH] mm/rmap: ensure the validity of mapping vma which referenced an anon page
Date: Wed, 11 Mar 2020 15:45:13 +0800
Message-Id: <1583912713-30778-1-git-send-email-qiwuchen55@gmail.com>
X-Mailer: git-send-email 1.9.1

From: chenqiwu

When finding all the mapping vmas for an anon page by anon_vma, there is
a panic risk that one mapping vma or its vm_mm has been released by
someone. Like the following crash during kswapd reclaiming pages:

Unable to handle kernel NULL pointer dereference at virtual address 00000048
PC is at page_vma_mapped_walk+0x54/0x16c
LR is at page_referenced_one+0x44/0x140
[......]
CPU: 1 PID: 161 Comm: kswapd0
Call trace:
[] el1_da+0x24/0x3c
[] page_vma_mapped_walk+0x54/0x16c
[] page_referenced_one+0x44/0x140
[] rmap_walk_anon+0x124/0x168
[] page_referenced+0x144/0x190
[] shrink_active_list+0x25c/0x478
[] kswapd+0x7b0/0x9c8
[] kthread+0x154/0x18c
[] ret_from_fork+0x10/0x18

The PC points to the following code line:

bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
{
	struct mm_struct *mm = pvmw->vma->vm_mm;
	......
	pgd = pgd_offset(mm, pvmw->address); //PC
	......
}

Because the current pvmw->vma->vm_mm is a kernel NULL pointer, which
causes a crash when pgd_offset() dereferences the mm pointer.

This patch fixes the problem by ensuring that both the mapping vma and
its vm_mm are valid. If not, we just continue to traverse the
anon_vma->rb_root to avoid the potential junk pointer dereference.

Signed-off-by: chenqiwu
--- mm/rmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/rmap.c b/mm/rmap.c index b3e3819..fc42ca2 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1863,6 +1863,9 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc, if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) continue; + if (!vma && !vma->vm_mm) + continue; + if (!rwc->rmap_one(page, vma, address, rwc->arg)) break; if (rwc->done && rwc->done(page))
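
Review bot: the added test "if (!vma && !vma->vm_mm)" in rmap_walk_anon() uses && where the commit message's intent needs ||, so it can never skip an entry. With a non-NULL vma the left operand is false and vm_mm is never examined, which is exactly the case in the reported crash; with a NULL vma the right operand dereferences it. Even with "if (!vma || !vma->vm_mm)", vma has already been handed to rwc->invalid_vma(vma, rwc->arg) in the context line just above, so the test would have to move ahead of that call to cover it. A NULL comparison also cannot detect a vma or mm that has been freed, which is the situation the commit message describes ("released by someone"); the changelog should explain which lock or reference is expected to keep the vma alive during the walk and why it did not here, since a pointer check only narrows the window.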