From patchwork Tue Apr 14 13:29:05 2020
X-Patchwork-Submitter: Muchun Song
X-Patchwork-Id: 11487857
From: Muchun Song
To: akpm@linux-foundation.org, Markus.Elfring@web.de, david@redhat.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song, Xiongchun Duan
Subject: [PATCH v3] mm/ksm: Fix NULL pointer dereference when KSM zero page is enabled
Date: Tue, 14 Apr 2020 21:29:05 +0800
Message-Id: <20200414132905.83819-1-songmuchun@bytedance.com>
X-Mailer: git-send-email 2.21.0 (Apple Git-122)

find_mergeable_vma() can return NULL. In this case, it leads to a crash
when we access vma->vm_mm (its offset is 0x40) later in
write_protect_page(). And this case did happen on our server.

The following calltrace is captured in kernel 4.19 with the following
patch applied and KSM zero page enabled on our server.

commit e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")

So add a vma check to fix it.
--------------------------------------------------------------------------
BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
Oops: 0000 [#1] SMP NOPTI
CPU: 9 PID: 510 Comm: ksmd Kdump: loaded Tainted: G OE 4.19.36.bsk.9-amd64 #4.19.36.bsk.9
Hardware name: FOXCONN R-5111/GROOT, BIOS IC1B111F 08/17/2019
RIP: 0010:try_to_merge_one_page+0xc7/0x760
Code: 24 58 65 48 33 34 25 28 00 00 00 89 e8 0f 85 a3 06 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 46 08 a8 01 75 b8 <49> 8b 44 24 40 4c 8d 7c 24 20 b9 07 00 00 00 4c 89 e6 4c 89 ff 48
RSP: 0018:ffffadbdd9fffdb0 EFLAGS: 00010246
RAX: ffffda83ffd4be08 RBX: ffffda83ffd4be40 RCX: 0000002c6e800000
RDX: 0000000000000000 RSI: ffffda83ffd4be40 RDI: 0000000000000000
RBP: ffffa11939f02ec0 R08: 0000000094e1a447 R09: 00000000abe76577
R10: 0000000000000962 R11: 0000000000004e6a R12: 0000000000000000
R13: ffffda83b1e06380 R14: ffffa18f31f072c0 R15: ffffda83ffd4be40
FS: 0000000000000000(0000) GS:ffffa0da43b80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 0000002c77c0a003 CR4: 00000000007626e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 ? follow_page_pte+0x36d/0x5e0
 ksm_scan_thread+0x115e/0x1960
 ? remove_wait_queue+0x60/0x60
 kthread+0xf5/0x130
 ? try_to_merge_with_ksm_page+0x90/0x90
 ? kthread_create_worker_on_cpu+0x70/0x70
 ret_from_fork+0x1f/0x30
--------------------------------------------------------------------------

Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring")
Signed-off-by: Muchun Song Co-developed-by: Xiongchun Duan Reviewed-by: David Hildenbrand --- Change in v3: 1. Update "Signed-off-by" to "Co-developed-by" 2. Update commit message Change in v2: 1. Update commit message. 2. Update patch subject from: "mm/ksm: Fix kernel NULL pointer dereference at 0000000000000040" to: "mm/ksm: Fix NULL pointer dereference when KSM zero page is enabled" mm/ksm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mm/ksm.c b/mm/ksm.c index a558da9e71770..69b2f85e22d5b 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -2112,8 +2112,11 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item) down_read(&mm->mmap_sem); vma = find_mergeable_vma(mm, rmap_item->address); - err = try_to_merge_one_page(vma, page, - ZERO_PAGE(rmap_item->address)); + if (vma) + err = try_to_merge_one_page(vma, page, + ZERO_PAGE(rmap_item->address)); + else + err = -EFAULT; up_read(&mm->mmap_sem); /* * In case of failure, the page was not really empty, so we
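Review bot: the new `else` branch sets `err = -EFAULT;` without saying why, and the only comment nearby is the pre-existing "In case of failure, the page was not really empty" one, which was written for the merge attempt failing rather than for the VMA lookup failing; a one-line comment above the assignment, for example "/* no mergeable VMA covers this address; treat it as a failed merge */", would tell the next reader that a NULL `vma` is meant to fall into that same failure path. The check itself is placed correctly: it sits between `down_read(&mm->mmap_sem)` and `up_read(&mm->mmap_sem)`, so the result of `find_mergeable_vma()` is consumed under the same lock hold that produced it, and the hunk header's growth from 8 to 11 lines matches the stated diffstat of 5 insertions and 2 deletions.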