From patchwork Thu Apr 16 02:50:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Muchun Song X-Patchwork-Id: 11492213 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9C5F26CA for ; Thu, 16 Apr 2020 02:50:46 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 617C720725 for ; Thu, 16 Apr 2020 02:50:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="Vm2AdqHG" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 617C720725 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=bytedance.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 6E6C38E0072; Wed, 15 Apr 2020 22:50:45 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 698048E0001; Wed, 15 Apr 2020 22:50:45 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 55FC28E0072; Wed, 15 Apr 2020 22:50:45 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0042.hostedemail.com [216.40.44.42]) by kanga.kvack.org (Postfix) with ESMTP id 3C5478E0001 for ; Wed, 15 Apr 2020 22:50:45 -0400 (EDT) Received: from smtpin25.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 045DB180AD815 for ; Thu, 16 Apr 2020 02:50:45 +0000 (UTC) X-FDA: 76712190450.25.earth83_40b13b0b86f26 X-Spam-Summary: 2,0,0,73ffee1f9985f5f3,d41d8cd98f00b204,songmuchun@bytedance.com,,RULES_HIT:41:69:355:379:541:800:960:968:973:988:989:1260:1311:1314:1345:1437:1515:1535:1543:1711:1730:1747:1777:1792:2393:2559:2562:2895:2898:2899:2901:2924:2926:3138:3139:3140:3141:3142:3354:3865:3866:3867:3868:3870:3871:3872:4117:4250:4321:4605:5007:6117:6119:6120:6238:6261:6653:7264:7901:7903:7904:8660:8784:9121:10004:11026:11232:11658:11914:12043:12048:12296:12297:12438:12517:12519:12555:12679:12683:12740:12895:12986:13095:13148:13161:13229:13230:13870:13894:14093:14096:14181:14394:14721:21080:21324:21433:21444:21451:21622:21740:21990:22047:30003:30012:30054:30056:30070,0,RBL:209.85.216.68:@bytedance.com:.lbl8.mailshell.net-62.2.0.100 66.100.201.201,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:30,LUA_SUMMARY:none X-HE-Tag: earth83_40b13b0b86f26 X-Filterd-Recvd-Size: 6565 Received: from mail-pj1-f68.google.com (mail-pj1-f68.google.com [209.85.216.68]) by imf14.hostedemail.com (Postfix) with ESMTP for ; Thu, 16 Apr 2020 02:50:44 +0000 (UTC) Received: by mail-pj1-f68.google.com with SMTP id a22so733094pjk.5 for ; Wed, 15 Apr 2020 19:50:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=6Q7W5ehzWsjUkkp8y3o1ZGWaS+29RuWOEbUwQ2aJUz0=; b=Vm2AdqHGTKxj9VJj13wnb+zAUcOswIjBK5VnhqfV2BLubluRkBk/Yc+nBulO38JAj4 2BQkPknjITamBPQzP5jBGm3Ru1iYjGde01b8FFPjA52qCf7gwc0TH4y8q/yzW1Hsjn5l p5tnVTpgoiVvIFKXmaOS4z2F4u8pj4rZqLQscS5ihSDg7ZARk1Jp7G8ZT3/7Jf8i9z5U 65M7OxyUBM5zm1NL6Mq4JVNX1BoZm2gPyiyXyUJvgN/R+rN77ZwPzRBQSB/Druq4QR9R pm4ERv3YpGGaNQ6yirqlwoMMsN8IOHcGgaLBHZMrF/uS1dct9PSbeytgIg7RRtqb2gEO iG5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=6Q7W5ehzWsjUkkp8y3o1ZGWaS+29RuWOEbUwQ2aJUz0=; b=JUqbYgednHDuPOQW1Hjz1I9mMhrhMhDfDwKO4X5X9tEKYwnjX0mZsKb0rcbILsgCpR aFxDl3UgLNx2zuRtNDIfKwNM3N8jleIyqOlCcHcp8ljhuLptTYDebovuPaerUBJrVuVN O14AJJn371Z5QjSWbYg9lNdGXiGvMjFljxvfx4V6iEhUj2xu8pk5VXN3UD0mSuEzTKCG dMm8QCK0reFFqClHIgTVsuGLQgUEV1EsiUd92qRTrAz7VRA0RFiOR6qIlcaC9dqz4ALu 9RyOPb6I05z9ebqY85xZQAtY3IfbJ9KoEbx8jju9BsBb1mG336kRN1dQzf0hm99fCdCo UAfA== X-Gm-Message-State: AGi0PuY+p7lJ4fFdUWxHdw98mqMAX3/Ydff9vdCzGJdqDjxVwc+5qXG5 0galwuirxy2M2lws7yCxSfoxzw== X-Google-Smtp-Source: APiQypKXTbL28FPX0Sg4JxD6/bpaTlE9T3uuNe4w/98SvRRFZDZgHIwZeEfa/7u+hLz0lYKtnNhdew== X-Received: by 2002:a17:90a:15d6:: with SMTP id w22mr2310413pjd.173.1587005443063; Wed, 15 Apr 2020 19:50:43 -0700 (PDT) Received: from Smcdef-MBP.lan ([103.136.220.69]) by smtp.gmail.com with ESMTPSA id o11sm8704421pgd.58.2020.04.15.19.50.39 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Apr 2020 19:50:42 -0700 (PDT) From: Muchun Song To: akpm@linux-foundation.org, Markus.Elfring@web.de, david@redhat.com, ktkhai@virtuozzo.com, yang.shi@linux.alibaba.com Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song , Xiongchun Duan Subject: [PATCH v4] mm/ksm: Fix NULL pointer dereference when KSM zero page is enabled Date: Thu, 16 Apr 2020 10:50:34 +0800 Message-Id: <20200416025034.29780-1-songmuchun@bytedance.com> X-Mailer: git-send-email 2.21.0 (Apple Git-122) MIME-Version: 1.0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The find_mergeable_vma can return NULL. In this case, it leads to a crash when we access vm_mm(its offset is 0x40) later in write_protect_page. And this case did happen on our server. The following call trace is captured in kernel 4.19 with the following patch applied and KSM zero page enabled on our server. commit e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring") So add a vma check to fix it. -------------------------------------------------------------------------- BUG: unable to handle kernel NULL pointer dereference at 0000000000000040 Oops: 0000 [#1] SMP NOPTI CPU: 9 PID: 510 Comm: ksmd Kdump: loaded Tainted: G OE 4.19.36.bsk.9-amd64 #4.19.36.bsk.9 RIP: 0010:try_to_merge_one_page+0xc7/0x760 Code: 24 58 65 48 33 34 25 28 00 00 00 89 e8 0f 85 a3 06 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8b 46 08 a8 01 75 b8 <49> 8b 44 24 40 4c 8d 7c 24 20 b9 07 00 00 00 4c 89 e6 4c 89 ff 48 RSP: 0018:ffffadbdd9fffdb0 EFLAGS: 00010246 RAX: ffffda83ffd4be08 RBX: ffffda83ffd4be40 RCX: 0000002c6e800000 RDX: 0000000000000000 RSI: ffffda83ffd4be40 RDI: 0000000000000000 RBP: ffffa11939f02ec0 R08: 0000000094e1a447 R09: 00000000abe76577 R10: 0000000000000962 R11: 0000000000004e6a R12: 0000000000000000 R13: ffffda83b1e06380 R14: ffffa18f31f072c0 R15: ffffda83ffd4be40 FS: 0000000000000000(0000) GS:ffffa0da43b80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000040 CR3: 0000002c77c0a003 CR4: 00000000007626e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? follow_page_pte+0x36d/0x5e0 ksm_scan_thread+0x115e/0x1960 ? remove_wait_queue+0x60/0x60 kthread+0xf5/0x130 ? try_to_merge_with_ksm_page+0x90/0x90 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x1f/0x30 -------------------------------------------------------------------------- Fixes: e86c59b1b12d ("mm/ksm: improve deduplication of zero pages with colouring") Signed-off-by: Muchun Song Co-developed-by: Xiongchun Duan Reviewed-by: David Hildenbrand Reviewed-by: Kirill Tkhai --- Change in v4: 1. Update commit message. 2. If the vma is out of date, just exit. Change in v3: 1. Update "Signed-off-by" to "Co-developed-by" 2. Update commit message Change in v2: 1. Update commit message. 2. Update patch subject from: "mm/ksm: Fix kernel NULL pointer dereference at 0000000000000040" to: "mm/ksm: Fix NULL pointer dereference when KSM zero page is enabled" mm/ksm.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) -- 2.11.0 diff --git a/mm/ksm.c b/mm/ksm.c index a558da9e71770..15339538da299 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -2112,8 +2112,15 @@ static void cmp_and_merge_page(struct page *page, struct rmap_item *rmap_item) down_read(&mm->mmap_sem); vma = find_mergeable_vma(mm, rmap_item->address); - err = try_to_merge_one_page(vma, page, - ZERO_PAGE(rmap_item->address)); + if (vma) + err = try_to_merge_one_page(vma, page, + ZERO_PAGE(rmap_item->address)); + else + /** + * If the vma is out of date, we do not need to + * continue. + */ + err = 0; up_read(&mm->mmap_sem); /* * In case of failure, the page was not really empty, so we