From: Baolin Wang
To: akpm@linux-foundation.org
Cc: willy@infradead.org, viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz, baolin.wang@linux.alibaba.com, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs: improve dump_mapping() robustness
Date: Tue, 16 Jan 2024 15:53:35 +0800
Message-Id: <937ab1f87328516821d39be672b6bc18861d9d3e.1705391420.git.baolin.wang@linux.alibaba.com>
X-Patchwork-Id: 13520528

We met a kernel crash issue when running stress-ng testing, and the system crashes when printing the dentry name in dump_mapping().

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : dentry_name+0xd8/0x224
lr : pointer+0x22c/0x370
sp : ffff800025f134c0
......
Call trace:
  dentry_name+0xd8/0x224
  pointer+0x22c/0x370
  vsnprintf+0x1ec/0x730
  vscnprintf+0x2c/0x60
  vprintk_store+0x70/0x234
  vprintk_emit+0xe0/0x24c
  vprintk_default+0x3c/0x44
  vprintk_func+0x84/0x2d0
  printk+0x64/0x88
  __dump_page+0x52c/0x530
  dump_page+0x14/0x20
  set_migratetype_isolate+0x110/0x224
  start_isolate_page_range+0xc4/0x20c
  offline_pages+0x124/0x474
  memory_block_offline+0x44/0xf4
  memory_subsys_offline+0x3c/0x70
  device_offline+0xf0/0x120
  ......

The root cause is that one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1.

Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag.

The page migration issue has been fixed by commit d1adb25df711 ("mm: migrate: fix getting incorrect page mapping during page migration"). In addition, Matthew suggested we should also improve dump_mapping()'s robustness to be resilient against the kernel crash [1].

By checking the 'dentry.parent' and 'dentry.d_name.name' used by dentry_name(), I can see dump_mapping() will output the invalid dentry instead of crashing the system when this issue is reproduced again.

[12211.189128] page:fffff7de047741c0 refcount:1 mapcount:0 mapping:ffff989117f55ea0 index:0x1 pfn:0x211dd07
[12211.189144] aops:0x0 ino:1 invalid dentry:74786574206e6870
[12211.189148] flags: 0x57ffffc0000001(locked|node=1|zone=2|lastcpupid=0x1fffff)
[12211.189150] page_type: 0xffffffff()
[12211.189153] raw: 0057ffffc0000001 0000000000000000 dead000000000122 ffff989117f55ea0
[12211.189154] raw: 0000000000000001 0000000000000001 00000001ffffffff 0000000000000000
[12211.189155] page dumped because: unmovable page

[1] https://lore.kernel.org/all/ZXxn%2F0oixJxxAnpF@casper.infradead.org/

Suggested-by: Matthew Wilcox
Signed-off-by: Baolin Wang
--- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/inode.c b/fs/inode.c index 99d8754a74a3..3093e3b3fd12 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -589,7 +589,8 @@ void dump_mapping(const struct address_space *mapping) } dentry_ptr = container_of(dentry_first, struct dentry, d_u.d_alias); - if (get_kernel_nofault(dentry, dentry_ptr)) { + if (get_kernel_nofault(dentry, dentry_ptr) || + !dentry.d_parent || !dentry.d_name.name) { pr_warn("aops:%ps ino:%lx invalid dentry:%px\n", a_ops, ino, dentry_ptr); return;
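
Review bot: the added condition `!dentry.d_parent || !dentry.d_name.name` in dump_mapping() rejects only NULL values, so a dentry copied from an object that is not really a dentry (the anon_vma case described in the commit message) still passes when those two fields hold non-NULL garbage. Since the copy itself is already guarded by get_kernel_nofault(), consider probing d_parent and d_name.name the same way before they are used, or at minimum add a comment above the new condition stating that these are the fields dentry_name() dereferences and that the check is best-effort against the NULL case seen in the reported crash. Separately, more cases now reach the pr_warn() in this branch, which prints dentry_ptr with %px and therefore writes the raw pointer value to the log; worth confirming that is still intended for a value that may not be a valid dentry address.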