linux/mm
Miaohe Lin f708f6970c mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio
A kernel crash was observed when migrating hugetlb folio:

BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 0 P4D 0
Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 3435 Comm: bash Not tainted 6.10.0-rc6-00450-g8578ca01f21f #66
RIP: 0010:__folio_undo_large_rmappable+0x70/0xb0
RSP: 0018:ffffb165c98a7b38 EFLAGS: 00000097
RAX: fffffbbc44528090 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffa30e000a2800 RSI: 0000000000000246 RDI: ffffa3153ffffcc0
RBP: fffffbbc44528000 R08: 0000000000002371 R09: ffffffffbe4e5868
R10: 0000000000000001 R11: 0000000000000001 R12: ffffa3153ffffcc0
R13: fffffbbc44468000 R14: 0000000000000001 R15: 0000000000000001
FS:  00007f5b3a716740(0000) GS:ffffa3151fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010959a000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 __folio_migrate_mapping+0x59e/0x950
 __migrate_folio.constprop.0+0x5f/0x120
 move_to_new_folio+0xfd/0x250
 migrate_pages+0x383/0xd70
 soft_offline_page+0x2ab/0x7f0
 soft_offline_page_store+0x52/0x90
 kernfs_fop_write_iter+0x12c/0x1d0
 vfs_write+0x380/0x540
 ksys_write+0x64/0xe0
 do_syscall_64+0xb9/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b3a514887
RSP: 002b:00007ffe138fce68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f5b3a514887
RDX: 000000000000000c RSI: 0000556ab809ee10 RDI: 0000000000000001
RBP: 0000556ab809ee10 R08: 00007f5b3a5d1460 R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
R13: 00007f5b3a61b780 R14: 00007f5b3a617600 R15: 00007f5b3a616a00

It's because hugetlb folio is passed to __folio_undo_large_rmappable()
unexpectedly.  large_rmappable flag is imperceptibly set to hugetlb folio
since commit f6a8dd98a2 ("hugetlb: convert alloc_buddy_hugetlb_folio to
use a folio").  Then commit be9581ea8c ("mm: fix crashes from deferred
split racing folio migration") makes folio_migrate_mapping() call
folio_undo_large_rmappable() triggering the bug.  Fix this issue by
clearing large_rmappable flag for hugetlb folios.  They don't need that
flag set anyway.

Link: https://lkml.kernel.org/r/20240709120433.4136700-1-linmiaohe@huawei.com
Fixes: f6a8dd98a2 ("hugetlb: convert alloc_buddy_hugetlb_folio to use a folio")
Fixes: be9581ea8c ("mm: fix crashes from deferred split racing folio migration")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-07-09 15:41:11 -07:00
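The commit message above describes a flag/invariant mismatch: `large_rmappable` promises that the folio's deferred-split list was initialised and is safe to unlink, but hugetlb folios get the flag without honouring that promise, so the migration path added by be9581ea8c walks garbage. The following userspace C model is an added example, not the kernel's own code or the patch; every struct layout, field name and helper here is a simplified assumption (in particular that hugetlb fields share storage with the THP deferred list, which is consistent with the write fault at address 8 in the oops but is not verified from the page). It shows the buggy allocation path, the fixed one that clears the flag, and that a normally queued THP is still unlinked correctly.

```c
/*
 * Added model of the hugetlb large_rmappable bug (not kernel code).
 * Assumption: names, layouts and the deferred-split queue are stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static bool list_empty(const struct list_head *l) { return l->next == l; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_del_init(struct list_head *l)
{
    l->next->prev = l->prev;   /* with next == NULL this is a write to offset 8 */
    l->prev->next = l->next;
    INIT_LIST_HEAD(l);
}

#define PG_large_rmappable (1u << 0)
#define PG_hugetlb         (1u << 1)

/* Assumption: hugetlb per-folio fields overlay the THP deferred-list storage. */
struct folio {
    unsigned flags;
    union {
        struct list_head _deferred_list;
        struct { void *subpool; void *cgroup; } hugetlb;
    };
};

struct deferred_split { struct list_head split_queue; unsigned long len; };

static void folio_prep_large_rmappable(struct folio *f)
{
    f->flags |= PG_large_rmappable;
    INIT_LIST_HEAD(&f->_deferred_list);
}

/* Pre-fix path: generic large-folio prep runs, then hugetlb zeroes its own
 * fields on top of the list linkage while the flag stays set. */
static void hugetlb_alloc_buggy(struct folio *f)
{
    folio_prep_large_rmappable(f);
    f->flags |= PG_hugetlb;
    f->hugetlb.subpool = NULL;
    f->hugetlb.cgroup = NULL;
}

/* Fixed path, as the commit message describes: hugetlb clears the flag. */
static void hugetlb_alloc_fixed(struct folio *f)
{
    hugetlb_alloc_buggy(f);
    f->flags &= ~PG_large_rmappable;
}

/* Returns -1 where the real kernel would oops on a NULL list pointer, else 0. */
static int folio_undo_large_rmappable(struct folio *f, struct deferred_split *ds)
{
    if (!(f->flags & PG_large_rmappable))
        return 0;                      /* nothing was ever queued */
    if (list_empty(&f->_deferred_list))
        return 0;
    if (!f->_deferred_list.next || !f->_deferred_list.prev)
        return -1;                     /* stand-in for the NULL dereference */
    ds->len--;
    list_del_init(&f->_deferred_list);
    return 0;
}

/* Migration path after be9581ea8c: undo deferred split before moving. */
static int folio_migrate_mapping(struct folio *f, struct deferred_split *ds)
{
    return folio_undo_large_rmappable(f, ds);
}

/* Scenario: migrate a hugetlb folio allocated by either path. */
static int migrate_hugetlb(bool fixed)
{
    struct folio f; struct deferred_split ds;
    memset(&f, 0, sizeof f);
    INIT_LIST_HEAD(&ds.split_queue); ds.len = 0;
    if (fixed) hugetlb_alloc_fixed(&f); else hugetlb_alloc_buggy(&f);
    return folio_migrate_mapping(&f, &ds);
}

/* Scenario: a THP on the deferred-split queue; returns remaining queue length. */
static long migrate_queued_thp(void)
{
    struct folio f; struct deferred_split ds;
    memset(&f, 0, sizeof f);
    INIT_LIST_HEAD(&ds.split_queue); ds.len = 0;
    folio_prep_large_rmappable(&f);
    list_add(&f._deferred_list, &ds.split_queue); ds.len++;
    if (folio_migrate_mapping(&f, &ds) != 0) return -1;
    return list_empty(&ds.split_queue) ? (long)ds.len : -2;
}

int main(void)
{
    printf("hugetlb, buggy alloc: %d (-1 = would oops)\n", migrate_hugetlb(false));
    printf("hugetlb, fixed alloc: %d\n", migrate_hugetlb(true));
    printf("queued THP, remaining queue len: %ld\n", migrate_queued_thp());
    return 0;
}
```

The point to take from the model is the direction of the fix: rather than teaching every consumer of `large_rmappable` to special-case hugetlb, the allocation path stops asserting an invariant it does not maintain, so `folio_undo_large_rmappable()` can keep trusting the flag.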
damon mm/damon/core: merge regions aggressively when max_nr_regions is unmet 2024-07-03 22:40:36 -07:00
kasan kasan: fix bad call to unpoison_slab_object 2024-06-24 20:52:09 -07:00
kfence
kmsan kmsan: do not wipe out origin when doing partial unpoisoning 2024-06-05 19:19:25 -07:00
Kconfig The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
Kconfig.debug
Makefile mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
backing-dev.c
balloon_compaction.c
bootmem_info.c
cma.c
cma.h
cma_debug.c
cma_sysfs.c
compaction.c mm: handle profiling for fake memory allocations during compaction 2024-06-24 20:52:09 -07:00
debug.c
debug_page_alloc.c
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick 2024-06-15 10:43:08 -07:00
dmapool.c
dmapool_test.c
early_ioremap.c
execmem.c
fadvise.c
fail_page_alloc.c
failslab.c
filemap.c filemap: replace pte_offset_map() with pte_offset_map_nolock() 2024-07-09 15:41:10 -07:00
folio-compat.c
gup.c mm: gup: stop abusing try_grab_folio 2024-07-06 11:39:51 -07:00
gup_test.c
gup_test.h
highmem.c
hmm.c
huge_memory.c mm: gup: stop abusing try_grab_folio 2024-07-06 11:39:51 -07:00
hugetlb.c mm/hugetlb: fix kernel NULL pointer dereference when migrating hugetlb folio 2024-07-09 15:41:11 -07:00
hugetlb_cgroup.c
hugetlb_vmemmap.c mm/hugetlb_vmemmap: fix race with speculative PFN walkers 2024-07-03 22:40:38 -07:00
hugetlb_vmemmap.h
hwpoison-inject.c
init-mm.c
internal.h mm: gup: stop abusing try_grab_folio 2024-07-06 11:39:51 -07:00
interval_tree.c
io-mapping.c
ioremap.c
khugepaged.c
kmemleak.c mm: lift gfp_kmemleak_mask() to gfp.h 2024-05-19 14:40:44 -07:00
ksm.c mm/ksm: fix ksm_zero_pages accounting 2024-06-05 19:19:26 -07:00
list_lru.c
maccess.c
madvise.c mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
mapping_dirty_helpers.c
memblock.c memblock: use numa_valid_node() helper to check for invalid node ID 2024-06-16 10:17:57 +03:00
memcontrol.c mm: fix crashes from deferred split racing folio migration 2024-07-06 11:39:51 -07:00
memfd.c
memory-failure.c mm/memory-failure: fix handling of dissolved but not taken off from buddy pages 2024-05-24 11:55:08 -07:00
memory-tiers.c
memory.c mm/memory: don't require head page for do_set_pmd() 2024-06-24 20:52:11 -07:00
memory_hotplug.c
mempolicy.c
mempool.c mm: fix xyz_noprof functions calling profiled functions 2024-06-05 19:19:26 -07:00
memremap.c
memtest.c
migrate.c mm: fix crashes from deferred split racing folio migration 2024-07-06 11:39:51 -07:00
migrate_device.c The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
mincore.c
mlock.c
mm_init.c Revert "mm: init_mlocked_on_free_v3" 2024-06-15 10:43:05 -07:00
mm_slot.h
mmap.c mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
mmap_lock.c
mmu_gather.c
mmu_notifier.c
mmzone.c
mprotect.c mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
mremap.c mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
mseal.c mseal: add mseal syscall 2024-05-23 19:40:26 -07:00
msync.c
nommu.c The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
oom_kill.c
page-writeback.c mm: avoid overflows in dirty throttling logic 2024-07-03 12:29:24 -07:00
page_alloc.c mm/page_alloc: Separate THP PCP into movable and non-movable categories 2024-06-24 20:52:11 -07:00
page_counter.c
page_ext.c
page_idle.c
page_io.c mm: drop the 'anon_' prefix for swap-out mTHP counters 2024-06-05 19:19:23 -07:00
page_isolation.c
page_owner.c mm/page-owner: use gfp_nested_mask() instead of open coded masking 2024-05-19 14:40:44 -07:00
page_poison.c
page_reporting.c
page_reporting.h
page_table_check.c mm/page_table_check: fix crash on ZONE_DEVICE 2024-06-15 10:43:04 -07:00
page_vma_mapped.c
pagewalk.c
percpu-internal.h
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu.c
pgalloc-track.h
pgtable-generic.c
process_vm_access.c
ptdump.c
readahead.c mm/readahead: limit page cache size in page_cache_ra_order() 2024-07-03 22:40:37 -07:00
rmap.c
rodata_test.c
secretmem.c
shmem.c mm/shmem: disable PMD-sized page cache if needed 2024-07-03 22:40:37 -07:00
shmem_quota.c
show_mem.c
shrinker.c
shrinker_debug.c
shuffle.c
shuffle.h
slab.h The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
slab_common.c The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
slub.c mm/slab: fix 'variable obj_exts set but not used' warning 2024-06-24 20:52:09 -07:00
sparse-vmemmap.c
sparse.c
swap.c
swap.h
swap_cgroup.c
swap_slots.c
swap_state.c
swapfile.c getting rid of bogus set_blocksize() uses, switching it 2024-05-21 08:34:51 -07:00
truncate.c
usercopy.c
userfaultfd.c The usual shower of singleton fixes and minor series all over MM, 2024-05-19 09:21:03 -07:00
util.c hardening fixes for v6.10-rc5 2024-06-17 12:00:22 -07:00
vmalloc.c mm: vmalloc: check if a hash-index is in cpu_possible_mask 2024-07-03 22:40:36 -07:00
vmpressure.c
vmscan.c mm: drop the 'anon_' prefix for swap-out mTHP counters 2024-06-05 19:19:23 -07:00
vmstat.c
workingset.c cachestat: do not flush stats in recency check 2024-07-03 22:40:37 -07:00
z3fold.c
zbud.c
zpool.c
zsmalloc.c
zswap.c