redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/mm
History
Kirill A. Shutemov 594cced14a khugepaged: fix null-pointer dereference due to race 
khugepaged has to drop mmap lock several times while collapsing a page.
The situation can change while the lock is dropped and we need to
re-validate that the VMA is still in place and the PMD is still subject
for collapse.

But we miss one corner case: while collapsing an anonymous pages the VMA
could be replaced with file VMA.  If the file VMA doesn't have any
private pages we get NULL pointer dereference:

	general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
	KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	anon_vma_lock_write include/linux/rmap.h:120 [inline]
	collapse_huge_page mm/khugepaged.c:1110 [inline]
	khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
	khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
	khugepaged_do_scan mm/khugepaged.c:2193 [inline]
	khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238

The fix is to make sure that the VMA is anonymous in
hugepage_vma_revalidate().  The helper is only used for collapsing
anonymous pages.

Fixes: 99cb0dbd47 ("mm,thp: add read-only THP support for (non-shmem) FS")
Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200722121439.44328-1-kirill.shutemov@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-07-24 12:42:41 -07:00
..
kasan mm: remove __ARCH_HAS_5LEVEL_HACK and include/asm-generic/5level-fixup.h 2020-06-04 19:06:21 -07:00
backing-dev.c bdi: remove the name field in struct backing_dev_info 2020-05-09 16:15:13 -06:00
balloon_compaction.c
cleancache.c
cma.c mm/cma.c: use exact_nid true to fix possible per-numa cma leak 2020-07-03 16:15:25 -07:00
cma.h
cma_debug.c
compaction.c mm, compaction: make capture control handling safe wrt interrupts 2020-06-26 00:27:36 -07:00
debug.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: fix build failure with powerpc 8xx 2020-06-26 00:27:37 -07:00
dmapool.c
early_ioremap.c
fadvise.c mm: return void from various readahead functions 2020-06-02 10:59:06 -07:00
failslab.c
filemap.c fs: Add IOCB_NOIO flag for generic_file_read_iter 2020-07-07 23:40:08 +02:00
frame_vector.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
frontswap.c mm/frontswap: fix some typos in frontswap.c 2020-06-04 19:06:24 -07:00
gup.c mm: Allow arches to provide ptep_get() 2020-06-20 22:14:53 +10:00
gup_benchmark.c
highmem.c
hmm.c mmap locking API: add mmap_assert_locked() and mmap_assert_write_locked() 2020-06-09 09:39:14 -07:00
huge_memory.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
hugetlb.c mm/hugetlb: avoid hardcoding while checking if cma is enabled 2020-07-24 12:42:41 -07:00
hugetlb_cgroup.c
hwpoison-inject.c
init-mm.c mmap locking API: add MMAP_LOCK_INITIALIZER 2020-06-09 09:39:14 -07:00
internal.h mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
interval_tree.c
Kconfig Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-next 2020-06-07 17:25:29 -07:00
Kconfig.debug treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
khugepaged.c khugepaged: fix null-pointer dereference due to race 2020-07-24 12:42:41 -07:00
kmemleak-test.c
kmemleak.c
ksm.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
list_lru.c mm/list_lru: fix a typo in comment "numbesr"->"numbers" 2020-06-04 19:06:24 -07:00
maccess.c maccess: rename probe_user_{read,write} to copy_{from,to}_user_nofault 2020-06-17 10:57:41 -07:00
madvise.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
Makefile The Kernel Concurrency Sanitizer (KCSAN) 2020-06-11 18:55:43 -07:00
mapping_dirty_helpers.c
memblock.c mm/memblock: fix a typo in comment "implict"->"implicit" 2020-06-04 19:06:23 -07:00
memcontrol.c mm/memcg: fix refcount error while moving and swapping 2020-07-24 12:42:41 -07:00
memfd.c
memory-failure.c mm/memory-failure: send SIGBUS(BUS_MCEERR_AR) only to current thread 2020-06-11 18:17:47 -07:00
memory.c mm: initialize return of vm_insert_pages 2020-07-24 12:42:41 -07:00
memory_hotplug.c mm/memory_hotplug.c: fix false softlockup during pfn range removal 2020-06-26 00:27:38 -07:00
mempolicy.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mempool.c
memremap.c
memtest.c
migrate.c Raise gcc version requirement to 4.9 2020-07-08 10:48:35 -07:00
mincore.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
mlock.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mm_init.c mm/mm_init.c: report kasan-tag information stored in page->flags 2020-06-02 10:59:12 -07:00
mmap.c mm/mmap.c: close race between munmap() and expand_upwards()/downwards() 2020-07-24 12:42:41 -07:00
mmu_gather.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mmu_notifier.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mmzone.c
mprotect.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mremap.c mm: document warning in move_normal_pmd() and make it warn only once 2020-07-13 11:37:39 -07:00
msync.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
nommu.c mm: remove vmalloc_exec 2020-06-26 00:27:38 -07:00
oom_kill.c kernel: better document the use_mm/unuse_mm API contract 2020-06-10 19:14:18 -07:00
page-writeback.c mm/page-writeback: fix a typo in comment "effictive"->"effective" 2020-06-04 19:06:24 -07:00
page_alloc.c mm/page_alloc: fix documentation error 2020-07-03 16:15:25 -07:00
page_counter.c
page_ext.c
page_idle.c mm/page_idle.c: skip offline pages 2020-06-08 11:05:55 -07:00
page_io.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
page_isolation.c mm: Allow to offline unmovable PageOffline() pages via MEM_GOING_OFFLINE 2020-06-04 15:36:52 -04:00
page_owner.c mm: rename gfpflags_to_migratetype to gfp_migratetype for same convention 2020-06-03 20:09:45 -07:00
page_poison.c
page_reporting.c
page_reporting.h mm: introduce include/linux/pgtable.h 2020-06-09 09:39:13 -07:00
page_vma_mapped.c
pagewalk.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
percpu-internal.h
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
pgtable-generic.c mm: introduce include/linux/pgtable.h 2020-06-09 09:39:13 -07:00
process_vm_access.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
ptdump.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
readahead.c mm: use memalloc_nofs_save in readahead path 2020-06-02 10:59:07 -07:00
rmap.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
rodata_test.c maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault 2020-06-17 10:57:41 -07:00
shmem.c vfs/xattr: mm/shmem: kernfs: release simple xattr entry in a right way 2020-07-24 12:42:41 -07:00
shuffle.c
shuffle.h
slab.c mm/page_alloc: integrate classzone_idx and high_zoneidx 2020-06-03 20:09:44 -07:00
slab.h mm, slab: fix sign conversion problem in memcg_uncharge_slab() 2020-06-26 00:27:37 -07:00
slab_common.c mm: memcg/slab: fix memory leak at non-root kmem_cache destroy 2020-07-24 12:42:41 -07:00
slob.c
slub.c slub: cure list_slab_objects() from double fix 2020-06-26 00:27:37 -07:00
sparse-vmemmap.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
sparse.c mm: don't include asm/pgtable.h if linux/mm.h is already included 2020-06-09 09:39:13 -07:00
swap.c mm/swap: fix for "mm: workingset: age nonresident information alongside anonymous pages" 2020-06-26 00:27:38 -07:00
swap_cgroup.c mm: memcontrol: make swap tracking an integral part of memory control 2020-06-03 20:09:48 -07:00
swap_slots.c
swap_state.c mm: fix swap cache node allocation mask 2020-06-26 00:27:37 -07:00
swapfile.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
truncate.c
usercopy.c
userfaultfd.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
util.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
vmacache.c kernel: better document the use_mm/unuse_mm API contract 2020-06-10 19:14:18 -07:00
vmalloc.c mm: remove vmalloc_exec 2020-06-26 00:27:38 -07:00
vmpressure.c
vmscan.c mm: workingset: age nonresident information alongside anonymous pages 2020-06-26 00:27:37 -07:00
vmstat.c mm/vmstat.c: convert to use DEFINE_SEQ_ATTRIBUTE macro 2020-06-04 19:06:26 -07:00
workingset.c mm: workingset: age nonresident information alongside anonymous pages 2020-06-26 00:27:37 -07:00
z3fold.c mm/z3fold: silence kmemleak false positives of slots 2020-05-28 11:35:40 -07:00
zbud.c mm: use false for bool variable 2020-06-04 19:06:24 -07:00
zpool.c
zsmalloc.c mm: reorder includes after introduction of linux/pgtable.h 2020-06-09 09:39:13 -07:00
zswap.c