releases/5.12.19/mm-hugetlb-fix-refs-calculation-from-unaligned-vaddr.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d08af0a59684e18a51aa4bfd24c658994ea3fc5b Mon Sep 17 00:00:00 2001
 From: Joao Martins <joao.m.martins@oracle.com>
 Date: Wed, 14 Jul 2021 21:27:11 -0700
 Subject: mm/hugetlb: fix refs calculation from unaligned @vaddr

 From: Joao Martins <joao.m.martins@oracle.com>

 commit d08af0a59684e18a51aa4bfd24c658994ea3fc5b upstream.

 Commit 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
 refactored the count of subpages but missed an edge case when @vaddr is
 not aligned to PAGE_SIZE e.g.  when close to vma->vm_end.  It would then
 errousnly set @refs to 0 and record_subpages_vmas() wouldn't set the
 @pages array element to its value, consequently causing the reported
 null-deref by syzbot.

 Fix it by aligning down @vaddr by PAGE_SIZE in @refs calculation.

 Link: https://lkml.kernel.org/r/20210713152440.28650-1-joao.m.martins@oracle.com
 Fixes: 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
 Reported-by: syzbot+a3fcd59df1b372066f5a@syzkaller.appspotmail.com
 Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
 Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
 Cc: <stable@vger.kernel.org>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  mm/hugetlb.c |    5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

 --- a/mm/hugetlb.c
 +++ b/mm/hugetlb.c
 @@ -5029,8 +5029,9 @@ long follow_hugetlb_page(struct mm_struc
  			continue;
  		}

 -		refs = min3(pages_per_huge_page(h) - pfn_offset,
 -			    (vma->vm_end - vaddr) >> PAGE_SHIFT, remainder);
 +		/* vaddr may not be aligned to PAGE_SIZE */
 +		refs = min3(pages_per_huge_page(h) - pfn_offset, remainder,
 +		    (vma->vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT);

  		if (pages || vmas)
  			record_subpages_vmas(mem_map_offset(page, pfn_offset),
	From d08af0a59684e18a51aa4bfd24c658994ea3fc5b Mon Sep 17 00:00:00 2001
	From: Joao Martins <joao.m.martins@oracle.com>
	Date: Wed, 14 Jul 2021 21:27:11 -0700
	Subject: mm/hugetlb: fix refs calculation from unaligned @vaddr

	From: Joao Martins <joao.m.martins@oracle.com>

	commit d08af0a59684e18a51aa4bfd24c658994ea3fc5b upstream.

	Commit 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
	refactored the count of subpages but missed an edge case when @vaddr is
	not aligned to PAGE_SIZE e.g. when close to vma->vm_end. It would then
	errousnly set @refs to 0 and record_subpages_vmas() wouldn't set the
	@pages array element to its value, consequently causing the reported
	null-deref by syzbot.

	Fix it by aligning down @vaddr by PAGE_SIZE in @refs calculation.

	Link: https://lkml.kernel.org/r/20210713152440.28650-1-joao.m.martins@oracle.com
	Fixes: 82e5d378b0e47 ("mm/hugetlb: refactor subpage recording")
	Reported-by: syzbot+a3fcd59df1b372066f5a@syzkaller.appspotmail.com
	Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
	Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	mm/hugetlb.c \| 5 +++--
	1 file changed, 3 insertions(+), 2 deletions(-)

	--- a/mm/hugetlb.c
	+++ b/mm/hugetlb.c
	@@ -5029,8 +5029,9 @@ long follow_hugetlb_page(struct mm_struc
	continue;
	}

	- refs = min3(pages_per_huge_page(h) - pfn_offset,
	- (vma->vm_end - vaddr) >> PAGE_SHIFT, remainder);
	+ /* vaddr may not be aligned to PAGE_SIZE */
	+ refs = min3(pages_per_huge_page(h) - pfn_offset, remainder,
	+ (vma->vm_end - ALIGN_DOWN(vaddr, PAGE_SIZE)) >> PAGE_SHIFT);

	if (pages \|\| vmas)
	record_subpages_vmas(mem_map_offset(page, pfn_offset),