On Wed, 2023-11-01 at 14:36 +0800, Edward Adam Davis wrote:
> When obtaining resv_map from vma, it is necessary to simultaneously
> determine
> the flag HPAGE_RESV_OWNER of vm_private_data.
> Only when they are met simultaneously, resv_map is valid.
>
> Reported-and-tested-by:
> syzbot+6ada951e7c0f7bc8a71e@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: bf4916922c60 ("hugetlbfs: extend hugetlb_vma_lock to private
> VMAs")
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> ---
> include/linux/hugetlb.h | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
> index 47d25a5e1933..1a3ec1aee1a3 100644
> --- a/include/linux/hugetlb.h
> +++ b/include/linux/hugetlb.h
> @@ -1265,9 +1265,11 @@ static inline bool __vma_shareable_lock(struct
> vm_area_struct *vma)
> return (vma->vm_flags & VM_MAYSHARE) && vma->vm_private_data;
> }
>
> +#define HPAGE_RESV_OWNER (1UL << 0)
> static inline bool __vma_private_lock(struct vm_area_struct *vma)
> {
> - return (!(vma->vm_flags & VM_MAYSHARE)) && vma-
> >vm_private_data;
> + return (!(vma->vm_flags & VM_MAYSHARE)) && vma-
> >vm_private_data &&
> + ((unsigned long)vma->vm_private_data &
> HPAGE_RESV_OWNER);
> }

This could be cleaned up a bit by moving the HPAGE_RESV_OWNER
definition (and its friends) into hugetlb.h, as well as the
is_vma_resv_set() helper function.

Then __vma_private_lock() can just call is_vma_resv_set(), and open
coding a duplicate of the same code.

Not having duplicates of the code will make it much harder to "miss a
spot" with future changes.

I am still struggling to find a place where we might leave
HPAGE_RESV_OWNER behind on a pointer that is otherwise NULL, but if
your tests show this fixes the issue, I'm all for it :)

--
All Rights Reversed.
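Review bot: the hunk introduces a second definition of HPAGE_RESV_OWNER in include/linux/hugetlb.h (`+#define HPAGE_RESV_OWNER (1UL << 0)`) while the reply above says the definition and its friends already live elsewhere, so either the existing definition and the is_vma_resv_set() helper should be moved into the header and the new `#define` dropped, or the two copies will need to be kept in sync by hand; a redefinition in a translation unit that sees both would also trip a compiler warning. A smaller point on the new return expression: once `((unsigned long)vma->vm_private_data & HPAGE_RESV_OWNER)` is required to be non-zero, the preceding `vma->vm_private_data` truthiness test is redundant, since a value with that bit set is never NULL, so the condition can be written as the VM_MAYSHARE check combined with the flag test alone (or simply as a call to is_vma_resv_set()). The changelog should also say how a vm_private_data value without HPAGE_RESV_OWNER reaches __vma_private_lock(), since the reviewer notes that path is not yet understood and a future reader of the Fixes: tag will want it.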