Patch "mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mm-vmalloc-fix-vmalloc-which-may-return-null-if-call.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ee807fe1db767f2d6b4336d0c3b41443de7e205f
Author: Hailong.Liu <hailong.liu@xxxxxxxx>
Date:   Fri May 10 18:01:31 2024 +0800

    mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL
    
    [ Upstream commit 8e0545c83d672750632f46e3f9ad95c48c91a0fc ]
    
    commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc")
    includes support for __GFP_NOFAIL, but it presents a conflict with commit
    dd544141b9eb ("vmalloc: back off when the current task is OOM-killed").  A
    possible scenario is as follows:
    
    process-a
    __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)
        __vmalloc_area_node()
            vm_area_alloc_pages()
                    --> oom-killer send SIGKILL to process-a
            if (fatal_signal_pending(current)) break;
    --> return NULL;
    
    To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages()
    if __GFP_NOFAIL is set.
    
    This issue occurred during OPLUS KASAN TEST. Below is part of the log
    -> oom-killer sends signal to process
    [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198
    
    [65731.259685] [T32454] Call trace:
    [65731.259698] [T32454]  dump_backtrace+0xf4/0x118
    [65731.259734] [T32454]  show_stack+0x18/0x24
    [65731.259756] [T32454]  dump_stack_lvl+0x60/0x7c
    [65731.259781] [T32454]  dump_stack+0x18/0x38
    [65731.259800] [T32454]  mrdump_common_die+0x250/0x39c [mrdump]
    [65731.259936] [T32454]  ipanic_die+0x20/0x34 [mrdump]
    [65731.260019] [T32454]  atomic_notifier_call_chain+0xb4/0xfc
    [65731.260047] [T32454]  notify_die+0x114/0x198
    [65731.260073] [T32454]  die+0xf4/0x5b4
    [65731.260098] [T32454]  die_kernel_fault+0x80/0x98
    [65731.260124] [T32454]  __do_kernel_fault+0x160/0x2a8
    [65731.260146] [T32454]  do_bad_area+0x68/0x148
    [65731.260174] [T32454]  do_mem_abort+0x151c/0x1b34
    [65731.260204] [T32454]  el1_abort+0x3c/0x5c
    [65731.260227] [T32454]  el1h_64_sync_handler+0x54/0x90
    [65731.260248] [T32454]  el1h_64_sync+0x68/0x6c
    
    [65731.260269] [T32454]  z_erofs_decompress_queue+0x7f0/0x2258
    --> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);
            kernel panic by NULL pointer dereference.
            erofs assumes kvmalloc with __GFP_NOFAIL never returns NULL.
    [65731.260293] [T32454]  z_erofs_runqueue+0xf30/0x104c
    [65731.260314] [T32454]  z_erofs_readahead+0x4f0/0x968
    [65731.260339] [T32454]  read_pages+0x170/0xadc
    [65731.260364] [T32454]  page_cache_ra_unbounded+0x874/0xf30
    [65731.260388] [T32454]  page_cache_ra_order+0x24c/0x714
    [65731.260411] [T32454]  filemap_fault+0xbf0/0x1a74
    [65731.260437] [T32454]  __do_fault+0xd0/0x33c
    [65731.260462] [T32454]  handle_mm_fault+0xf74/0x3fe0
    [65731.260486] [T32454]  do_mem_abort+0x54c/0x1b34
    [65731.260509] [T32454]  el0_da+0x44/0x94
    [65731.260531] [T32454]  el0t_64_sync_handler+0x98/0xb4
    [65731.260553] [T32454]  el0t_64_sync+0x198/0x19c
    
    Link: https://lkml.kernel.org/r/20240510100131.1865-1-hailong.liu@xxxxxxxx
    Fixes: 9376130c390a ("mm/vmalloc: add support for __GFP_NOFAIL")
    Signed-off-by: Hailong.Liu <hailong.liu@xxxxxxxx>
    Acked-by: Michal Hocko <mhocko@xxxxxxxx>
    Suggested-by: Barry Song <21cnbao@xxxxxxxxx>
    Reported-by: Oven <liyangouwen1@xxxxxxxx>
    Reviewed-by: Barry Song <baohua@xxxxxxxxxx>
    Reviewed-by: Uladzislau Rezki (Sony) <urezki@xxxxxxxxx>
    Cc: Chao Yu <chao@xxxxxxxxxx>
    Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>
    Cc: Gao Xiang <xiang@xxxxxxxxxx>
    Cc: Lorenzo Stoakes <lstoakes@xxxxxxxxx>
    Cc: Michal Hocko <mhocko@xxxxxxxx>
    Cc: <stable@xxxxxxxxxxxxxxx>
    Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index cab30d9497e6b..c5e30b52844c8 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -2924,7 +2924,7 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
 {
 	unsigned int nr_allocated = 0;
 	gfp_t alloc_gfp = gfp;
-	bool nofail = false;
+	bool nofail = gfp & __GFP_NOFAIL;
 	struct page *page;
 	int i;
 
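Review bot: the declaration `bool nofail = gfp & __GFP_NOFAIL;` changes what the flag means without documenting it. It used to record that the function had stripped __GFP_NOFAIL from alloc_gfp; it now records that the caller passed __GFP_NOFAIL in gfp, whether or not that branch is taken. A one-line comment on the declaration saying it reflects the caller's gfp rather than alloc_gfp would help the next reader, and any other read of nofail further down in vm_area_alloc_pages() (outside the lines shown here) should be checked against the new meaning.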
@@ -2981,12 +2981,11 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
 		 * and compaction etc.
 		 */
 		alloc_gfp &= ~__GFP_NOFAIL;
-		nofail = true;
 	}
 
 	/* High-order pages or fallback path if "bulk" fails. */
 	while (nr_allocated < nr_pages) {
-		if (fatal_signal_pending(current))
+		if (!nofail && fatal_signal_pending(current))
 			break;
 
 		if (nid == NUMA_NO_NODE)
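Review bot: the new condition `if (!nofail && fatal_signal_pending(current))` has no comment explaining why a fatally signalled task keeps allocating, and that is exactly the behaviour a later cleanup is likely to "fix" back. Suggest a comment above the check stating that __GFP_NOFAIL callers do not handle a NULL return, so the OOM-kill back-off must not apply to them. Also note that `alloc_gfp &= ~__GFP_NOFAIL;` is still applied just above, so each page allocation in this loop can fail on its own; skipping the signal check only closes the NULL return if the failure path outside this hunk retries when nofail is set, which is worth confirming for the 6.1 backport since those lines are not part of this diff.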



