From: Yang Shi
To: naoya.horiguchi@nec.com, hughd@google.com, kirill.shutemov@linux.intel.com, willy@infradead.org, osalvador@suse.de, akpm@linux-foundation.org
Cc: shy828301@gmail.com, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/4] mm: filemap: check if any subpage is hwpoisoned for PMD page fault
Date: Tue, 14 Sep 2021 11:37:15 -0700
Message-Id: <20210914183718.4236-2-shy828301@gmail.com>
In-Reply-To: <20210914183718.4236-1-shy828301@gmail.com>
References: <20210914183718.4236-1-shy828301@gmail.com>

When handling shmem page fault the THP with corrupted subpage could be PMD
mapped if certain conditions are satisfied. But kernel is supposed to
send SIGBUS when trying to map hwpoisoned page.

There are two paths which may do PMD map: fault around and regular fault.

Before commit f9ce0be71d1f ("mm: Cleanup faultaround and finish_fault()
codepaths") the thing was even worse in fault around path. The THP could be
PMD mapped as long as the VMA fits regardless what subpage is accessed and
corrupted. After this commit as long as head page is not corrupted the THP
could be PMD mapped.

In the regular fault path the THP could be PMD mapped as long as the corrupted
page is not accessed and the VMA fits.

Fix the loophole by iterating all subpage to check hwpoisoned one when doing
PMD map, if any is found just fallback to PTE map. Such THP just can be PTE
mapped. Do the check in the icache flush loop in order to avoid iterating
all subpages twice and icache flush is actually noop for most architectures.

Cc:
Signed-off-by: Yang Shi
--- mm/filemap.c | 15 +++++++++------ mm/memory.c | 11 ++++++++++- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/mm/filemap.c b/mm/filemap.c index dae481293b5d..740b7afe159a 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -3195,12 +3195,14 @@ static bool filemap_map_pmd(struct vm_fault *vmf,= struct page *page) } =20 if (pmd_none(*vmf->pmd) && PageTransHuge(page)) { - vm_fault_t ret =3D do_set_pmd(vmf, page); - if (!ret) { - /* The page is mapped successfully, reference consumed. */ - unlock_page(page); - return true; - } + vm_fault_t ret =3D do_set_pmd(vmf, page); + if (ret =3D=3D VM_FAULT_FALLBACK) + goto out; + if (!ret) { + /* The page is mapped successfully, reference consumed. */ + unlock_page(page); + return true; + } } =20 if (pmd_none(*vmf->pmd)) { @@ -3220,6 +3222,7 @@ static bool filemap_map_pmd(struct vm_fault *vmf, s= truct page *page) return true; } =20 +out: return false; } =20 diff --git a/mm/memory.c b/mm/memory.c index 25fc46e87214..1765bf72ed16 100644 --- a/mm/memory.c +++ b/mm/memory.c 
@@ -3920,8 +3920,17 @@ vm_fault_t do_set_pmd(struct vm_fault *vmf, struct= page *page) if (unlikely(!pmd_none(*vmf->pmd))) goto out; =20 - for (i =3D 0; i < HPAGE_PMD_NR; i++) + for (i =3D 0; i < HPAGE_PMD_NR; i++) { + /* + * Just backoff if any subpage of a THP is corrupted otherwise + * the corrupted page may mapped by PMD silently to escape the + * check. This kind of THP just can be PTE mapped. Access to + * the corrupted subpage should trigger SIGBUS as expected. + */ + if (PageHWPoison(page + i)) + goto out; flush_icache_page(vma, page + i); + } =20 entry =3D mk_huge_pmd(page, vma->vm_page_prot); if (write) --=20 2.26.2
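
Review bot: In the mm/filemap.c hunk for filemap_map_pmd(), the new goto out on VM_FAULT_FALLBACK jumps past the following if (pmd_none(*vmf->pmd)) block, which the old code fell through into whenever do_set_pmd() returned non-zero. The function now returns false with that block skipped, so a comment or the commit message should say why the caller copes with that, or the goto could be dropped so the fallback case falls through as before. Note also that in do_set_pmd() the new PageHWPoison exit shares the out label with the existing !pmd_none(*vmf->pmd) exit, so this caller cannot tell the two apart; if treating both the same is intended, say so.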
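
Review bot: In the mm/memory.c hunk, the do_set_pmd() loop samples PageHWPoison(page + i) once per subpage, and nothing in the hunk shows what stops a subpage being marked poisoned after its iteration but before mk_huge_pmd() installs the mapping. Please state in the comment what serialises the check against the flag being set, or that the remaining window is accepted. The comment also needs "may mapped by PMD" changed to "may be mapped by PMD", and since the poison test now rides on the icache flush loop, a sentence saying so would keep the loop from being dropped later on architectures where the flush is a no-op.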