From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
maple-tree@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
Matthew Wilcox <willy@infradead.org>,
Suren Baghdasaryan <surenb@google.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Subject: [PATCH 0/8] Fix VMA tree modification under mmap read lock
Date: Mon, 27 Mar 2023 14:55:24 -0400
Message-ID: <20230327185532.2354250-1-Liam.Howlett@oracle.com>
Syzbot reported a BUG_ON in mm/mmap.c which was found to be caused
by an inconsistency between threads walking the VMA maple tree.
The inconsistency is caused by the page fault handler modifying the
maple tree while holding the mmap_lock for read.

This only happens for stack VMAs. We had thought this was safe as it only
modifies a single pivot in the tree. Unfortunately, syzbot constructed
a test case where the stack had no guard page and grew the stack to abut
the next VMA. This causes us to delete the NULL entry between the two
VMAs and rewrite the node.

We considered several options for fixing this, including dropping the
mmap_lock, then reacquiring it for write; and relaxing the definition of
the tree to permit a zero-length NULL entry in the node. We decided the
best option was to backport some of the RCU patches from -next, which
solve the problem by allocating a new node and RCU-freeing the old node.
Since the problem exists in 6.1, we preferred a solution which is
similar to the one we intended to merge in the next merge window.

These patches have been in -next since next-20230301, and have received
intensive testing in Android as part of the RCU page fault patchset.
They were also sent as part of the "Per-VMA locks" v4 patch series.

Patches 1 to 7 are bug fixes for RCU mode of the tree and patch 8 enables
RCU mode for the tree.

Performance v6.3-rc3 vs patched v6.3-rc3:
Running these changes through mmtests showed there was a 15-20%
performance decrease in will-it-scale/brk1-processes. This tests creating
and inserting a single VMA repeatedly through the brk interface and
isn't representative of any real world applications.
Liam R. Howlett (8):
maple_tree: be more cautious about dead nodes
maple_tree: detect dead nodes in mas_start()
maple_tree: fix freeing of nodes in rcu mode
maple_tree: remove extra smp_wmb() from mas_dead_leaves()
maple_tree: fix write memory barrier of nodes once dead for RCU mode
maple_tree: add smp_rmb() to dead node detection
maple_tree: add RCU lock checking to rcu callback functions
mm: enable maple tree RCU mode by default.
include/linux/mm_types.h | 3 +-
kernel/fork.c | 3 +
lib/maple_tree.c | 269 +++++++++++++++++++++----------
mm/mmap.c | 3 +-
tools/testing/radix-tree/maple.c | 16 ++
5 files changed, 207 insertions(+), 87 deletions(-)
--
2.39.2