Re: [PATCH 0/2] hugetlbfs: close race between MADV_DONTNEED and page fault

[Mike Kravetz <mike.kravetz@oracle.com>]

On 09/19/23 22:16, riel@surriel.com wrote:
> Malloc libraries, like jemalloc and tcalloc, take decisions on when
> to call madvise independently from the code in the main application.
> 
> This sometimes results in the application page faulting on an address,
> right after the malloc library has shot down the backing memory with
> MADV_DONTNEED.
> 
> Usually this is harmless, because we always have some 4kB pages
> sitting around to satisfy a page fault. However, with hugetlbfs
> systems often allocate only the exact number of huge pages that
> the application wants.
> 
> Due to TLB batching, hugetlbfs MADV_DONTNEED will free pages outside of
> any lock taken on the page fault path, which can open up the following
> race condition:
> 
>        CPU 1                            CPU 2
> 
>        MADV_DONTNEED
>        unmap page
>        shoot down TLB entry
>                                        page fault
>                                        fail to allocate a huge page
>                                        killed with SIGBUS
>        free page

Hi Rik,

I think we discussed this before.  Even with your changes there is no
guarantee that the free'ed hugetlb page can not be stolen by another
application.  This is true even with hugetlb reservations as the
reservation is consumed by the first fault.  After the MADV_DONTNEED
no reservation will exist, which allows another application to steal
the page.

This is VERY unlikely to actually happen.  However, I do want to point
out that it is possible.  Of course, the way the code is today you will
always fail if there is only one hugetlb page in the above scenario.  So,
your changes will help tremendously and I support them moving forward.

I suspect you are already aware of this, but just want to make sure you
are aware there are no guarantees here.
-- 
Mike Kravetz

> 
> Fix that race by extending the hugetlb_vma_lock locking scheme to also
> cover private hugetlb mappings (with resv_map), and pulling the locking 
> from __unmap_hugepage_final_range into helper functions called from
> zap_page_range_single. This ensures page faults stay locked out of
> the MADV_DONTNEED VMA until the huge pages have actually been freed.