From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id CBBBCC00144
	for <linux-mm@archiver.kernel.org>; Mon,  1 Aug 2022 13:02:00 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 161B46B0071; Mon,  1 Aug 2022 09:02:00 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1105C6B0072; Mon,  1 Aug 2022 09:02:00 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id F19398E0001; Mon,  1 Aug 2022 09:01:59 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id E06456B0071
	for <linux-mm@kvack.org>; Mon,  1 Aug 2022 09:01:59 -0400 (EDT)
Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay03.hostedemail.com (Postfix) with ESMTP id 995B9A0B40
	for <linux-mm@kvack.org>; Mon,  1 Aug 2022 13:01:59 +0000 (UTC)
X-FDA: 79751036358.11.6328DB5
Received: from alexa-out-sd-01.qualcomm.com (alexa-out-sd-01.qualcomm.com [199.106.114.38])
	by imf25.hostedemail.com (Postfix) with ESMTP id 9535DA0131
	for <linux-mm@kvack.org>; Mon,  1 Aug 2022 13:01:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=quicinc.com; i=@quicinc.com; q=dns/txt; s=qcdkim;
  t=1659358915; x=1690894915;
  h=message-id:date:mime-version:subject:to:cc:references:
   from:in-reply-to:content-transfer-encoding;
  bh=mxuFY55kREA83okL1GF6GyBWBMStJ9QziVd69vrKeV4=;
  b=jA6WqtHcLuXYXmyJDcQHYEYhhrhBrLSl3v6bER8zdleHmGIetnovEKUG
   z1dTY8wx3PvJGDxYhakLHnmNhoXxNV/Pce/cK7oqwatyNfirR2gHZOsCI
   n8cTy98HoZgjL+fe7F1izbLuNtNPt8zzYlCoYhiuxn8p/NzGyQL2ow93f
   c=;
Received: from unknown (HELO ironmsg04-sd.qualcomm.com) ([10.53.140.144])
  by alexa-out-sd-01.qualcomm.com with ESMTP; 01 Aug 2022 06:01:54 -0700
X-QCInternal: smtphost
Received: from nasanex01c.na.qualcomm.com ([10.47.97.222])
  by ironmsg04-sd.qualcomm.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Aug 2022 06:01:53 -0700
Received: from nalasex01a.na.qualcomm.com (10.47.209.196) by
 nasanex01c.na.qualcomm.com (10.47.97.222) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.986.22; Mon, 1 Aug 2022 06:01:53 -0700
Received: from [10.216.43.100] (10.80.80.8) by nalasex01a.na.qualcomm.com
 (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22; Mon, 1 Aug 2022
 06:01:48 -0700
Message-ID: <54e4ce7d-7cbd-480c-28ba-cba684341b37@quicinc.com>
Date: Mon, 1 Aug 2022 18:31:45 +0530
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
 Thunderbird/91.9.1
Subject: Re: [PATCH V2] mm: fix use-after free of page_ext after race with
 memory-offline
Content-Language: en-US
To: Michal Hocko <mhocko@suse.com>
CC: <akpm@linux-foundation.org>, <david@redhat.com>,
	<quic_pkondeti@quicinc.com>, <pasha.tatashin@soleen.com>, <sjpark@amazon.de>,
	<sieberf@amazon.com>, <shakeelb@google.com>, <dhowells@redhat.com>,
	<willy@infradead.org>, <minchan@kernel.org>, <linux-kernel@vger.kernel.org>,
	<linux-mm@kvack.org>
References: <1658931303-17024-1-git-send-email-quic_charante@quicinc.com>
 <YuKfQoOHG1celfBK@dhcp22.suse.cz>
 <6b646ff2-b6f6-052e-f3f4-3bf05243f049@quicinc.com>
 <YueObAiml8c74DLV@dhcp22.suse.cz>
From: Charan Teja Kalla <quic_charante@quicinc.com>
In-Reply-To: <YueObAiml8c74DLV@dhcp22.suse.cz>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
 nalasex01a.na.qualcomm.com (10.47.209.196)
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1659358917; a=rsa-sha256;
	cv=none;
	b=FrM0aHdDQPcBu3mExLyDaeSBT0mFVyu54Hy+9NWkSvyuAyjS0OFoSwwY2aHHeMpUtPDfLN
	rrmd3CFvDbYYaNxK9hBZWkZBTrkW0alOSv+PugSdJMxajEf8wmF/tmFTW+EGxAnHfRQ7V7
	EAoygeO6fBOVJoLKi2wmXyYaSU5MGDk=
ARC-Authentication-Results: i=1;
	imf25.hostedemail.com;
	dkim=pass header.d=quicinc.com header.s=qcdkim header.b=jA6WqtHc;
	spf=pass (imf25.hostedemail.com: domain of quic_charante@quicinc.com designates 199.106.114.38 as permitted sender) smtp.mailfrom=quic_charante@quicinc.com;
	dmarc=pass (policy=none) header.from=quicinc.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1659358917;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=mxuFY55kREA83okL1GF6GyBWBMStJ9QziVd69vrKeV4=;
	b=CXmTlZYjlZWnbe4RbzLBVF50msc0hbSGpCJ6uAyZ/Ayb0WF9KpIqTxv7qWdu07j4oE88Im
	/COF9g1iT0XwGnlt+ffbG9sdF243a68tvvIBhxAsZBbSITIZEmyd74Lis3Z6gxWLogu8CO
	Mu6IoUxdYM4p6H83lZpbL48Y/zrg6cs=
Authentication-Results: imf25.hostedemail.com;
	dkim=pass header.d=quicinc.com header.s=qcdkim header.b=jA6WqtHc;
	spf=pass (imf25.hostedemail.com: domain of quic_charante@quicinc.com designates 199.106.114.38 as permitted sender) smtp.mailfrom=quic_charante@quicinc.com;
	dmarc=pass (policy=none) header.from=quicinc.com
X-Stat-Signature: 8sppn3erc39ne9aa7ka3zjaz4h93mzmb
X-Rspamd-Queue-Id: 9535DA0131
X-Rspamd-Server: rspam09
X-Rspam-User: 
X-HE-Tag: 1659358915-188823
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Thanks Michal !!

On 8/1/2022 1:57 PM, Michal Hocko wrote:
>> Currently not all the places where page_ext is being used is put under
>> the rcu_lock. I just used rcu lock in the places where it is possible to
>> have the use-after-free of page_ext. You recommend to use rcu lock while
>> using with page_ext in all the places?
> Yes. Using locking inconsistently just begs for future problems. There
> should be a very good reason to use lockless approach in some paths and
> that would be where the locking overhead is not really acceptable or
> when the locking cannot be used for other reasons.
> 
> RCU read lock is essentially zero overhead so the only reason would be
> that the critical section would require to sleep. Is any of that the
> case?
> 
> If there is a real need to have a lockless variant then I would propose
> to add __page_ext_get/put which would be lockless and clearly documented
> under which contexts it can be used and enfore those condictions (e.g.
> reference count assumption).
> 

Let me try to use a single interface here.

>> The roll back operation in the online_page_ext(), where we free the
>> allocated page_ext's, will not have the PAGE_EXT_INVALID flag thus
>> WARN() may not work here. no?
> Wouldn't ms->page_ext be NULL in that case?
I don't think that ms->page_ext would be NULL here.
online_page_ext():
  (a) for (pfn = start; !fail && pfn < end; pfn += PAGES_PER_SECTION)
     fail = init_section_page_ext():
	   ms->page_ext = (void *)base - page_ext_size * pfn;

  //If fail = -ERROR in the middle, roll back operation.
  (b) for (pfn = start; pfn < end; pfn += PAGES_PER_SECTION)
       __free_page_ext();

   Here (b) can be called on the sections without PAGE_EXT_INVALID with
ms->page_ext != NULL.

Thanks,
Charan