Message-ID: <59bf3c2e-d58b-41af-ab10-3e631d802229@bytedance.com>
Date: Tue, 13 Aug 2024 14:19:03 +0800
Subject: Re: [PATCH 1/2] userfaultfd: Fix pmd_trans_huge() recheck race
From: Qi Zheng
To: Jann Horn
Cc: Andrew Morton, Pavel Emelyanov, Andrea Arcangeli, Hugh Dickins, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20240812-uffd-thp-flip-fix-v1-1-4fc1db7ccdd0@google.com>
References: <20240812-uffd-thp-flip-fix-v1-0-4fc1db7ccdd0@google.com> <20240812-uffd-thp-flip-fix-v1-1-4fc1db7ccdd0@google.com>

Hi Jann,

On 2024/8/13 00:42, Jann Horn wrote:
> The following race can occur:
>
> mfill_atomic                          other thread
> ============                          ============
>
> pmdp_get_lockless() [reads none pmd]
>
>
>
>   __pte_alloc [no-op]
>
>
> BUG_ON(pmd_none(*dst_pmd))
>
> I have experimentally verified this in a kernel with extra mdelay() calls;
> the BUG_ON(pmd_none(*dst_pmd)) triggers.
>
> On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow
> pte_offset_map[_lock]() to fail"), this can't lead to anything worse than
> a BUG_ON(), since the page table access helpers are actually designed to
> deal with page tables concurrently disappearing; but on older kernels
> (<=6.4), I think we could probably theoretically race past the two BUG_ON()
> checks and end up treating a hugepage as a page table.
>
> Cc: stable@vger.kernel.org
> Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
> Signed-off-by: Jann Horn > --- > mm/userfaultfd.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c > index e54e5c8907fa..ec3750467aa5 100644 > --- a/mm/userfaultfd.c > +++ b/mm/userfaultfd.c > @@ -801,7 +801,8 @@ static __always_inline ssize_t mfill_atomic(struct userfaultfd_ctx *ctx, > break; > } > /* If an huge pmd materialized from under us fail */ > - if (unlikely(pmd_trans_huge(*dst_pmd))) { > + dst_pmdval = pmdp_get_lockless(dst_pmd); > + if (unlikely(pmd_none(dst_pmdval) || pmd_trans_huge(dst_pmdval))) { Before commit 0d940a9b270b, should we also check for is_pmd_migration_entry(), pmd_devmap() and pmd_bad() here? Thanks, Qi > err = -EFAULT; > break; > } >
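Review bot: the unchanged comment above the changed check, "/* If an huge pmd materialized from under us fail */", no longer describes the whole condition: the new `+ if (unlikely(pmd_none(dst_pmdval) || pmd_trans_huge(dst_pmdval)))` also returns -EFAULT when the lockless read sees a none entry, i.e. when the page table was zapped under us rather than a huge PMD appearing. Reword the comment to name both cases (huge PMD materialized, or the table disappeared) so that an -EFAULT caused by a transient none entry is not later read as a bug. Snapshotting into dst_pmdval and running both tests on the same value is the right shape for a lockless recheck; the hunk does not show where dst_pmdval is declared, so it is worth confirming in the full function that it is the existing local from the earlier pmdp_get_lockless() read and not a freshly introduced, uninitialised variable.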
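As an added illustration of the interleaving in Jann's commit message above (a constructed user-space model written for this page, not kernel code and not part of the thread), the block below replays the sequence lockless read, __pte_alloc, pmd_trans_huge() recheck, BUG_ON(pmd_none(*dst_pmd)) against a scripted "other thread", and compares the pre-patch recheck (one fresh *dst_pmd read per test) with the patched one (one snapshot, checked for none and trans_huge). Assumptions, all mine: a PMD is a three-state atomic int; the other thread is a list of states written at the interleaving points the commit message describes, standing in for the mdelay() windows; BUG_ON and "treat a hugepage as a page table" are reported as return codes instead of crashing; the older-kernel path after BUG_ON(pmd_none) is collapsed to a single use of the entry.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed model only: these are not the kernel's pmd_t or helpers. */
enum pmd_state { PMD_NONE = 0, PMD_TABLE = 1, PMD_HUGE = 2 };

enum outcome {
	OUT_TABLE = 0,             /* proceeded with a real page table */
	OUT_EFAULT = -14,          /* bailed out cleanly, as the patched code does */
	OUT_BUG_ON = -1000,        /* BUG_ON(pmd_none(*dst_pmd)) would fire */
	OUT_HUGE_AS_TABLE = -1001  /* would walk a huge PMD as a pte table */
};

struct sim {
	_Atomic int dst_pmd;   /* the shared PMD entry both threads touch */
	const int *steps;      /* scripted writes performed by the other thread */
	int nsteps, pos;
};

/* The other thread: on each call, perform the next scripted PMD write. */
static void other_thread(struct sim *s)
{
	if (s->pos < s->nsteps)
		atomic_store(&s->dst_pmd, s->steps[s->pos++]);
}

static int pmdp_get_lockless(struct sim *s) { return atomic_load(&s->dst_pmd); }
static int pmd_none(int v) { return v == PMD_NONE; }
static int pmd_trans_huge(int v) { return v == PMD_HUGE; }

/* __pte_alloc(): install a page table only if the entry is still none. */
static void pte_alloc(struct sim *s)
{
	int expected = PMD_NONE;
	atomic_compare_exchange_strong(&s->dst_pmd, &expected, PMD_TABLE);
}

/*
 * One mfill_atomic() iteration, from the first lockless read up to the point
 * where the entry is used as a page table. fixed == 0 models the pre-patch
 * recheck, fixed == 1 the patched snapshot-based recheck.
 */
static int mfill_iteration(struct sim *s, int fixed)
{
	int val = pmdp_get_lockless(s);
	if (pmd_trans_huge(val))
		return OUT_EFAULT;
	if (pmd_none(val)) {
		other_thread(s);   /* e.g. a page fault installs a huge zeropage */
		pte_alloc(s);      /* no-op: the entry is no longer none */
		other_thread(s);   /* e.g. the huge entry is zapped again */
	}

	if (fixed) {
		/* Patched: one read, both tests on the same value. */
		int dst_pmdval = pmdp_get_lockless(s);
		if (pmd_none(dst_pmdval) || pmd_trans_huge(dst_pmdval))
			return OUT_EFAULT;
		return OUT_TABLE;
	}

	/* Pre-patch: a none entry passes the trans_huge recheck... */
	if (pmd_trans_huge(pmdp_get_lockless(s)))
		return OUT_EFAULT;
	other_thread(s);       /* window between the recheck and the BUG_ON */
	/* ...and is then caught by BUG_ON(pmd_none(*dst_pmd)). */
	if (pmd_none(pmdp_get_lockless(s)))
		return OUT_BUG_ON;
	/* Modelled older-kernel use of the entry as a pte table. */
	if (pmd_trans_huge(pmdp_get_lockless(s)))
		return OUT_HUGE_AS_TABLE;
	return OUT_TABLE;
}

/* Run one scripted interleaving starting from a none PMD. */
int run_race(const int *steps, int nsteps, int fixed)
{
	struct sim s = { .steps = steps, .nsteps = nsteps, .pos = 0 };
	atomic_store(&s.dst_pmd, PMD_NONE);
	return mfill_iteration(&s, fixed);
}

/* Scripted interleavings (constructed inputs). */
static const int race_huge_only[] = { PMD_HUGE };                     /* recheck catches it */
static const int race_huge_then_zap[] = { PMD_HUGE, PMD_NONE };       /* the commit's race */
static const int race_huge_zap_huge[] = { PMD_HUGE, PMD_NONE, PMD_HUGE }; /* older-kernel hazard */

int main(void)
{
	printf("no interference:  before=%d after=%d\n", run_race(NULL, 0, 0), run_race(NULL, 0, 1));
	printf("huge only:        before=%d after=%d\n", run_race(race_huge_only, 1, 0), run_race(race_huge_only, 1, 1));
	printf("huge then zap:    before=%d after=%d\n", run_race(race_huge_then_zap, 2, 0), run_race(race_huge_then_zap, 2, 1));
	printf("huge, zap, huge:  before=%d after=%d\n", run_race(race_huge_zap_huge, 3, 0), run_race(race_huge_zap_huge, 3, 1));
	return 0;
}
```

The "huge then zap" script is the exact sequence from the commit message: the pre-patch code reads a none entry at the recheck, which is not trans_huge, and then trips BUG_ON(pmd_none); the patched code sees the same none snapshot and returns -EFAULT. The third script shows why re-reading *dst_pmd for each test is the underlying problem: every extra read is another chance for the entry to change, and a single snapshot removes all of those windows at once.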