From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1960BC04A68 for ; Wed, 27 Jul 2022 17:29:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7B089940023; Wed, 27 Jul 2022 13:29:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 76034940012; Wed, 27 Jul 2022 13:29:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5DA4F940023; Wed, 27 Jul 2022 13:29:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 4C53A940012 for ; Wed, 27 Jul 2022 13:29:46 -0400 (EDT) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 1A3001C64B1 for ; Wed, 27 Jul 2022 17:29:46 +0000 (UTC) X-FDA: 79733567172.06.BB772AE Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf13.hostedemail.com (Postfix) with ESMTP id 01AF1200D1 for ; Wed, 27 Jul 2022 17:29:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1658942984; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fEIQ19tql/jpfio1zfIhkIdZRcHX2TtLFigEENlwyz4=; b=NqWJ2+Y4yGqntoopDPNcnB96a7tWy5ViajBWDPGfZZ2CNb4pgP+c7ErvcmY87vhEBPL80N GDxhZnLxgaid4O37+4wnMYD6xS05K/XGrN/y79O6Hkd8D6gfocYxYSUaU2QmJ9QJePOqEg j+K28fCYmtK9F/5wBRAsKp7PScTdAmg= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-202-MrXTZLQAOFOO9qafmaH2ug-1; Wed, 27 Jul 2022 13:29:43 -0400 X-MC-Unique: MrXTZLQAOFOO9qafmaH2ug-1 Received: by mail-wm1-f69.google.com with SMTP id 184-20020a1c02c1000000b003a3497306a8so38567wmc.9 for ; Wed, 27 Jul 2022 10:29:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:organization:in-reply-to :content-transfer-encoding; bh=fEIQ19tql/jpfio1zfIhkIdZRcHX2TtLFigEENlwyz4=; b=IfFCB2EiZunvwst5311I7774SWcHn1vnU7DDBc2JffzmMt4Kz5A3eB7gC5uDNSxe8A EbOphLyafxCW46b+owuXukMugSaJeDKi7FQine7meW/kFej7pBGIR9Vk5VEjBes9ppx3 dVH6t+ytV/ia8Y8F1itEZeYS3CkhAmANZNISTMWuoDbHMV+RAm0zchIfUrUO1OGmTksi KKgOYtsfXplvTHzEcuEYTKzuEefS60ZeM8ahA23COXktOOOyIM9rHJiO4BlQ/LqJNDad Tm+Xdn8hEf4E+H24TSw1oijckC5dXNR22c8H+Dt+XnqDiSQaUslbT393qDMZNjiEhwg2 OUpA== X-Gm-Message-State: AJIora9jk8hIGEZBQCxmZHkChpM7PkZvSJMJUWl2/jgVLqiYgxWeRFpB pVgrH4UrfsyoY5+0Mt6AkofqhUWfKfM1RMouKK5fS0W67zd/acH8gbL32yVtOMIPMspYSGekJyD kMZG279iMt4U= X-Received: by 2002:a5d:4b81:0:b0:21e:e3c8:7055 with SMTP id b1-20020a5d4b81000000b0021ee3c87055mr1548066wrt.519.1658942981999; Wed, 27 Jul 2022 10:29:41 -0700 (PDT) X-Google-Smtp-Source: AGRyM1u5hDE/h2o9jh/qDvlEby7XGmrwuGF7oyOoDEodiimeOGJhTSLMZ6f9RZk732dM12pzMnP8MQ== X-Received: by 2002:a5d:4b81:0:b0:21e:e3c8:7055 with SMTP id b1-20020a5d4b81000000b0021ee3c87055mr1548040wrt.519.1658942981643; Wed, 27 Jul 2022 10:29:41 -0700 (PDT) Received: from ?IPV6:2003:cb:c713:7b00:d3e8:c80b:4abc:d55c? (p200300cbc7137b00d3e8c80b4abcd55c.dip0.t-ipconnect.de. [2003:cb:c713:7b00:d3e8:c80b:4abc:d55c]) by smtp.gmail.com with ESMTPSA id h9-20020a5d4fc9000000b0021e6277bc50sm17578329wrw.36.2022.07.27.10.29.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 27 Jul 2022 10:29:41 -0700 (PDT) Message-ID: <6168cf49-bf75-2ebb-ab55-30de473835e3@redhat.com> Date: Wed, 27 Jul 2022 19:29:40 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH V2] mm: fix use-after free of page_ext after race with memory-offline To: Charan Teja Kalla , akpm@linux-foundation.org, hocko@suse.com, quic_pkondeti@quicinc.com, pasha.tatashin@soleen.com, sjpark@amazon.de, sieberf@amazon.com, shakeelb@google.com, dhowells@redhat.com, willy@infradead.org, liuting.0x7c00@bytedance.com, minchan@kernel.org Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org References: <1658931303-17024-1-git-send-email-quic_charante@quicinc.com> From: David Hildenbrand Organization: Red Hat In-Reply-To: <1658931303-17024-1-git-send-email-quic_charante@quicinc.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=NqWJ2+Y4; spf=temperror (imf13.hostedemail.com: error in processing during lookup of david@redhat.com: DNS error) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1658942985; a=rsa-sha256; cv=none; b=IXufPNOn0+6i6q9b8jbcsEXRcpySBYZRLVw9QoK0q+fWnSrwQh/PNiEaslVRIFw4O8SFeo EbpnkHAjCq4CMsvB5pZiJutSXIvWCToHym74FSP3bFkGY4aBr8X4IfGShA56LbtbNc+yiX qEgchhj93Lhv7AE6GX/E+/FYqS7Mfgs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1658942985; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=fEIQ19tql/jpfio1zfIhkIdZRcHX2TtLFigEENlwyz4=; b=TOde0+qgCbc6pWLZt9QzoSng++znyOMt+oTumbmUCt36uc6CtzIlx0Z8hMcskhBa+nJUeb +6gNH7PhN6JiwBBvo0C5i6nb/z9Ok7SLwnRt+3klJwB8sZbuNJJmrqnFy8X7swqYrARPkY zsVKttmFpBJQM9aYJwTQvMQIOH2SBjw= Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=NqWJ2+Y4; spf=temperror (imf13.hostedemail.com: error in processing during lookup of david@redhat.com: DNS error) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com X-Rspam-User: X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 01AF1200D1 X-Stat-Signature: a5kc134g9rofrkg8x75rrqf819174ths X-HE-Tag: 1658942984-317518 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 27.07.22 16:15, Charan Teja Kalla wrote: > The below is one path where race between page_ext and offline of the > respective memory blocks will cause use-after-free on the access of > page_ext structure. > > process1 process2 > --------- --------- > a)doing /proc/page_owner doing memory offline > through offline_pages. > > b)PageBuddy check is failed > thus proceed to get the > page_owner information > through page_ext access. > page_ext = lookup_page_ext(page); > > migrate_pages(); > ................. > Since all pages are successfully > migrated as part of the offline > operation,send MEM_OFFLINE notification > where for page_ext it calls: > offline_page_ext()--> > __free_page_ext()--> > free_page_ext()--> > vfree(ms->page_ext) > mem_section->page_ext = NULL > > c) Check for the PAGE_EXT flags > in the page_ext->flags access > results into the use-after-free(leading > to the translation faults). > > As mentioned above, there is really no synchronization between page_ext > access and its freeing in the memory_offline. > > The memory offline steps(roughly) on a memory block is as below: > 1) Isolate all the pages > 2) while(1) > try free the pages to buddy.(->free_list[MIGRATE_ISOLATE]) > 3) delete the pages from this buddy list. > 4) Then free page_ext.(Note: The struct page is still alive as it is > freed only during hot remove of the memory which frees the memmap, which > steps the user might not perform). > > This design leads to the state where struct page is alive but the struct > page_ext is freed, where the later is ideally part of the former which > just representing the page_flags. > > The above mentioned race is just one example __but the problem persists > in the other paths too involving page_ext->flags access(eg: > page_is_idle())__. Since offline waits till the last reference on the > page goes down i.e. any path that took the refcount on the page can make > the memory offline operation to wait. Eg: In the migrate_pages() > operation, we do take the extra refcount on the pages that are under > migration and then we do copy page_owner by accessing page_ext. For > > Fix those paths where offline races with page_ext access by maintaining > synchronization with rcu lock and is achieved in 3 steps: > 1) Invalidate all the page_ext's of the sections of a memory block by > storing a flag in the LSB of mem_section->page_ext. > > 2) Wait till all the existing readers to finish working with the > ->page_ext's with synchronize_rcu(). Any parallel process that starts > after this call will not get page_ext, through lookup_page_ext(), for > the block parallel offline operation is being performed. > > 3) Now safely free all sections ->page_ext's of the block on which > offline operation is being performed. > > Thanks to David Hildenbrand for his views/suggestions on the initial > discussion[1] and Pavan kondeti for various inputs on this patch. > > FAQ's: > Q) Should page_ext_[get|put]() needs to be used for every page_ext > access? > A) NO, the synchronization is really not needed in all the paths of > accessing page_ext. One case is where extra refcount is taken on a > page for which memory block, this pages falls into, offline operation is > being performed. This extra refcount makes the offline operation not to > succeed hence the freeing of page_ext. Another case is where the page > is already being freed and we do reset its page_owner. > > Some examples where the rcu_lock is not taken while accessing the > page_ext are: > 1) In migration (where we also migrate the page_owner information), we > take the extra refcount on the source and destination pages and then > start the migration. This extra refcount makes the test_pages_isolated() > function to fail thus retry the offline operation. > > 2) In free_pages_prepare(), we do reset the page_owner(through page_ext) > which again doesn't need the protection to access because the page is > already freeing (through only one path). > > So, users need not to use page_ext_[get|put]() when they are sure that > extra refcount is taken on a page preventing the offline operation. > > Q) Why can't the page_ext is freed in the hot_remove path, where memmap > is also freed ? > > A) As per David's answers, there are many reasons and a few are: > 1) Discussions had happened in the past to eventually also use rcu > protection for handling pfn_to_online_page(). So doing it cleanly here > is certainly an improvement. > > 2) It's not good having to scatter section online checks all over the > place in page ext code. Once there is a difference between active vs. > stale page ext data things get a bit messy and error prone. This is > already ugly enough in our generic memmap handling code. > > 3) Having on-demand allocations, such as KASAN or page ext from the > memory online notifier is at least currently cleaner, because we don't > have to handle each and every subsystem that hooks into that during the > core memory hotadd/remove phase, which primarily only setups the > vmemmap, direct map and memory block devices. > > [1] https://lore.kernel.org/linux-mm/59edde13-4167-8550-86f0-11fc67882107@quicinc.com/ > I guess if we care about the synchronize_rcu() we could go crazy with temporary allocations for data-to-free + call_rcu(). -- Thanks, David / dhildenb