Message-ID: <6b646ff2-b6f6-052e-f3f4-3bf05243f049@quicinc.com>
Date: Fri, 29 Jul 2022 21:17:44 +0530
Subject: Re: [PATCH V2] mm: fix use-after free of page_ext after race with memory-offline
From: Charan Teja Kalla
To: Michal Hocko
References: <1658931303-17024-1-git-send-email-quic_charante@quicinc.com>

Thanks Michal for the reviews!!

On 7/28/2022 8:07 PM, Michal Hocko wrote:
>> FAQ's:
>> Q) Should page_ext_[get|put]() need to be used for every page_ext
>> access?
>> A) NO, the synchronization is really not needed in all the paths of
>> accessing page_ext. One case is where an extra refcount is taken on a
>> page for which the memory block this page falls into is having an
>> offline operation performed. This extra refcount makes the offline
>> operation not succeed, hence the freeing of page_ext. Another case is
>> where the page is already being freed and we do reset its page_owner.
> This is just a subtlety and something that can get misunderstood over
> time. Moreover there is no documentation explaining the difference.
> What is the reason to have these two different APIs in the first place?
> RCU read side is almost zero cost. So what is the point?

Currently not all the places where page_ext is being used are put under
the rcu lock. I just used the rcu lock in the places where it is possible
to have a use-after-free of page_ext. Do you recommend using the rcu lock
while using page_ext in all the places?

My only point here is that since a non-atomic context may exist across
page_ext_get/put(), if users are sure that this page's page_ext will not
be freed by a parallel offline operation, they need not get the rcu lock.

I agree that this can be misunderstood over time; let me check if I can
use page_ext_get/put in all the places.
>> @@ -57,6 +60,11 @@ static inline void page_ext_init(void)
>>
>>  struct page_ext *lookup_page_ext(const struct page *page);
>>
>> +static inline bool page_ext_invalid(struct page_ext *page_ext)
>> +{
>> +	return !page_ext || (((unsigned long)page_ext & PAGE_EXT_INVALID) == 1);
>> +}
>> +
> No real reason to expose this into a header file. Nothing but page_ext.c
> should know and care about this.

Agree. Will move it accordingly.

>
>> +static inline struct page_ext *page_ext_get(struct page *page)
>> +{
>> +	struct page_ext *page_ext;
>> +
>> +	rcu_read_lock();
>> +	page_ext = lookup_page_ext(page);
>> +	if (!page_ext) {
>> +		rcu_read_unlock();
>> +		return NULL;
>> +	}
>> +
>> +	return page_ext;
> If you make this an extern you can actually hide lookup_page_ext and
> prevent future bugs where people are using the non-serialized API
> without realizing that.

This design looks good. Let me check the feasibility in its implementation.

>> diff --git a/mm/page_ext.c b/mm/page_ext.c
>> index 3dc715d..404a2eb 100644
>> --- a/mm/page_ext.c
>> +++ b/mm/page_ext.c
>> @@ -211,15 +211,17 @@ struct page_ext *lookup_page_ext(const struct page *page)
>>  {
>>  	unsigned long pfn = page_to_pfn(page);
>>  	struct mem_section *section = __pfn_to_section(pfn);
>> +	struct page_ext *page_ext = READ_ONCE(section->page_ext);
>> +
> WARN_ON_ONCE(!rcu_read_lock_held());

Again, this requires that page_ext usage always be under the rcu lock by
the user.

>
>>  static void *__meminit alloc_page_ext(size_t size, int nid)
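Review bot: in the page_ext_invalid() hunk (@@ -57,6 +60,11 @@), `(((unsigned long)page_ext & PAGE_EXT_INVALID) == 1)` is only correct if PAGE_EXT_INVALID is exactly bit 0; testing the masked value for non-zero, `((unsigned long)page_ext & PAGE_EXT_INVALID) != 0`, keeps the helper correct for any single-bit flag value and reads as the flag test it is. The page_ext_get() hunk also needs a comment stating that it deliberately leaves the RCU read-side critical section open on success and that the caller must pair it with page_ext_put(); without that, the unbalanced rcu_read_lock()/rcu_read_unlock() looks like a lock leak to anyone reading the header.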
>> @@ -298,9 +300,26 @@ static void __free_page_ext(unsigned long pfn)
>>  	ms = __pfn_to_section(pfn);
>>  	if (!ms || !ms->page_ext)
>>  		return;
>> -	base = get_entry(ms->page_ext, pfn);
>> +
>> +	base = READ_ONCE(ms->page_ext);
>> +	if (page_ext_invalid(base))
>> +		base = (void *)base - PAGE_EXT_INVALID;
> All page_ext accesses should use the same fetched pointer including the
> ms->page_ext check. Also page_ext_invalid _must_ be true here otherwise
> something bad is going on so I would go with
> 	if (WARN_ON_ONCE(!page_ext_invalid(base)))
> 		return;
> 	base = (void *)base - PAGE_EXT_INVALID;

The rollback operation in online_page_ext(), where we free the allocated
page_ext's, will not have the PAGE_EXT_INVALID flag, thus WARN() may not
work here, no?

>

Thanks,
Charan
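Review bot: in the __free_page_ext() hunk (@@ -298,9 +300,26 @@), `base = (void *)base - PAGE_EXT_INVALID;` is only correct when the flag is actually set, which is exactly the case the reply says does not hold on the online_page_ext() rollback path; clearing it with a mask, `base = (void *)((unsigned long)base & ~PAGE_EXT_INVALID);`, is idempotent, handles both the tagged and the untagged pointer, and makes the `if (page_ext_invalid(base))` branch unnecessary. The early `if (!ms || !ms->page_ext)` check still reads ms->page_ext a second time without READ_ONCE(); as the review above says, it should test the single fetched `base`.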
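A userspace model of the invalidation scheme the patch and the replies above discuss, added here as an example and not code from the patch or the kernel: `struct section`, `struct ext`, `lookup_ext()`, `mark_invalid()`, `strip_tag_mask()` and `strip_tag_sub()` are hypothetical stand-ins, and using bit 0 as the PAGE_EXT_INVALID tag is an assumption since the thread does not show its value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Low pointer bit used as the "being freed" tag; bit 0 is an assumption,
 * the thread does not show the value of PAGE_EXT_INVALID. */
#define EXT_INVALID 0x1UL
struct ext { unsigned long owner; };       /* stands in for page_ext */
struct section { struct ext *page_ext; };  /* stands in for mem_section */
/* Same test as the hunk's page_ext_invalid(), written as a flag test. */
static bool ext_invalid(const struct ext *p)
{
	return !p || (((uintptr_t)p & EXT_INVALID) != 0);
}
/* Reader side: after the section is tagged, lookups return NULL instead
 * of a pointer whose backing memory is about to be freed. */
static struct ext *lookup_ext(const struct section *s)
{
	struct ext *p = s->page_ext;           /* READ_ONCE() in the kernel */
	return ext_invalid(p) ? NULL : p;
}
/* Offline path: publish the tag before freeing the backing memory. */
static void mark_invalid(struct section *s)
{
	s->page_ext = (struct ext *)((uintptr_t)s->page_ext | EXT_INVALID);
}
/* Free path: masking works with or without the tag; subtracting (as in
 * the hunk) is only correct when the tag is actually set. */
static struct ext *strip_tag_mask(struct ext *p)
{
	return (struct ext *)((uintptr_t)p & ~EXT_INVALID);
}
static struct ext *strip_tag_sub(struct ext *p)
{
	return (struct ext *)((uintptr_t)p - EXT_INVALID);
}
/* 1 if lookups fail once tagged and only masking recovers the allocation
 * in both the tagged and the untagged (rollback) case, else 0. */
static int run_model(void)
{
	struct ext *orig = calloc(1, sizeof *orig); /* aligned: bit 0 clear */
	struct section s = { .page_ext = orig };
	int ok = lookup_ext(&s) == orig;            /* valid before offline */
	mark_invalid(&s);
	ok &= lookup_ext(&s) == NULL;               /* reader sees "gone" */
	ok &= strip_tag_mask(s.page_ext) == orig;   /* tagged: both work */
	ok &= strip_tag_sub(s.page_ext) == orig;
	ok &= strip_tag_mask(orig) == orig;         /* untagged rollback case */
	ok &= strip_tag_sub(orig) != orig;          /* subtraction misfires */
	free(orig);
	return ok;
}
```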