References: <20220120191250.2671557-1-pasha.tatashin@soleen.com> <20220120191250.2671557-3-pasha.tatashin@soleen.com>
In-Reply-To: <20220120191250.2671557-3-pasha.tatashin@soleen.com>
From: Wei Xu
Date: Thu, 20 Jan 2022 11:19:24 -0800
Subject: Re: [PATCH v2 2/3] mm/page_table_check: check entries at pud and pmd levels
To: Pasha Tatashin
Cc: Linux Kernel Mailing List, Linux MM, Andrew Morton, David Rientjes, Paul Turner, Greg Thelen, mingo@redhat.com, will@kernel.org, rppt@kernel.org, Dave Hansen, hpa@zytor.com, aneesh.kumar@linux.ibm.com, jirislaby@kernel.org, songmuchun@bytedance.com, qydwhotmail@gmail.com, Hugh Dickins, Zi Yan, anshuman.khandual@arm.com

On Thu, Jan 20, 2022 at 11:12 AM Pasha Tatashin wrote:
>
> syzbot detected a case where the page table counters were not properly
> updated.
>
> syzkaller login: ------------[ cut here ]------------
> kernel BUG at mm/page_table_check.c:162!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 3099 Comm: pasha Not tainted 5.16.0+ #48
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIO4
> RIP: 0010:__page_table_check_zero+0x159/0x1a0
> Code: 7d 3a b2 ff 45 39 f5 74 2a e8 43 38 b2 ff 4d 85 e4 01
> RSP: 0018:ffff888010667418 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000
> RDX: ffff88800cea8680 RSI: ffffffff81becaf9 RDI: 0000000003
> RBP: ffff888010667450 R08: 0000000000000001 R09: 0000000000
> R10: ffffffff81becaab R11: 0000000000000001 R12: ffff888008
> R13: 0000000000000001 R14: 0000000000000200 R15: dffffc0000
> FS: 0000000000000000(0000) GS:ffff888035e00000(0000) knlG0
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd875cad00 CR3: 00000000094ce000 CR4: 0000000000
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000
> Call Trace:
>
> free_pcp_prepare+0x3be/0xaa0
> free_unref_page+0x1c/0x650
> ? trace_hardirqs_on+0x6a/0x1d0
> free_compound_page+0xec/0x130
> free_transhuge_page+0x1be/0x260
> __put_compound_page+0x90/0xd0
> release_pages+0x54c/0x1060
> ? filemap_remove_folio+0x161/0x210
> ? lock_downgrade+0x720/0x720
> ? __put_page+0x150/0x150
> ? filemap_free_folio+0x164/0x350
> __pagevec_release+0x7c/0x110
> shmem_undo_range+0x85e/0x1250
> ...
>
> The repro involved having a huge page that is split due to an uprobe event
> temporarily replacing one of the pages in the huge page. Later the huge
> page was combined again, but the counters were off, as the PTE level
> was not properly updated.
>
> Make sure that not only huge pages but also small pages are updated when
> a new entry is set or cleared.
>
> Fixes: df4e817b7108 ("mm: page table check")
>
> Signed-off-by: Pasha Tatashin
> ---
> mm/page_table_check.c | 60 ++++++++++++++++++++++++++----------------
> 1 file changed, 36 insertions(+), 24 deletions(-)
> > diff --git a/mm/page_table_check.c b/mm/page_table_check.c > index 7504e7caa2a1..877d967742bc 100644 > --- a/mm/page_table_check.c > +++ b/mm/page_table_check.c > @@ -145,6 +145,30 @@ static void page_table_check_set(struct mm_struct *mm, unsigned long addr, > } > } > > +static void pte_clear_level(struct mm_struct *mm, unsigned long addr, > + pte_t *ptep) > +{ > + unsigned long i; > + > + for (i = 0; i < PTRS_PER_PTE; i++) { > + __page_table_check_pte_clear(mm, addr, *ptep); > + addr += PAGE_SIZE; > + ptep++; > + } > +} > + > +static void pmd_clear_level(struct mm_struct *mm, unsigned long addr, > + pmd_t *pmdp) > +{ > + unsigned long i; > + > + for (i = 0; i < PTRS_PER_PMD; i++) { > + __page_table_check_pmd_clear(mm, addr, *pmdp); > + addr += PMD_PAGE_SIZE; > + pmdp++; > + } > +} > + > /* > * page is on free list, or is being allocated, verify that counters are zeroes > * crash if they are not. > @@ -186,6 +210,11 @@ void __page_table_check_pmd_clear(struct mm_struct *mm, unsigned long addr, > if (pmd_user_accessible_page(pmd)) { > page_table_check_clear(mm, addr, pmd_pfn(pmd), > PMD_PAGE_SIZE >> PAGE_SHIFT); > + } else if (!pmd_bad(pmd) && !pmd_leaf(pmd)) { > + pte_t *ptep = pte_offset_map(&pmd, addr); > + > + pte_clear_level(mm, addr, ptep); > + pte_unmap(ptep); > } > } > EXPORT_SYMBOL(__page_table_check_pmd_clear); > @@ -199,6 +228,10 @@ void __page_table_check_pud_clear(struct mm_struct *mm, unsigned long addr, > if (pud_user_accessible_page(pud)) { > page_table_check_clear(mm, addr, pud_pfn(pud), > PUD_PAGE_SIZE >> PAGE_SHIFT); > + } else if (!pud_bad(pud) && !pud_leaf(pud)) { > + pmd_t *pmdp = pmd_offset(&pud, addr); > + > + pmd_clear_level(mm, addr, pmdp); > } > } > EXPORT_SYMBOL(__page_table_check_pud_clear); 
> @@ -206,17 +239,10 @@ EXPORT_SYMBOL(__page_table_check_pud_clear); > void __page_table_check_pte_set(struct mm_struct *mm, unsigned long addr, > pte_t *ptep, pte_t pte) > { > - pte_t old_pte; > - > if (&init_mm == mm) > return; > > - old_pte = *ptep; > - if (pte_user_accessible_page(old_pte)) { > - page_table_check_clear(mm, addr, pte_pfn(old_pte), > - PAGE_SIZE >> PAGE_SHIFT); > - } > - > + __page_table_check_pte_clear(mm, addr, *ptep); > if (pte_user_accessible_page(pte)) { > page_table_check_set(mm, addr, pte_pfn(pte), > PAGE_SIZE >> PAGE_SHIFT, > @@ -228,17 +254,10 @@ EXPORT_SYMBOL(__page_table_check_pte_set); > void __page_table_check_pmd_set(struct mm_struct *mm, unsigned long addr, > pmd_t *pmdp, pmd_t pmd) > { > - pmd_t old_pmd; > - > if (&init_mm == mm) > return; > > - old_pmd = *pmdp; > - if (pmd_user_accessible_page(old_pmd)) { > - page_table_check_clear(mm, addr, pmd_pfn(old_pmd), > - PMD_PAGE_SIZE >> PAGE_SHIFT); > - } > - > + __page_table_check_pmd_clear(mm, addr, *pmdp); > if (pmd_user_accessible_page(pmd)) { > page_table_check_set(mm, addr, pmd_pfn(pmd), > PMD_PAGE_SIZE >> PAGE_SHIFT, > @@ -250,17 +269,10 @@ EXPORT_SYMBOL(__page_table_check_pmd_set); > void __page_table_check_pud_set(struct mm_struct *mm, unsigned long addr, > pud_t *pudp, pud_t pud) > { > - pud_t old_pud; > - > if (&init_mm == mm) > return; > > - old_pud = *pudp; > - if (pud_user_accessible_page(old_pud)) { > - page_table_check_clear(mm, addr, pud_pfn(old_pud), > - PUD_PAGE_SIZE >> PAGE_SHIFT); > - } > - > + __page_table_check_pud_clear(mm, addr, *pudp); > if (pud_user_accessible_page(pud)) { > page_table_check_set(mm, addr, pud_pfn(pud), > PUD_PAGE_SIZE >> PAGE_SHIFT, > -- > 2.34.1.703.g22d0c6ccf7-goog > Reviewed-by: Wei Xu
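Review bot: in the first hunk (@@ -145,6 +145,30 @@), pte_clear_level() and pmd_clear_level() walk PTRS_PER_PTE and PTRS_PER_PMD entries starting from the pointer they are handed, but the callers obtain that pointer with `pte_offset_map(&pmd, addr)` and `pmd_offset(&pud, addr)`, which return the entry for addr rather than the first entry of the table. Unless addr is already PMD- or PUD-aligned the loop runs past the end of the table page, and the addr forwarded to each __page_table_check_*_clear() call carries the same offset. Suggest masking before the lookup, e.g. `addr &= PMD_MASK;` ahead of `pte_offset_map(&pmd, addr)` and `addr &= PUD_MASK;` ahead of `pmd_offset(&pud, addr)`, or documenting the alignment requirement in a comment above the two helpers.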
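Review bot: the new `else if (!pmd_bad(pmd) && !pmd_leaf(pmd))` branch in __page_table_check_pmd_clear() (hunk @@ -186,6 +210,11 @@) and the matching `!pud_bad(pud) && !pud_leaf(pud)` branch in __page_table_check_pud_clear() (hunk @@ -199,6 +228,10 @@) have no explicit pmd_none()/pud_none() test; a one-line comment stating that *_bad() rejects a none entry on the architectures that can enable this option would save the next reader from having to verify it. Note also that the pud branch calls pmd_clear_level(), whose __page_table_check_pmd_clear() calls now descend a further level, so one pud clear walks up to PTRS_PER_PMD * PTRS_PER_PTE entries with no cond_resched(); the commit message should say whether that cost is acceptable on the pud clear paths.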
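Review bot: in the three *_set() hunks (@@ -206, @@ -228, @@ -250), replacing the open-coded old-entry handling with `__page_table_check_pte_clear(mm, addr, *ptep)` and its pmd/pud counterparts changes behaviour rather than only removing duplication: with the new non-leaf branch in __page_table_check_pmd_clear(), setting a pmd over an existing page-table entry now decrements the counters for every PTE that table still holds. That is the intended fix for the collapse case in the description, but the commit message should say so explicitly, and it is worth confirming that no caller of the set helpers also clears those PTEs individually afterwards, which would decrement twice and throw the counters off in the other direction.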