References: <20231220052839.26970-1-jiajun.xie.sh@gmail.com> <20231220095343.326584f605e8ce995ac151d0@linux-foundation.org>
In-Reply-To: <20231220095343.326584f605e8ce995ac151d0@linux-foundation.org>
From: Jiajun Xie
Date: Thu, 21 Dec 2023 13:40:11 +0800
Subject: Re: [PATCH v1] mm: fix unmap_mapping_range high bits shift bug
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Thu, Dec 21, 2023 at 1:53 AM Andrew Morton wrote:
>
> On Wed, 20 Dec 2023 13:28:39 +0800 "jiajun.xie" wrote:
>
> > From: Jiajun Xie
> >
> > The bug happens when the highest bit of holebegin is 1. Suppose
> > holebegin is 0x8000000111111000; after the shift, hba would be
> > 0xfff8000000111111, and vma_interval_tree_foreach would then fail
> > to look it up or produce the wrong result.
> >
> > Erroneous call sequence, e.g.:
> > - mmap(..., offset=0x8000000111111000)
> >   |- syscall(mmap, ... unsigned long, off):
> >     |- ksys_mmap_pgoff( ... , off >> PAGE_SHIFT);
> >
> > Here pgoff is correctly shifted to 0x8000000111111,
> > but passing 0x8000000111111000 as holebegin to unmap
> > would then cause a terrible result, as shown below:
> >
> > - unmap_mapping_range(..., loff_t const holebegin)
> >   |- pgoff_t hba = holebegin >> PAGE_SHIFT;
> >      /* hba = 0xfff8000000111111 unexpectedly */
> >
> > Turning holebegin unsigned first would fix the bug.
> >
>
> Thanks. Are you able to describe the runtime effects of this
> (obviously bad, but it's good to spell it out) and under what
> circumstances it occurs?

Thanks for the quick reply.

The issue happens in heterogeneous computing, where the device (e.g. GPU)
and the host share the same virtual address space. A simple workflow
pattern which hits the issue is:

/* host */
1. Userspace first mmaps a file-backed VA range with a specified offset,
   e.g. (offset=0x800..., mmap return: va_a).
2. Write some data to the corresponding sys page, e.g. (va_a = 0xAABB).

/* device */
3. The GPU workload touches the VA, triggers a GPU fault and notifies the host.

/* host */
4. On receiving the GPU fault notification, the host will:
   4.1 unmap the host pages and also take care of the CPU TLB
       (using unmap_mapping_range with offset=0x800...)
   4.2 migrate the sys page to the device
   4.3 set up the device page table and resolve the device fault.

/* device */
5. The GPU workload continues; it accesses va_a and gets 0xAABB.
6. The GPU workload continues; it writes 0xBBCC to va_a.

/* host */
7. Userspace accesses va_a; as expected, it will:
   7.1 trigger a CPU VM fault
   7.2 the driver handles the fault by migrating the GPU-local page to the host.
8. Userspace can then correctly get 0xBBCC from va_a.
9. Done.

But in step 4.1, if we hit the bug this patch mentions, then user space
would never trigger the CPU fault, and would still get the old value: 0xAABB.
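The shift mismatch the thread describes, reproduced in userspace as an added example (this is not the patch and not kernel code). It assumes PAGE_SHIFT is 12, that loff_t is a signed 64-bit integer and pgoff_t an unsigned 64-bit one as on an LP64 kernel, and that the compiler implements `>>` on a negative signed value as an arithmetic shift (gcc and clang do, which is exactly what goes wrong in the kernel path). `hba_fixed` shows one way of "turning holebegin unsigned first"; the exact hunk of the patch is not on this page. The hypothetical `hole_hits_vma` stands in for the range test that `vma_interval_tree_foreach` performs, so the example shows the lookup missing the VMA with the buggy index and finding it with the corrected one.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: 4 KiB pages and LP64 types (added example, not kernel code). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

typedef int64_t  loff_t;   /* signed, as in the kernel */
typedef uint64_t pgoff_t;  /* unsigned page index */

/* mmap() side: the syscall receives the file offset as an unsigned long,
 * so ">>" is a logical shift and the stored vm_pgoff is always right. */
pgoff_t mmap_pgoff(unsigned long off)
{
    return off >> PAGE_SHIFT;
}

/* unmap_mapping_range() side as described in the thread: holebegin is a
 * signed loff_t, so once bit 63 is set the arithmetic shift replicates the
 * sign bit into the top PAGE_SHIFT bits (0x8000000111111000 -> 0xfff8000000111111). */
pgoff_t hba_buggy(loff_t holebegin)
{
    pgoff_t hba = holebegin >> PAGE_SHIFT;
    return hba;
}

/* The fix the patch describes: make the value unsigned before shifting,
 * so the shift is logical and agrees with the mmap() side. */
pgoff_t hba_fixed(loff_t holebegin)
{
    pgoff_t hba = (pgoff_t)holebegin >> PAGE_SHIFT;
    return hba;
}

/* Hypothetical stand-in for the interval-tree range test: does the hole
 * [hba, hba + hlen) overlap the mapping [vm_pgoff, vm_pgoff + npages)? */
int hole_hits_vma(pgoff_t hba, pgoff_t hlen, pgoff_t vm_pgoff, pgoff_t npages)
{
    pgoff_t hend = hba + hlen - 1;
    pgoff_t vend = vm_pgoff + npages - 1;
    return hba <= vend && hend >= vm_pgoff;
}

/* 1 when the unmap path computes the same page index the mmap path stored,
 * 0 when the two disagree and the unmap would miss the mapping. */
int hole_matches_mapping(pgoff_t (*hba_fn)(loff_t), unsigned long off)
{
    /* The unsigned->signed conversion wraps on gcc/clang, which is how the
     * offset reaches unmap_mapping_range() as a negative loff_t. */
    return hba_fn((loff_t)off) == mmap_pgoff(off);
}

int main(void)
{
    /* Offset from the thread: page-aligned with bit 63 set. */
    unsigned long off = 0x8000000111111000UL;
    pgoff_t pgoff = mmap_pgoff(off);

    printf("mmap pgoff   : 0x%016llx\n", (unsigned long long)pgoff);
    printf("hba (buggy)  : 0x%016llx  hits vma: %d\n",
           (unsigned long long)hba_buggy((loff_t)off),
           hole_hits_vma(hba_buggy((loff_t)off), 1, pgoff, 1));
    printf("hba (fixed)  : 0x%016llx  hits vma: %d\n",
           (unsigned long long)hba_fixed((loff_t)off),
           hole_hits_vma(hba_fixed((loff_t)off), 1, pgoff, 1));

    /* Any offset below 2^63 is unaffected, which is why the bug only shows
     * up with the large offsets used in the shared-address-space setup. */
    unsigned long small = 0x0000000111111000UL;
    printf("small offset buggy/fixed agree: %d/%d\n",
           hole_matches_mapping(hba_buggy, small),
           hole_matches_mapping(hba_fixed, small));
    return 0;
}
```

Build with `gcc -O2 -Wall shift.c && ./a.out` (assumed file name). The buggy index lands far above the VMA's vm_pgoff, so the range test returns 0 and the page is never unmapped, which matches the stale 0xAABB read the reply describes; the corrected index equals vm_pgoff and the range test returns 1.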