From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7192FC0015E for ; Wed, 26 Jul 2023 21:51:38 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D64DB8D0001; Wed, 26 Jul 2023 17:51:37 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D14E26B0072; Wed, 26 Jul 2023 17:51:37 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BB5048D0001; Wed, 26 Jul 2023 17:51:37 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id AB13F6B0071 for ; Wed, 26 Jul 2023 17:51:37 -0400 (EDT) Received: from smtpin08.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id 7D43A1602FF for ; Wed, 26 Jul 2023 21:51:37 +0000 (UTC) X-FDA: 81055110234.08.28C6A9D Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by imf18.hostedemail.com (Postfix) with ESMTP id AFD2E1C000A for ; Wed, 26 Jul 2023 21:51:35 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b="UO/isL6/"; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of jannh@google.com designates 209.85.128.48 as permitted sender) smtp.mailfrom=jannh@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1690408295; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=S/DQhcgtu922pQLC21kJm/tt2ZF3dA+O3ehlQ8Mq7SY=; b=jZ94Al+n49wuC19LZ5R0JMj4QxAa1KHhsb46RMjPEVWSZvZyzihM1uO2tn9vuc0U2cp6Mt KGpW1CTZr3f/AUR7e5Z3qr9tYq/v8qr4EkN1q+tw6+kFd06M18K9851cTwjAOozIOX8ojZ uLR8i9RFyCQb7ffwzMueZC01MB0Al6s= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b="UO/isL6/"; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of jannh@google.com designates 209.85.128.48 as permitted sender) smtp.mailfrom=jannh@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1690408295; a=rsa-sha256; cv=none; b=qEwA3ELOaM7FZ7L8DNf8+QhMeoBBxb3PxciUe7VDhNNqVOrcleehNTbfHNa0QHwBp2Ayzy KZ7+H8hsmiTb6/Ypq+Wxd+hEuyVL60BRXOQT417x/QKVD2YrGZuVYV/GaUno3tC9TlbD9z 65YxG/h8jtb/i8InnUkgwMDHuCY3Ows= Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-3fd28ae8b90so12445e9.1 for ; Wed, 26 Jul 2023 14:51:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1690408294; x=1691013094; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=S/DQhcgtu922pQLC21kJm/tt2ZF3dA+O3ehlQ8Mq7SY=; b=UO/isL6/HLbaEZSQKrxXYX3XYOeGvlWQSZRGM3TsqdGsXuu38hVMfIWnV58sC4vL9l bSPOdFLS+GJxda8nhUvXuZOZK1OVfAKExTxLRvpdEDMQzrrjFztUDvZN6y8BpxSBOHaE mtwgJ0yYgU7IbeItctRrswgngNFYMzwWDplyPiy/czQghhCQ+135HhT69pERN5cGS29+ jO2KRsRp2tr4pdXxVtUu5nvGvfH1YGjX4TMZnM80j5xPjsimep47Qg4i2FbynXK2y8xz q5Qg89oI9YYHDf7YxXxsBjDso+GPPXV4kH1wgPgmwL8EygI8nmSw1JTGRSo33F8WoTFA xIzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690408294; x=1691013094; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=S/DQhcgtu922pQLC21kJm/tt2ZF3dA+O3ehlQ8Mq7SY=; b=M85wH4c9XKjZdtNmMTaof8T6CY5YA8TyXPbtl7KrqWVc/qujeQnqHSwmDsYy8GbcGy AET71QdNO9iRtaqZ5ZvJwT7OPYV4Q0q36mTJvPyw4U+yu1wKQg+q8u/fCoSc6w3pZjLG 7hqkuX6Kj++TyWmg2pNjfAADHP6yY5I4XUzpuVvhkmTziL8Z7c7yqCGPPCnkPv3Ilv7x OaMC07Q+fjCjPu4T4bOyAizaw5Zevx0R9ow818hLSoHdkxzuCopC92NUhFJNUOP3D1M1 5Bm4sXGMCZ3GGflEwfpnGEwcVy38PYV7p3wTUAcKRj+rb1FEkbC9fB2dheNTL9XJ4dF4 sGAg== X-Gm-Message-State: ABy/qLZcddxPT/iSa0EgtqCjs9vCGFtuAhME2zZdofxLjb1VRnya7T4l yBzeoGxkj6HUyjdYAmg2OAIUP5JNvyEKVyCjTUajlw== X-Google-Smtp-Source: APBJJlH3fbElG+U0R3Oqh4ZxT607Nuqbr2/hIgOf2+o6YECzw2j9CVI9NeOQ5Vg8Wd7Q3XNIA5nj6/n1WJ3Jh1UaBJg= X-Received: by 2002:a05:600c:690d:b0:3f1:70d1:21a6 with SMTP id fo13-20020a05600c690d00b003f170d121a6mr30058wmb.0.1690408294088; Wed, 26 Jul 2023 14:51:34 -0700 (PDT) MIME-Version: 1.0 References: <20230726214103.3261108-1-jannh@google.com> <20230726214103.3261108-4-jannh@google.com> In-Reply-To: <20230726214103.3261108-4-jannh@google.com> From: Jann Horn Date: Wed, 26 Jul 2023 23:50:57 +0200 Message-ID: Subject: Re: [PATCH 2/2] mm: Fix anon_vma memory ordering To: Andrew Morton Cc: Linus Torvalds , Peter Zijlstra , Suren Baghdasaryan , Matthew Wilcox , linux-kernel@vger.kernel.org, linux-mm@kvack.org, Alan Stern , Andrea Parri , Will Deacon , Boqun Feng , Nicholas Piggin , David Howells , Jade Alglave , Luc Maranget , "Paul E. McKenney" , Akira Yokosawa , Daniel Lustig , Joel Fernandes Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: AFD2E1C000A X-Stat-Signature: j68193xxp5sn1pgocarpgoqtuf6o8oif X-Rspam-User: X-HE-Tag: 1690408295-342407 X-HE-Meta: U2FsdGVkX1+rqobudQlwCvwk6WJMMTsjHzMHigu3+10QIEWYRid0NciJ7bkU9ru7v8WJDVo3zeEqc5MT2vW2GsvM4fMqAHq1H9nS66vWT4BK7tkjsGvAImmh4pLvtmfyEYo7KXGPncZlpNwujai1WbOZobvhInu8TPBpi24zE26xhaWc1X9YddZOu7wEDeoEbBFGYJuKvlpUnt+SKR3nv7V+0hAuvsWuJbe07yv3u8Rik/Xrrqy5eN06hVWkPRxTn+cYviUSyk3i8plxkQyM4hEUhI5q81+owNhltFpbRJBt/mLeuWwILDs8DK8ThGkUwMY/IxRy/mcJIhJ1iQXTMimoiK4pcqgb6sZdvBM3Zz60EdRB4WX1T0U7wpYvQvp5F3Tpuyh5L0wCoiRsuVqqrVhqLchTm/qzjRMgjY937A/IQG++F4AUFsqLqcvDobI2oQmpF2Wh0dRUgYx8/3kBgPCSnrHmm81KU6IQbVJQN14Rq6yoACqEg0BmGDPPHVV5pNuc6YNldDy8Dj7iFI04IT0lDGDOvnqz0zunnNTQDH1m02ZVJto4Setm6DXtVNoV/ERcE1zueoxkg+QGWae787Rwt5T+bi5wsCSVlJOeYdu6D/zgX7E05wJegBRfvisxAjDG0hGIemUgORw+kstYNM2Kbq6E+NhbYwqCuDpZ+joSwkBTRdpzIjyVi7W13WF1nqCvz8WP4K3l5tj2ROurqr22m4w515STUmJQI9MwB4N8gSGlR/ZqPv+B63rFwgGJJW2xfTHSj6y8kArLwel3ekZVUCd/q0K/HXMtQZhuRhwAz2hsGvFVlSVbaf0fssO+UjhfzSquuYiqBDZedv25PTd7fOaaWyL03TxWuYkgjAKMr9Pkk66Pp0fY8zjKEwPtOCyPBqFjs85GnGitJiUB9IzI0Hv+P1mPhsk4A8qqwn63tuDG79GNm5oINfQcG9JOzkmKHvSL8dAd2iH+Ppl rNj4HEPI cadvVBTxQ6tyQDpuBlrqbEKDPhS5ZetQX4k84hZoYJw/0leVEdYGUV6ipxlglrIfD5Bpav79M99m6kWyHA8+ztApmGaLQKF/+CqdDCMZdHi/dDHXuSHWZ1JjiNVdzPekl2I5uGvLyCiCSPv2Jb6EStH5lwOjU2J392CRSt05hFLKLU70MiOcY0RstcP3NrBf9E8MLGBIvvmTToVFeQUejS4ftXinGmmOhzwn/uS0srpSRBLrulq0WEr6Y3yLW/eRAzp0357e5xr6eCCgbR4NIFDbBX8TxEuSCfPi9UN3xa/YOb0KpgZq7Ecza0g3aiEYYvC+DogfoPSAMqfwtJao0o8o0Ep/PTKP6Jf5DpEkC3p0CLGA= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Jul 26, 2023 at 11:42=E2=80=AFPM Jann Horn wrote= : > A read of vma->anon_vma under mmap_lock in read mode (in particular in > anon_vma_prepare()) can race with a concurrent update under mmap_lock > in read mode plus pagetable lock (in __prepare_anon_vma()). > However, the only allowed concurrent update is one that changes > vma->anon_vma from NULL to a non-NULL pointer; once vma->anon_vma has > been set to a non-NULL value, it will keep that value as long as the > mmap lock is held in read mode. [...] > @@ -1072,7 +1071,15 @@ static int anon_vma_compatible(struct vm_area_stru= ct *a, struct vm_area_struct * > static struct anon_vma *reusable_anon_vma(struct vm_area_struct *old, st= ruct vm_area_struct *a, struct vm_area_struct *b) > { > if (anon_vma_compatible(a, b)) { > - struct anon_vma *anon_vma =3D READ_ONCE(old->anon_vma); > + /* > + * Pairs with smp_store_release() in __anon_vma_prepare()= . > + * > + * We could get away with a READ_ONCE() here, but > + * smp_load_acquire() ensures that the following > + * list_is_singular() check on old->anon_vma_chain doesn'= t race > + * with __anon_vma_prepare(). Of course I only realize directly after sending this patch that this comment only holds... > + */ > + struct anon_vma *anon_vma =3D smp_load_acquire(&old->anon= _vma); > > if (anon_vma && list_is_singular(&old->anon_vma_chain)) > return anon_vma; > diff --git a/mm/rmap.c b/mm/rmap.c > index 0c0d8857dfce..83bc4267269f 100644 > --- a/mm/rmap.c > +++ b/mm/rmap.c > @@ -210,8 +210,9 @@ int __anon_vma_prepare(struct vm_area_struct *vma) > anon_vma_lock_write(anon_vma); > /* page_table_lock to protect against threads */ > spin_lock(&mm->page_table_lock); > + /* no need for smp_load_acquire() here, the lock prevents concurr= ency */ > if (likely(!vma->anon_vma)) { > - vma->anon_vma =3D anon_vma; > + smp_store_release(&vma->anon_vma, anon_vma); > anon_vma_chain_link(vma, avc, anon_vma); ... if we move the smp_store_release() down by one line here. > anon_vma->num_active_vmas++; > allocated =3D NULL;