From: Jann Horn
Date: Fri, 13 Jan 2023 20:36:37 +0100
Subject: Re: [PATCH] mm/khugepaged: Fix ->anon_vma race
To: Yang Shi
Cc: Andrew Morton, linux-mm@kvack.org, "Kirill A. Shutemov", "Zach O'Keefe", linux-kernel@vger.kernel.org, David Hildenbrand
References: <20230111133351.807024-1-jannh@google.com>
On Thu, Jan 12, 2023 at 2:06 AM Yang Shi wrote:
>
> On Wed, Jan 11, 2023 at 5:33 AM Jann Horn wrote:
> >
> > If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
> > it to be locked. retract_page_tables() bails out if an ->anon_vma is
> > attached, but does this check before holding the mmap lock (as the comment
> > above the check explains).
> >
> > If we racily merge an existing ->anon_vma (shared with a child process)
> > from a neighboring VMA, subsequent rmap traversals on pages belonging to
> > the child will be able to see the page tables that we are concurrently
> > removing while assuming that nothing else can access them.
> >
> > Repeat the ->anon_vma check once we hold the mmap lock to ensure that there
> > really is no concurrent page table access.
> >
> > Reported-by: Zach O'Keefe
> > Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Jann Horn
> > ---
> > zokeefe@ pointed out to me that the current code (after my last round of patches)
> > can hit a lockdep assert by racing, and after staring at it a bit I've
>
> I suppose the lockdep is the one in collapse_and_free_pmd(). It is
> better to have the splat included in the commit log.

I pasted the splat in https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_POneSDF+A@mail.gmail.com/ - which part do you think should go into the commit log? Just the "WARNING: CPU: 14 PID: 116 at mm/khugepaged.c:1406 collapse_and_free_pmd+0x364/0x420"? Or the whole ASAN splat below the lockdep complaint with all three backtraces?

> > convinced myself that this is a real, preexisting bug.
> > (I haven't written a reproducer for it though. One way to hit it might be
> > something along the lines of:
> >
> > - set up a process A with a private-file-mapping VMA V1
> > - let A fork() to create process B, thereby copying V1 in A to V1' in B
> > - let B extend the end of V1'
> > - let B put some anon pages into the extended part of V1'
>
> I don't quite get why we need this step. A cow fault on A's V1 isn't
> enough to have anon_vma for V1? This should not prevent V1 and V2 from
> sharing anon_vma. Did I miss something?

You're right, these steps don't work.
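The check-before-lock pattern the patch description above fixes, modelled in user space as an added example (not kernel code and not the patch itself): the unlocked ->anon_vma check stays as the cheap early bail-out, and the fixed path repeats it once the lock is held. `struct mm`, `race_hook` and `run_scenario` are constructed stand-ins for the kernel structures and for a concurrent anon_vma merge by another task.

```c
#include <stdbool.h>
#include <stddef.h>

struct anon_vma { int id; };
struct vma {
    struct anon_vma *anon_vma;  /* NULL when no anon_vma is attached */
    bool pmd_present;           /* page table still installed */
};
struct mm {
    bool mmap_locked;           /* stand-in for the mmap lock */
    struct vma vma;
    void (*race_hook)(struct mm *); /* constructed: simulates another task
                                       running between the check and the lock */
};

enum result { RETRACT_SKIPPED, RETRACT_OK, RETRACT_UNSAFE };

/* Models retract_page_tables(): unlocked early check, then work under the lock.
 * recheck=true is the fixed behaviour (repeat the ->anon_vma test under the lock). */
enum result retract_page_tables(struct mm *mm, bool recheck)
{
    if (mm->vma.anon_vma)           /* cheap bail-out, taken without the lock */
        return RETRACT_SKIPPED;
    if (mm->race_hook)
        mm->race_hook(mm);          /* window in which an anon_vma can be merged in */
    mm->mmap_locked = true;
    if (recheck && mm->vma.anon_vma) {
        mm->mmap_locked = false;
        return RETRACT_SKIPPED;     /* the fix: bail out again under the lock */
    }
    /* collapse_and_free_pmd() needs the anon_vma locked if one is attached;
     * freeing the page table with an unlocked anon_vma is the reported bug. */
    enum result r = mm->vma.anon_vma ? RETRACT_UNSAFE : RETRACT_OK;
    mm->vma.pmd_present = false;
    mm->mmap_locked = false;
    return r;
}

static struct anon_vma shared_av = { .id = 1 };   /* constructed: shared with a child */
/* Another task merging a neighbouring VMA's anon_vma into ours. */
static void racing_merge(struct mm *mm) { mm->vma.anon_vma = &shared_av; }

/* racy=true injects the merge into the window; recheck selects old vs fixed code. */
enum result run_scenario(bool racy, bool recheck)
{
    struct mm mm = { .mmap_locked = false,
                     .vma = { .anon_vma = NULL, .pmd_present = true },
                     .race_hook = racy ? racing_merge : NULL };
    return retract_page_tables(&mm, recheck);
}
```

Without the race the old and fixed paths behave the same; with the merge injected into the window, only the re-check under the lock prevents the page table from being freed while an unlocked anon_vma is attached.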