From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4583AC38A2D for ; Mon, 24 Oct 2022 21:55:49 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D5F0E940009; Mon, 24 Oct 2022 17:55:48 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D0F73940007; Mon, 24 Oct 2022 17:55:48 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B8956940009; Mon, 24 Oct 2022 17:55:48 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id AB3B6940007 for ; Mon, 24 Oct 2022 17:55:48 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 86758AB2C7 for ; Mon, 24 Oct 2022 21:55:48 +0000 (UTC) X-FDA: 80057200776.07.D15F623 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) by imf21.hostedemail.com (Postfix) with ESMTP id 1247F1C002D for ; Mon, 24 Oct 2022 21:55:47 +0000 (UTC) Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 29OKpD07010282; Mon, 24 Oct 2022 21:55:35 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : content-type : in-reply-to : mime-version; s=corp-2022-7-12; bh=I75nGouLWpzndbtSO+oe5SHKpbpDtNTHazhDdIbKQvc=; b=T67ke40hMwxXjUSOnVS5NTHnj1HBHTIFNSVOeCyzYApBFHWMFdFugDi4h5lPOT69Y8dU 5qi5BrZOwHoJylEPgB0vJjDQ+O6+HElbhyqoxPWTNXbQkLObMmLIWn1iMb829navGUUj d0Dt/WqICkHugAu14cn8OJZRfYylUfiRPLDoJWt2ywzpOqrRHnlFBTvMJLDz3UgxXZ9m 2vrYFrBkEbM4ZeM0U9K1+KGrv6SAUIBe6jprp2DZy5CiLnXDvNJxziV6590iFoRtE4Fn ZJHmpLzORKTLmggmx7WkW2e9P298U5kvtD2edAHRqYPmcDsFwNEm2W0n+9Jc2kXynR8r Ww== Received: from phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta02.appoci.oracle.com [147.154.114.232]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3kc7a2wt1t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2022 21:55:35 +0000 Received: from pps.filterd (phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 29OLbH4q012770; Mon, 24 Oct 2022 21:55:33 GMT Received: from nam02-dm3-obe.outbound.protection.outlook.com (mail-dm3nam02lp2043.outbound.protection.outlook.com [104.47.56.43]) by phxpaimrmta02.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3kc6y416ww-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 24 Oct 2022 21:55:32 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B/o01NUoI9wbzpWRCHIenZE/9a78xCNIJ+0hkSXJOZzLsg3lb7/Q8aEfojPE/kOM1B+DBROoT/PIcx5n77IIz9xDEfrPqKFd999pbz6+KPrjAliqWQ0KAF13YDrRIoRVyZvTyinHOBIGZPOWF/8CoRB6iPoB2ZSpTyTXhQ42TP9J3f5bnWgd+KS0ErllT3AQ3I0AZPCMgWVVi02bFzsqc2asGuOdfZ/GJ0TN3qXHkxcIpfTdAbkC2sLnAcO9vccWfxE0rR/7/JuB9ZmfbIIWLAKpM+m9tO9xoKSLDrr3dQwWwRNJ0AQGiC3f7Pj5nhuYu/Ns86CJuGLzoLSuXwW4ZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=I75nGouLWpzndbtSO+oe5SHKpbpDtNTHazhDdIbKQvc=; b=iiNLgDqzO9dYevScjTcQLrwKdNSnzsgRWGLbYj2NS2EWrfo3hMQq/nQhNjF13tXKHU0aoD3XCkebuwvqQV+TquZZ8NDxMvFy7QE+G5OSJOu2cheUOBZGpACjnfgSYemr27lJhw48/HpVX4S2cav/qsW2y6df+dCEbk48eFMEuo4iP6i6zUnCrJ4JHE9wwtRC7AjVvHp0jT4Q8YfmwSw0KY8yksSTcNdmvltokMqh0qUWNPfnbzmY1fIpdvI2XX1NRJZpHg3FuPkNTDZfkn3Y+wDhHrERhY/G4hliRrhYtlZltpkOh7Oxc28NVeUTZb19Mk+mJTMwLbAbPA3T1VKi1A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=I75nGouLWpzndbtSO+oe5SHKpbpDtNTHazhDdIbKQvc=; b=laX7nkQQdvicXKanFtYXJdv0Xy6C5s1OgC2fEI6+WnQhI3R2/4E3Bys2bi+kh6UHrRJi3SxqkcsajlhEH2Iik3e+nADQzAMv48zzwO6rD8Wuh9PAzI5egsMb7c/eGBVEx8wwpXLAlLzmC6h8ZhVsEcmTBUi7xzck7KyNruiA9/k= Received: from BY5PR10MB4196.namprd10.prod.outlook.com (2603:10b6:a03:20d::23) by PH7PR10MB6652.namprd10.prod.outlook.com (2603:10b6:510:20b::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5746.21; Mon, 24 Oct 2022 21:55:30 +0000 Received: from BY5PR10MB4196.namprd10.prod.outlook.com ([fe80::58e9:95ba:d31e:ddd3]) by BY5PR10MB4196.namprd10.prod.outlook.com ([fe80::58e9:95ba:d31e:ddd3%5]) with mapi id 15.20.5746.026; Mon, 24 Oct 2022 21:55:30 +0000 Date: Mon, 24 Oct 2022 14:55:27 -0700 From: Mike Kravetz To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: Naoya Horiguchi , David Hildenbrand , Axel Rasmussen , Mina Almasry , Peter Xu , Rik van Riel , Vlastimil Babka , Matthew Wilcox , Andrew Morton , Wei Chen , stable@vger.kernel.org Subject: Re: [PATCH v2] hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing Message-ID: References: <20221023025047.470646-1-mike.kravetz@oracle.com> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221023025047.470646-1-mike.kravetz@oracle.com> X-ClientProxiedBy: MW4PR03CA0037.namprd03.prod.outlook.com (2603:10b6:303:8e::12) To BY5PR10MB4196.namprd10.prod.outlook.com (2603:10b6:a03:20d::23) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BY5PR10MB4196:EE_|PH7PR10MB6652:EE_ X-MS-Office365-Filtering-Correlation-Id: 292a4c87-daf2-4cc0-00ea-08dab60a77ef X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: z9nqmV2woe0xCyQE61szEA+GlHIRT3aU2AoQ25HanbjKF2WrmUvDSXuHxhtJmLK9CpBEwC3jjBXiQLZ4g4TA9i+t8q2wYef7eSvVGjbRoZyIN6OGGJBDlEhGwrV/MPiVvUSuY9dxyB2PJqlZ3UCPfpd4VHrkNIHrJkgr2X7iwMwH3SGVx5avvjJ+JZiA6UHsW8EuEACU6KDO4nFRtLP4o6IPuGvAS/PjgQX+AtqWelt81XKftRqX/u92serOy1or4oWB6mA1LLTb0sbcm7yADZNgz85HUMv5Lnu4q2EAiFGd8vNigevkX0IsuI9zcY2Rvqa/e0FDv263rDkDvGNBnLrGmHxm6d5w7fZt2CXEP5wadZ+eaWdP9cizAZWE+QLpePjAUQ8DznmDxZ3E2xxq7ymtVy8Rwe6aeIpi4v0Gctt2DvDxUERKdn2czOK1T2xYJLlM+rdkNu9SeJI35udq7W3La8nBv4KRRlhJBZ3zevD3iNCMUIl00IxKL/VHBYUO5kNmQ3rnMA+31r5URkg1VmWkUXCu7xoCbtzDNYZGcrkZpVLiy+6ima03JINCHXwFWRIAhUWSmCa/ylW2m4p7KtNR+n1rJau6k626NatZfDH2Yf7+7MKfbgVookVXlDrMMrrVSpdbSIM7AMs6NyuGUzTxO4+xKrpAKQxeMf/Hk50QtbmW9hVX6V18wjm9mAjJcLJLK/DVLu3Z2WWAJWnrpGXj0aSCyw9uJI+SmWUs3JQ= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR10MB4196.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230022)(7916004)(366004)(39860400002)(136003)(376002)(346002)(396003)(451199015)(66476007)(66556008)(6506007)(4326008)(8676002)(66946007)(33716001)(6666004)(7416002)(6512007)(26005)(41300700001)(9686003)(5660300002)(53546011)(8936002)(54906003)(2906002)(316002)(86362001)(83380400001)(38100700002)(44832011)(186003)(966005)(478600001)(6486002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?ShRYfgJUWxxHRuoM0nxGIVHXpns36+pFRUAI65GmNPqbu+eUwmi2BaAtr5ZH?= =?us-ascii?Q?XFzp1+5IiXabiw5NZmpjF3Y3fcbWQ72vJYVEhWANVu2IR6P2whVvlEaRCEwe?= =?us-ascii?Q?JlJK+K+yTeJgehVqJYc5eh8N2W1+N6hFh75PwFyP//CNJYSIkSc65VOmtsqM?= =?us-ascii?Q?uih3dklADgYkDhEzmPIOqZj56l5SKjV+FQWrbX22jgESxIhWgsqr9TAHE1Cn?= =?us-ascii?Q?VIZ9rdBRSL8uANTVkDeYG+gy4twCRK5JV0RE7m6mA9PavvVgubCvhRI1eCv7?= =?us-ascii?Q?NMuaaDNAhJkbpMskDmCljgeHr/icvo5yt9CT7WC02rBbjaQb5hUVjqXVQSzT?= =?us-ascii?Q?aH+jXWxqXtSte4WpvzhpF7/F6v2YshZtOJxoD9ud4nuQQEQEZZjBil+uLWQm?= =?us-ascii?Q?W5QSnerWXGsyCmMkxkJNgHZ8QRvEXJujlvjhzgS2WCgNNvs/8LxJ19SZjJu/?= =?us-ascii?Q?xjaXC6x7kuABJXsnDFwFcNImzqGfN4R8hZtV27VcKp7GGTNgpy0J6WJQxDRW?= =?us-ascii?Q?upLYarOVNBwkAeA4D8kF9qto3cKbnEQo143ABo9Dp3DaiYP2ZDNLkIGu4Z+k?= =?us-ascii?Q?+aaunxE4otLA1wAU6Zh1mqCcb9HL+NHM/gJxMABNMeOh9DncC7FaV8MNwYgV?= =?us-ascii?Q?pgnf0cN3GkAh8pUAZMwuUwcSHNwGnBf8QPeu18dmrXsUNi6DsnmdoDGEF5Yh?= =?us-ascii?Q?iBZSBCMcOB6vCySF8sd0YbrkLenofx4fxA/2CozF8SzGz+D+emIdBdb1XiMB?= =?us-ascii?Q?V6HxcX89OvJ5lO+3Jbad+5nyPmdJaRD/hbUN/67EipY0PO3uw4vV0T/tSIp7?= =?us-ascii?Q?lzclqOKOxIytpJDpkGGjNaHIKH34T1E0As1On6kcsGDMw2mFRQLuIGkHp6wh?= =?us-ascii?Q?i4dskMz8qaGDZOGDc3LrUV3OY0quZt7RQwVAiO2sV1mZ/I9anISZsSrKlOrz?= =?us-ascii?Q?8QstvmofPpiD+odg53gS/QA8A+8TjYgdrlzf7XlxDWX/vi0ubdpWxzGv1aJ+?= =?us-ascii?Q?ylNNV8Veht/jbMBHARptfJ4tw1eaUHxR+TKHuHIJjMMa4yYIPvguY7PIsr8t?= =?us-ascii?Q?79kwBFfGOjZOgmoJ7CYwDXWxYD7w0Ug5+Rq2UhpCwox3Bg+uLt2F4TRC5Yu6?= =?us-ascii?Q?KEIJXjHmf5VK7zpwM7+TR5msLg3tAkLTWpsMZYqKKlSfGs9chxY+E+xJkTdC?= =?us-ascii?Q?R1bzhQ+w3wV77xxI/PvLigWvHgSubN3KOCHNWnYfz6vgm/vkiibFj1rjY+U4?= =?us-ascii?Q?P2lnk7itvlLDI+uLgvJMbUNAzhUhNW6qmryb24cicoDf12DSw015k2nBXFSZ?= =?us-ascii?Q?3bFLX3nyb4jd13iso5EmCcHLNbUykfQZ8cJMwOkvqjt57Xa5p55R3d4O3oWO?= =?us-ascii?Q?ggjpA2z234mBbM+vahdgGTOZCb0vcoP5+cBR9L0GdPkGJweusXFH+ozE5EM5?= =?us-ascii?Q?Mz45FWMpPdPcmOAWGCP5w8yP8MVnTTin8YqVd6EbIXvhn1ujXo5/G98g6kH6?= =?us-ascii?Q?7vYWMEjyN3LPLp/HWu1P2vrH4Cs2fsmbIVahx7CWfq+vA2i/FzP4sCSTyGM9?= =?us-ascii?Q?yPvfL7znhmQITNiJ8ibleRC9GWZlE8bdDCrLARCRuX/Eji/kn8As2ykPOW5t?= =?us-ascii?Q?Wg=3D=3D?= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 292a4c87-daf2-4cc0-00ea-08dab60a77ef X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4196.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Oct 2022 21:55:30.6926 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: ePuJkS3IEx7Zni+VU07HA47PSzOvvQ04C4eZqoGAAlxcv4QEYVhhpTtq/ixRgNC/HGL8y5kZwXFjXQ+6Eu4ZQQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR10MB6652 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-10-24_07,2022-10-21_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=739 bulkscore=0 suspectscore=0 malwarescore=0 phishscore=0 mlxscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2210240131 X-Proofpoint-GUID: l_YoxmKm-Bu4kgo4Ywe88O45d5dxRjGL X-Proofpoint-ORIG-GUID: l_YoxmKm-Bu4kgo4Ywe88O45d5dxRjGL ARC-Seal: i=2; s=arc-20220608; d=hostedemail.com; t=1666648548; a=rsa-sha256; cv=pass; b=2KoJn1uefXA0AEycditFChFL/GElfubM3YNlPAhSn98BgXAstV3IlQu4A1VmqJSI9LJ3D+ VnbfCZ+uOpePK+5LsIEcvLZYCxEXyI+yy3eYIxgrCB2O4LBTQeMV6a9sesI4aWHWH+/9O8 takxdAVlpOjaXF8smx0EwAQXnCaBPOc= ARC-Authentication-Results: i=2; imf21.hostedemail.com; dkim=pass header.d=oracle.com header.s=corp-2022-7-12 header.b=T67ke40h; dkim=pass header.d=oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=laX7nkQQ; dmarc=pass (policy=none) header.from=oracle.com; arc=pass ("microsoft.com:s=arcselector9901:i=1"); spf=pass (imf21.hostedemail.com: domain of mike.kravetz@oracle.com designates 205.220.177.32 as permitted sender) smtp.mailfrom=mike.kravetz@oracle.com ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666648548; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=I75nGouLWpzndbtSO+oe5SHKpbpDtNTHazhDdIbKQvc=; b=tHYCAk2xN0jeONL5O3vcyOXkApu8mBWVMT9lb/hDShIbjR7/XdhPrkTKEse0orJ4NMmqV8 oWK+ejRsm8GGRMv4kP/0YAHUT1iGzI9z/HLU6zPdQFOKG/c4YiVxvCg6yqIwQEzHgCWsox qtZh2qq5ubHVTNbgjUP7/n7iPazeM+A= X-Stat-Signature: fjsmdeefenmii67dqq15izkpxnwiridz X-Rspam-User: X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: 1247F1C002D Authentication-Results: imf21.hostedemail.com; dkim=pass header.d=oracle.com header.s=corp-2022-7-12 header.b=T67ke40h; dkim=pass header.d=oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=laX7nkQQ; dmarc=pass (policy=none) header.from=oracle.com; arc=pass ("microsoft.com:s=arcselector9901:i=1"); spf=pass (imf21.hostedemail.com: domain of mike.kravetz@oracle.com designates 205.220.177.32 as permitted sender) smtp.mailfrom=mike.kravetz@oracle.com X-HE-Tag: 1666648547-612676 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 10/22/22 19:50, Mike Kravetz wrote: > madvise(MADV_DONTNEED) ends up calling zap_page_range() to clear the > page tables associated with the address range. For hugetlb vmas, > zap_page_range will call __unmap_hugepage_range_final. However, > __unmap_hugepage_range_final assumes the passed vma is about to be > removed and deletes the vma_lock to prevent pmd sharing as the vma is > on the way out. In the case of madvise(MADV_DONTNEED) the vma remains, > but the missing vma_lock prevents pmd sharing and could potentially > lead to issues with truncation/fault races. > > This issue was originally reported here [1] as a BUG triggered in > page_try_dup_anon_rmap. Prior to the introduction of the hugetlb > vma_lock, __unmap_hugepage_range_final cleared the VM_MAYSHARE flag to > prevent pmd sharing. Subsequent faults on this vma were confused as > VM_MAYSHARE indicates a sharable vma, but was not set so page_mapping > was not set in new pages added to the page table. This resulted in > pages that appeared anonymous in a VM_SHARED vma and triggered the BUG. > > Create a new routine clear_hugetlb_page_range() that can be called from > madvise(MADV_DONTNEED) for hugetlb vmas. It has the same setup as > zap_page_range, but does not delete the vma_lock. After seeing a syzbot use after free report [2] that is also addressed by this patch, I started thinking ... When __unmap_hugepage_range_final was created, the only time unmap_single_vma was called for hugetlb vmas was during process exit time via exit_mmap. I got in trouble when I added a call via madvise(MADV_DONTNEED) which calls zap_page_range. This patch takes care of that calling path by having madvise(MADV_DONTNEED) call a new routine clear_hugetlb_page_range instead of zap_page_range for hugetlb vmas. The use after free bug had me auditing code paths to make sure __unmap_hugepage_range_final was REALLY only called at process exit time. If not, and we could fault on a vma after calling __unmap_hugepage_range_final we would be in trouble. My thought was, what if we had __unmap_hugepage_range_final check mm->mm_users to determine if it was being called in the process exit path? If !mm_users, then we can delete the vma_lock to prevent pmd sharing as we know the process is exiting. If not, we do not delete the lock. That seems to be more robust and would prevent issues if someone accidentally introduces a new code path where __unmap_hugepage_range_final (unmap_single_vma for a hugetlb vma) could be called outside process exit context. Thoughts? [2] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ -- Mike Kravetz