From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 21 Aug 2023 17:26:41 -0400
From: Peter Xu
To: Hugh Dickins
Cc: Andrew Morton, Jann Horn, Mike Kravetz, Mike Rapoport,
 "Kirill A. Shutemov", Matthew Wilcox, David Hildenbrand,
 Suren Baghdasaryan, Qi Zheng, Yang Shi, Mel Gorman, Peter Zijlstra,
 Will Deacon, Yu Zhao, Alistair Popple, Ralph Campbell, Ira Weiny,
 Steven Price, SeongJae Park, Lorenzo Stoakes, Huang Ying,
 Naoya Horiguchi, Christophe Leroy, Zack Rusin, Jason Gunthorpe,
 Axel Rasmussen, Anshuman Khandual, Pasha Tatashin, Miaohe Lin,
 Minchan Kim, Christoph Hellwig, Song Liu, Thomas Hellstrom,
 Russell King, "David S. Miller", Michael Ellerman,
 "Aneesh Kumar K.V", Heiko Carstens, Christian Borntraeger,
 Claudio Imbrenda, Alexander Gordeev, Gerald Schaefer, Vasily Gorbik,
 Vishal Moola, Vlastimil Babka, Zi Yan, Zach O'Keefe, Linux ARM,
 sparclinux@vger.kernel.org, linuxppc-dev, linux-s390, kernel list,
 Linux-MM
Subject: Re: [PATCH mm-unstable] mm/khugepaged: fix collapse_pte_mapped_thp() versus uffd
References: <4d31abf5-56c0-9f3d-d12f-c9317936691@google.com>
In-Reply-To: <4d31abf5-56c0-9f3d-d12f-c9317936691@google.com>

On Mon, Aug 21, 2023 at 12:51:20PM -0700, Hugh Dickins wrote:
> Jann Horn demonstrated how userfaultfd ioctl UFFDIO_COPY into a private
> shmem mapping can add valid PTEs to page table collapse_pte_mapped_thp()
> thought it had emptied: page lock on the huge page is enough to protect
> against WP faults (which find the PTE has been cleared), but not enough
> to protect against userfaultfd. "BUG: Bad rss-counter state" followed.
>
> retract_page_tables() protects against this by checking !vma->anon_vma;
> but we know that MADV_COLLAPSE needs to be able to work on private shmem
> mappings, even those with an anon_vma prepared for another part of the
> mapping; and we know that MADV_COLLAPSE needs to work on shared shmem
> mappings which are userfaultfd_armed(). Whether it needs to work on
> private shmem mappings which are userfaultfd_armed(), I'm not so sure:
> but assume that it does.
>
> Just for this case, take the pmd_lock() two steps earlier: not because
> it gives any protection against this case itself, but because ptlock
> nests inside it, and it's the dropping of ptlock which let the bug in.
> In other cases, continue to minimize the pmd_lock() hold time.
>
> Reported-by: Jann Horn
> Closes: https://lore.kernel.org/linux-mm/CAG48ez0FxiRC4d3VTu_a9h=rg5FW-kYD5Rg5xo_RDBM0LTTqZQ@mail.gmail.com/
> Fixes: 1043173eb5eb ("mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock()")
> Signed-off-by: Hugh Dickins

The locking is indeed slightly complicated.. but I didn't spot anything
wrong.

Acked-by: Peter Xu

Thanks,

-- 
Peter Xu