Date: Wed, 16 Apr 2025 09:46:03 +0200
From: Oscar Salvador
To: David Hildenbrand
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzbot+5e8feb543ca8e12e0ede@syzkaller.appspotmail.com, Andrew Morton
Subject: Re: [PATCH v1] mm/memory: move sanity checks in do_wp_page() after mapcount vs. refcount stabilization
In-Reply-To: <20250415095007.569836-1-david@redhat.com>

On Tue, Apr 15, 2025 at 11:50:07AM +0200, David Hildenbrand wrote:
> In __folio_remove_rmap() for RMAP_LEVEL_PMD/RMAP_LEVEL_PUD and with
> CONFIG_PAGE_MAPCOUNT we first decrement the folio mapcount (and
> recompute mapped shared vs. mapped exclusively) to then adjust the
> entire mapcount.
>
> This means that another process might stumble in do_wp_page() over a
> PTE-mapped PMD folio that is indicated as "exclusively mapped", but still
> has an entire mapcount (PMD mapping), because it is racing with the process
> that is unmapping the folio (PMD mapping). Note that do_wp_page() will
> back off once it detects the remaining folio reference from the process
> that is in the process of unmapping the folio.
>
> This will trigger the early VM_WARN_ON_ONCE(folio_entire_mapcount(folio))
> check in do_wp_page(), that can easily be reproduced by looping a couple
> of times over allocating a PMD THP, forking a child where we immediately
> unmap it again, and writing in the parent concurrently to the THP.
>
> [ 252.738129][T16470] ------------[ cut here ]------------
> [ 252.739267][T16470] WARNING: CPU: 3 PID: 16470 at mm/memory.c:3738 do_wp_page+0x2a75/0x2c00
> [ 252.740968][T16470] Modules linked in:
> [ 252.741958][T16470] CPU: 3 UID: 0 PID: 16470 Comm: ...
> ...
> [ 252.765841][T16470]
> [ 252.766419][T16470] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 252.767558][T16470] ? rcu_is_watching+0x12/0x60
> [ 252.768525][T16470] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 252.769645][T16470] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 252.770778][T16470] ? lock_acquire+0x33/0x80
> [ 252.771697][T16470] ? __handle_mm_fault+0x5e8/0x3e40
> [ 252.772735][T16470] ? __handle_mm_fault+0x5e8/0x3e40
> [ 252.773781][T16470] __handle_mm_fault+0x1869/0x3e40
> [ 252.774839][T16470] handle_mm_fault+0x22a/0x640
> [ 252.775808][T16470] do_user_addr_fault+0x618/0x1000
> [ 252.776847][T16470] exc_page_fault+0x68/0xd0
> [ 252.777775][T16470] asm_exc_page_fault+0x26/0x30
>
> While we could adjust the sequence in __folio_remove_rmap(), let's rather
> move the mapcount sanity checks after the mapcount vs. refcount
> stabilization phase. With this fix, a simple reproducer is happy.
>
> While at it, convert the two VM_WARN_ON_ONCE() we are moving to
> VM_WARN_ON_ONCE_FOLIO().
>
> Reported-by: syzbot+5e8feb543ca8e12e0ede@syzkaller.appspotmail.com
> Closes: https://lkml.kernel.org/r/67fab4fe.050a0220.2c5fcf.0011.GAE@google.com
> Fixes: 1da190f4d0a6 ("mm: Copy-on-Write (COW) reuse support for PTE-mapped THP")
> Cc: Andrew Morton
> Signed-off-by: David Hildenbrand

Reviewed-by: Oscar Salvador

-- 
Oscar Salvador
SUSE Labs
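
Added example (not part of the thread, and not the reproducer the commit message refers to): a regression-check sketch that follows the steps the quoted commit message describes, for running on a CONFIG_DEBUG_VM test kernel while watching dmesg for the do_wp_page() warning. The function name thp_cow_race_rounds() and the 2 MiB PMD size are assumptions.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MADV_HUGEPAGE
#define MADV_HUGEPAGE 14              /* Linux value, for older headers */
#endif
#define THP_SIZE (2UL << 20)          /* assumption: 2 MiB PMD (x86-64) */

/* Hypothetical helper: returns 0 if every round ran, -1 on setup failure. */
int thp_cow_race_rounds(int rounds)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    for (int i = 0; i < rounds; i++) {
        /* Over-allocate so a PMD-aligned 2 MiB window fits inside. */
        char *raw = mmap(NULL, 2 * THP_SIZE, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (raw == MAP_FAILED)
            return -1;
        char *thp = (char *)(((uintptr_t)raw + THP_SIZE - 1) &
                             ~(uintptr_t)(THP_SIZE - 1));

        /* Best effort: without THP support this just uses small pages. */
        madvise(thp, THP_SIZE, MADV_HUGEPAGE);
        memset(thp, 1, THP_SIZE);     /* fault in (ideally) one PMD THP */

        pid_t pid = fork();
        if (pid < 0) {
            munmap(raw, 2 * THP_SIZE);
            return -1;
        }
        if (pid == 0) {               /* child: drop its PMD mapping at once */
            munmap(thp, THP_SIZE);
            _exit(0);
        }
        /* Parent: write-fault every page while the child is unmapping. */
        for (size_t off = 0; off < THP_SIZE; off += page)
            ((volatile char *)thp)[off] = 2;

        int status = 0;
        waitpid(pid, &status, 0);
        munmap(raw, 2 * THP_SIZE);
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
            return -1;
    }
    return 0;
}
```

The return value only says the rounds completed; whether the race was hit shows up in the kernel log, not in the process.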