Date: Mon, 4 Oct 2021 19:26:23 -0700 (PDT)
From: Hugh Dickins
To: Matthew Wilcox
cc: Yang Shi, Hao Sun, Hugh Dickins, Song Liu, Rongwei Wang, Andrew Morton, Linux MM, Linux Kernel Mailing List, William Kucharski
Subject: Re: [PATCH v2 1/2] mm, thp: check page mapping when truncating page cache
References: <67906bf5-4de9-8433-3d70-cc8fc5cc2347@linux.alibaba.com> <3d264ed9-f8fd-60d4-7125-f9f745ebeb52@google.com>

On Mon, 4 Oct 2021, Matthew Wilcox wrote:
> On Mon, Oct 04, 2021 at 11:28:45AM -0700, Yang Shi wrote:
> > On Sat, Oct 2, 2021 at 10:09 AM Matthew Wilcox wrote:
> > > On Thu, Sep 30, 2021 at 10:39:14AM -0700, Yang Shi wrote:
> > > > On Thu, Sep 30, 2021 at 9:49 AM Hugh Dickins wrote:
> > > > > I assume you're thinking of one of the fuzzer blkdev ones:
> > > > > https://lore.kernel.org/linux-mm/CACkBjsbtF_peC7N_4mRfHML_BeiPe+O9DahTfr84puSG_J9rcQ@mail.gmail.com/
> > > > > or
> > > > > https://lore.kernel.org/lkml/CACkBjsYwLYLRmX8GpsDpMthagWOjWWrNxqY6ZLNQVr6yx+f5vA@mail.gmail.com/
> > > > >
> > > > > I haven't started on those ones yet: yes, I imagine one or both of those
> > > > > will need a further fix (S_ISREG() check somewhere if we're lucky; but
> > > > > could well be nastier); but for the bug in this thread, I expect
> > > >
> > > > Makes sense to me. We should be able to check S_ISREG() in khugepaged,
> > > > if it is not a regular file, just bail out. Sounds not that nasty to
> > > > me AFAIU.
> > >
> > > I don't see why we should have an S_ISREG() check. I agree it's not the
> > > intended usecase, but it ought to work fine. Unless there's something
> > > I'm missing?
> >
> > Check out this bug report:
> > https://lore.kernel.org/lkml/CACkBjsYwLYLRmX8GpsDpMthagWOjWWrNxqY6ZLNQVr6yx+f5vA@mail.gmail.com/
> > and the patch from me:
> > https://lore.kernel.org/linux-mm/20210917205731.262693-1-shy828301@gmail.com/
> >
> > I don't think we handle buffers correctly for file THP, right? My
> > patch is ad hoc, so I thought Hugh's suggestion makes some sense to
> > me. Why do we have THP collapsed for unintended usecase in the first
> > place?
>
> OK, I've done some more digging. I think what's going on with this
> report is userspace opens the block device RO, causes the page cache to
> be loaded with data, then khugepaged comes in and creates THPs.

Yes.

> What confuses me is that these THPs have private data attached to them.
> I don't know how that happens. If it's block device specific, then
> yes, something like your S_ISREG() idea should work fine. Otherwise,
> we might need to track down another problem.

Agreed, the file THP is created without PagePrivate, so the puzzle was
why the read-only cached page would later become page_has_private().

The C repro showed that it uses (a BTRFS_IOC_ADD_DEV ioctl which might
not be relevant and) a BLKRRPART ioctl 0x125f: I didn't follow BLKRRPART
all the way down, but imagine it has to attach buffer-heads to re-read
the partition table. Which would explain it.

Aside from that particular ioctl, it seems a good idea to insist on
S_ISREG just to shrink the attack surface: as Yang Shi says, executable
THP on block device was never an intended usecase, and not a usecase
anyone is likely to miss! And that fuzzer appears to delight in
tormenting /dev/nullb0, so let's just seal off that avenue.

You're right to have some doubt, as to whether there might be other ways
for buffer-heads to get attached, even on a read-only regular file; but
no way has sprung to my mind, and READ_ONLY_THP_FOR_FS has survived well
in its intended usage: so I think we should proceed on the assumption
that no further bugs remain - then fix them when found.

I wasn't able to reproduce the problem with the repro, would need to
waste many hours to do so. But here's the untested S_ISREG patch I came
up with.

Sorry, I've mixed something else in: in moving the alignment part to
clarify the conditions, I was alarmed to see that shmem with
!shmem_huge_enabled was falling through to THP_FOR_FS to give unexpected
huge pages: fixed that, though later found there's a separate
shmem_huge_enabled() check which should exclude it.

--- 5.15-rc4/mm/khugepaged.c 2021-09-12 17:39:21.943438422 -0700
+++ linux/khugepaged.c 2021-10-03 20:41:13.194822795 -0700
@@ -445,22 +445,25 @@ static bool hugepage_vma_check(struct vm if (!transhuge_vma_enabled(vma, vm_flags)) return false; + if (vma->vm_file && !IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - + vma->vm_pgoff, HPAGE_PMD_NR)) + return false; + /* Enabled via shmem mount options or sysfs settings. */ - if (shmem_file(vma->vm_file) && shmem_huge_enabled(vma)) { - return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff, - HPAGE_PMD_NR); - } + if (shmem_file(vma->vm_file)) + return shmem_huge_enabled(vma); /* THP settings require madvise. */ if (!(vm_flags & VM_HUGEPAGE) && !khugepaged_always()) return false; /* Read-only file mappings need to be aligned for THP to work. */ - if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && vma->vm_file && - !inode_is_open_for_write(vma->vm_file->f_inode) && - (vm_flags & VM_EXEC)) { - return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff, - HPAGE_PMD_NR); + if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && + (vm_flags & VM_EXEC) && vma->vm_file) { + struct inode *inode = vma->vm_file->f_inode; + + return !inode_is_open_for_write(inode) && + S_ISREG(inode->i_mode); } if (!vma->anon_vma || vma->vm_ops)
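Review bot: the shmem rewrite in the middle of this hunk changes behaviour beyond the S_ISREG fix and should be split out or dropped: with `+ if (shmem_file(vma->vm_file))` / `+ return shmem_huge_enabled(vma);` a shmem VMA for which shmem_huge_enabled() is false now returns false immediately, whereas the removed lines let it fall through to the VM_HUGEPAGE/khugepaged_always() and CONFIG_READ_ONLY_THP_FOR_FS checks; the cover text already says a separate shmem_huge_enabled() check excludes that path, so the reshuffle is not needed for the bug being fixed and makes the change harder to bisect. The new `S_ISREG(inode->i_mode)` test also deserves a one-line comment saying why non-regular files are refused (a read-only block device mapping can acquire buffer-heads, for example via BLKRRPART, after the THP has been collapsed), since nothing in the code otherwise records the reason. Hoisting the IS_ALIGNED check in front of both branches is only behaviour-preserving if an unaligned file VMA that takes neither branch was already rejected by the trailing `if (!vma->anon_vma || vma->vm_ops)` test, which is worth stating in the changelog.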