From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=2sRG=ZK=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 034CBC43215
	for <linux-mm@archiver.kernel.org>; Mon, 18 Nov 2019 12:58:20 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id B216220692
	for <linux-mm@archiver.kernel.org>; Mon, 18 Nov 2019 12:58:19 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=fail reason="signature verification failed" (1024-bit key) header.d=shipmail.org header.i=@shipmail.org header.b="eabxb1st"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B216220692
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=shipmail.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 4D99D6B0006; Mon, 18 Nov 2019 07:58:19 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 48A9E6B0007; Mon, 18 Nov 2019 07:58:19 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 351E66B000D; Mon, 18 Nov 2019 07:58:19 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0004.hostedemail.com [216.40.44.4])
	by kanga.kvack.org (Postfix) with ESMTP id 20C3C6B0006
	for <linux-mm@kvack.org>; Mon, 18 Nov 2019 07:58:19 -0500 (EST)
Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with SMTP id C8D14180AD806
	for <linux-mm@kvack.org>; Mon, 18 Nov 2019 12:58:18 +0000 (UTC)
X-FDA: 76169401476.28.edge73_827e0e437bd0e
X-HE-Tag: edge73_827e0e437bd0e
X-Filterd-Recvd-Size: 4953
Received: from ste-pvt-msa2.bahnhof.se (ste-pvt-msa2.bahnhof.se [213.80.101.71])
	by imf41.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon, 18 Nov 2019 12:58:16 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by ste-pvt-msa2.bahnhof.se (Postfix) with ESMTP id E7CA83F731;
	Mon, 18 Nov 2019 13:58:14 +0100 (CET)
Authentication-Results: ste-pvt-msa2.bahnhof.se;
	dkim=pass (1024-bit key; unprotected) header.d=shipmail.org header.i=@shipmail.org header.b=eabxb1st;
	dkim-atps=neutral
X-Virus-Scanned: Debian amavisd-new at bahnhof.se
Authentication-Results: ste-ftg-msa2.bahnhof.se (amavisd-new);
	dkim=pass (1024-bit key) header.d=shipmail.org
Received: from ste-pvt-msa2.bahnhof.se ([127.0.0.1])
	by localhost (ste-ftg-msa2.bahnhof.se [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 1OKBn0n20cbF; Mon, 18 Nov 2019 13:58:10 +0100 (CET)
Received: from mail1.shipmail.org (h-205-35.A357.priv.bahnhof.se [155.4.205.35])
	(Authenticated sender: mb878879)
	by ste-pvt-msa2.bahnhof.se (Postfix) with ESMTPA id 8B8783F6AF;
	Mon, 18 Nov 2019 13:58:05 +0100 (CET)
Received: from localhost.localdomain (h-205-35.A357.priv.bahnhof.se [155.4.205.35])
	by mail1.shipmail.org (Postfix) with ESMTPSA id C6DA0360070;
	Mon, 18 Nov 2019 13:58:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shipmail.org; s=mail;
	t=1574081884; bh=AFDCrmlbjICMQZSk5hGF7cpQTlFoaR/bVow1qk93kfs=;
	h=Subject:To:Cc:References:From:Date:In-Reply-To:From;
	b=eabxb1stIuKrkqGocBX6wlcN+Vsl3Ml+lvM15Z9rzFU/k6+3D1OOmGzr/0RdpYC4C
	 EyVHCjUubPlth+gEJoRjOTwLwmbWcIPDYJz/E/Ul1iAxbVUaHjihH2oxXW1Fm1yzxi
	 9Mflq8G4RASgUVWHN9eI0QWRr+zFMe3SmpidQ6Lk=
Subject: Re: [PATCH 2/2] mm: Fix a huge pud insertion race during faulting
To: "Kirill A. Shutemov" <kirill@shutemov.name>,
 Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
 Thomas Hellstrom <thellstrom@vmware.com>, Arnd Bergmann <arnd@arndb.de>,
 "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
 Matthew Wilcox <willy@infradead.org>
References: <20191115115808.21181-1-thomas_os@shipmail.org>
 <20191115115808.21181-2-thomas_os@shipmail.org>
 <20191115115800.45c053abcdb550d70b9baec9@linux-foundation.org>
 <20191118102219.om5monxih7kfodyz@box>
From: =?UTF-8?Q?Thomas_Hellstr=c3=b6m_=28VMware=29?= <thomas_os@shipmail.org>
Organization: VMware Inc.
Message-ID: <b8600932-517d-99d3-90b4-d9b9e8a6f641@shipmail.org>
Date: Mon, 18 Nov 2019 13:58:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <20191118102219.om5monxih7kfodyz@box>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On 11/18/19 11:22 AM, Kirill A. Shutemov wrote:
> On Fri, Nov 15, 2019 at 11:58:00AM -0800, Andrew Morton wrote:
>> On Fri, 15 Nov 2019 12:58:08 +0100 Thomas Hellstr=C3=B6m (VMware) <tho=
mas_os@shipmail.org> wrote:
>>
>>> A huge pud page can theoretically be faulted in racing with pmd_alloc=
()
>>> in __handle_mm_fault(). That will lead to pmd_alloc() returning an
>>> invalid pmd pointer. Fix this by adding a pud_trans_unstable() functi=
on
>>> similar to pmd_trans_unstable() and check whether the pud is really s=
table
>>> before using the pmd pointer.
>>>
>>> Race:
>>> Thread 1:             Thread 2:                 Comment
>>> create_huge_pud()                               Fallback - not taken.
>>> 		      create_huge_pud()         Taken.
>>> pmd_alloc()                                     Returns an invalid po=
inter.
>> What are the user-visible runtime effects of this change?
> Data corruption: kernel writes to a huge page thing it's page table.
>
>> Is a -stable backport warranted?
> I believe it is.

Note that this was caught during a code audit rather than a real=20
experienced problem. It looks to me like the only implementation that=20
currently creates huge pud pagetable entries is dev_dax_huge_fault()=20
which doesn't appear to care much about private (COW) mappings or=20
write-tracking which is, I believe, a prerequisite for create_huge_pud()=20
falling back on thread 1, but not in thread 2.

This means (assuming that's intentional) that a stable backport=20
shouldn't be needed.

For the WIP huge page support for graphics memory we'll be allowing both=20
COW mappings and write-tracking, though, but that's still some time away.

In any case, I think this patch needs -rc testing to catch potential=20
pud_devmap issues before submitted to stable.

Thanks,

Thomas

>
> Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
>