From: Jinjiang Tu <tujinjiang@huawei.com>
Date: Tue, 11 Mar 2025 16:14:07 +0800
Subject: Re: Using userfaultfd with KVM's async page fault handling causes processes to hung waiting for mmap_lock to be released
To: Peter Xu
CC: jimsiak, linux-mm@kvack.org
References: <79375b71-db2e-3e66-346b-254c90d915e2@cslab.ece.ntua.gr> <20250307072133.3522652-1-tujinjiang@huawei.com> <46ac83f7-d3e0-b667-7352-d853938c9fc9@huawei.com>
On 2025/3/11 2:50, Peter Xu wrote:
> On Mon, Mar 10, 2025 at 02:40:35PM +0800, Jinjiang Tu wrote:
>> On 2025/3/8 6:41, Peter Xu wrote:
>>> On Fri, Mar 07, 2025 at 03:11:09PM +0200, jimsiak wrote:
>>>> Hi,
>>>>
>>>> From my side, I managed to avoid the freezing of processes with the
>>>> following change in function userfaultfd_release() in file fs/userfaultfd.c
>>>> (https://elixir.bootlin.com/linux/v5.13/source/fs/userfaultfd.c#L842):
>>>>
>>>> I moved the following command from line 851:
>>>> WRITE_ONCE(ctx->released, true);
>>>> (https://elixir.bootlin.com/linux/v5.13/source/fs/userfaultfd.c#L851)
>>>>
>>>> to line 905, that is exactly before the function returns 0.
>>>>
>>>> That simple workaround worked for my use case, but I am far from sure that it is
>>>> a correct/sufficient fix for the problem at hand.
>>> Updating the field after userfaultfd_ctx_put() might mean UAF, afaict.
>>>
>>> Maybe it's possible to remove ctx->released but only rely on the mmap write
>>> lock. However, that'll need some closer look and more thoughts.
>>>
>>> To me, the more straightforward way to fix it is to use the patch I
>>> mentioned in the other email:
>>>
>>> https://lore.kernel.org/all/ZLmT3BfcmltfFvbq@x1n/
>>>
>>> Or does it mean it didn't work at all?
>> This patch works for me. The mlock() syscall calls GUP with FOLL_UNLOCKABLE and
>> allows releasing the mmap lock and retrying.
>>
>> But other GUP calls without FOLL_UNLOCKABLE will return VM_FAULT_SIGBUS;
>> is it a regression from the below commit?
> Do you have an explicit reproducer / use case of such?
>
> AFAIU, the below commit should only change it from SIGBUS to NOPAGE when
> "released" is set. I don't see how it can regress on !FOLL_UNLOCKABLE.
>
> Thanks,

You are right, the below commit seems to only care about page faults from
userspace (which have the FAULT_FLAG_ALLOW_RETRY flag), and doesn't care about
GUP from drivers (which may be !FOLL_UNLOCKABLE).

Thanks.

>> commit 656710a60e3693911bee3a355d2f2bbae3faba33
>> Author: Andrea Arcangeli
>> Date: Fri Sep 8 16:12:42 2017 -0700
>>
>> userfaultfd: non-cooperative: closing the uffd without triggering SIGBUS
>>
>>> Thanks,
>>>