From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43561C43217 for ; Mon, 28 Nov 2022 13:53:04 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A68D06B0072; Mon, 28 Nov 2022 08:53:03 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id A18AD6B0073; Mon, 28 Nov 2022 08:53:03 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9077A6B0074; Mon, 28 Nov 2022 08:53:03 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 7D3CA6B0072 for ; Mon, 28 Nov 2022 08:53:03 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 0E6C4C0C31 for ; Mon, 28 Nov 2022 13:53:03 +0000 (UTC) X-FDA: 80182992246.05.1CCA916 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf10.hostedemail.com (Postfix) with ESMTP id 72F7FC0012 for ; Mon, 28 Nov 2022 13:53:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1669643581; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XnlbsZkof5NJhewGi9OF3NjlblvQjvfpn1girlOlzgE=; b=SqbqXOpfmWkaR6kJkkluKACb9b3SsJq8KgbACnV8lkZuVlhDQwWOPzVdufdBF/NixoEZv2 07gptQ0ZuC5xhUefmrgWnndysYIJ2GDglz2SEkCyozGit8M52pg3hwf1HtPoVxRL0yWJVN OQHCkfsVjeXH0q+F5dJUZWK/87cqhBc= Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-639-x-xfHwpRMcOnZcRb2UBy8w-1; Mon, 28 Nov 2022 08:53:00 -0500 X-MC-Unique: x-xfHwpRMcOnZcRb2UBy8w-1 Received: by mail-wr1-f69.google.com with SMTP id v14-20020adf8b4e000000b0024174021277so1958648wra.13 for ; Mon, 28 Nov 2022 05:53:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:subject:organization:from :references:cc:to:content-language:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XnlbsZkof5NJhewGi9OF3NjlblvQjvfpn1girlOlzgE=; b=2mdp76Gc5S+jZdsyb6zwJsqlz7NGH8CyLRGZGvMVrEPbjSP2IU7IDc9XrpsLrfrCXH M85In+oGyqRNNAH76XQ/Esl9uXau0+zbnl2tUa5FVVCoSJxjeMEjKypYTwjGIIEho9we YoOnu8gtKkOp9rjHpXdgrhhwWxDdNftR3GJ/yQK/KOUSMT7vTS+rrUF5BdP/0tE6w5Tr LZmkFN6/EiUuxK4NCINVjQirP3cFZLtUfmfx0S3jDBfBTkrV5Obh1evvOih8/2lwhQiV bDQ3RHW6sLkjiCNtNBGSVJ6y5VRBJ69RAlm2gCfbNf8kgC5XwzmVKP0M1fPcp3Tobs6i /C7A== X-Gm-Message-State: ANoB5pnZDHW1IA8afB7Fo+5ZhB8vU8p/PiIgnTez/BvlKusO9J1dE6WZ S1N3m4TLPR62gWoM+T7sUrY9FfsI9yUO8IaKA+NAXBRoOKGbGyh5Y/CHAPwldkKbDrOwQ2Fff10 /uq3CsLHFNXU= X-Received: by 2002:adf:ed8b:0:b0:241:d375:88b6 with SMTP id c11-20020adfed8b000000b00241d37588b6mr23251159wro.88.1669643579173; Mon, 28 Nov 2022 05:52:59 -0800 (PST) X-Google-Smtp-Source: AA0mqf5Jjj7LYEuOV8esn9R8v9jZohPzwib9S5dbPhEQEgekrVxpp2quDTIs9gUIoqvtI4JnGmAybA== X-Received: by 2002:adf:ed8b:0:b0:241:d375:88b6 with SMTP id c11-20020adfed8b000000b00241d37588b6mr23251139wro.88.1669643578854; Mon, 28 Nov 2022 05:52:58 -0800 (PST) Received: from ?IPV6:2003:cb:c702:9000:3d6:e434:f8b4:80cf? (p200300cbc702900003d6e434f8b480cf.dip0.t-ipconnect.de. [2003:cb:c702:9000:3d6:e434:f8b4:80cf]) by smtp.gmail.com with ESMTPSA id n11-20020adfe78b000000b0023677fd2657sm10935325wrm.52.2022.11.28.05.52.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 28 Nov 2022 05:52:57 -0800 (PST) Message-ID: Date: Mon, 28 Nov 2022 14:52:57 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.1 To: Jann Horn , security@kernel.org, Andrew Morton Cc: Yang Shi , Peter Xu , John Hubbard , linux-kernel@vger.kernel.org, linux-mm@kvack.org References: <20221125213714.4115729-1-jannh@google.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH v3 1/3] mm/khugepaged: Take the right locks for page table retraction In-Reply-To: <20221125213714.4115729-1-jannh@google.com> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1669643582; a=rsa-sha256; cv=none; b=8cOH8SmhQyvTSd2Ajf5mNfZ4owqOXDj2ioUuPqN5s8UBLbMMQZQkK1mCQWtSwnKY6ZqHqc aDQWjKPgVm5PjT4sbNHqym2n5l917NHvmXQg+Ke6dmodh1pFeffLeKr0KwQ+XK22wcr2Hw PzS7uk5MQ8ZSLPDTwxZCFY22DIvJLic= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=SqbqXOpf; spf=pass (imf10.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1669643582; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=XnlbsZkof5NJhewGi9OF3NjlblvQjvfpn1girlOlzgE=; b=yA3UlAtZG8oKLbHL3IundIUr5hyDyt+DEy7CK74cMKRbcoFXrnQFcVBNisy/UtgATp8DuG 9nN63TihUMRA+rNMbGi5O4i1TVaIbTeKjrVEyiKPJLKQBFpTq7k5hlgEST3KNLFWqyyoBR zzTdLk8cGy8AWxRKYIEozlB4VvztM8g= X-Rspam-User: Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=SqbqXOpf; spf=pass (imf10.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com X-Stat-Signature: icssz183sruknfrwdsj575y5qfmk369h X-Rspamd-Queue-Id: 72F7FC0012 X-Rspamd-Server: rspam06 X-HE-Tag: 1669643582-300189 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 25.11.22 22:37, Jann Horn wrote: > pagetable walks on address ranges mapped by VMAs can be done under the mmap > lock, the lock of an anon_vma attached to the VMA, or the lock of the VMA's > address_space. Only one of these needs to be held, and it does not need to > be held in exclusive mode. > > Under those circumstances, the rules for concurrent access to page table > entries are: > > - Terminal page table entries (entries that don't point to another page > table) can be arbitrarily changed under the page table lock, with the > exception that they always need to be consistent for > hardware page table walks and lockless_pages_from_mm(). > This includes that they can be changed into non-terminal entries. > - Non-terminal page table entries (which point to another page table) > can not be modified; readers are allowed to READ_ONCE() an entry, verify > that it is non-terminal, and then assume that its value will stay as-is. > > Retracting a page table involves modifying a non-terminal entry, so > page-table-level locks are insufficient to protect against concurrent > page table traversal; it requires taking all the higher-level locks under > which it is possible to start a page walk in the relevant range in > exclusive mode. > > The collapse_huge_page() path for anonymous THP already follows this rule, > but the shmem/file THP path was getting it wrong, making it possible for > concurrent rmap-based operations to cause corruption. This sounds sane and correct to me. No expert on file-THP, though. For anon-THP it's the mmap lock and the rmap locks. I assume the only difference for file-THP is that the rmap lock is actually the mapping lock. Looking at rmap_walk_file(), that seems to be the case. I wish at least PTE table removal could be done easier ... I already experimented some time ago with some ideas (e.g., lock in PMD table memmap) but it's all far from trivial and space in the memmap is rare. -- Thanks, David / dhildenb