From: Sven Schnelle
To: Ryan Roberts
Cc: David Hildenbrand, Andrew Morton, Matthew Wilcox, Yin Fengwei, Yu Zhao, Yang Shi, "Huang, Ying", Zi Yan, Nathan Chancellor, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-s390@vger.kernel.org
Subject: Re: [PATCH v1] mm: Fix use-after-free for MMU_GATHER_NO_GATHER
References: <20230727110224.3333682-1-ryan.roberts@arm.com>
Date: Thu, 27 Jul 2023 13:35:50 +0200
In-Reply-To: (David Hildenbrand's message of "Thu, 27 Jul 2023 13:15:27 +0200")

Ryan,

David Hildenbrand writes:

> On 27.07.23 13:02, Ryan Roberts wrote:
>> The recent change to batch-zap anonymous ptes did not take into account
>> that for platforms where MMU_GATHER_NO_GATHER is enabled (e.g. s390),
>> __tlb_remove_page() drops a reference to the page. This means that the
>> folio reference count can drop to zero while still in use (i.e. before
>> folio_remove_rmap_range() is called). This does not happen on other
>> platforms because the actual page freeing is deferred.
>>
>> Solve this by appropriately getting/putting the folio to guarantee it
>> does not get freed early.
>>
>> Given the new need to get/put the folio in the batch path, let's stick
>> to the non-batched path if the folio is not large. In this case batching
>> is not helpful since the batch size is 1.
>>
>> Signed-off-by: Ryan Roberts
>> Fixes: 904d9713b3b0 ("mm: batch-zap large anonymous folio PTE mappings")
>> Reported-by: Nathan Chancellor
>> Link: https://lore.kernel.org/linux-mm/20230726161942.GA1123863@dev-arch.thelio-3990X/
>> ---
>> Hi Andrew,
>>
>> This fixes patch 3 in the series at [1], which is currently in
>> mm-unstable. I'm not sure whether you want to take the fix or whether I
>> should re-post the entire series?
>>
>
> Please repost the complete thing, you're touching some sensible places
> that really need decent review.

Please also add:

Alexander Gordeev
Gerald Schaefer

when reposting. Thanks!
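
The reference-count ordering described in the quoted commit message, as an added userspace model (not code from the patch or from the kernel). The `*_model` names, the one-reference-per-mapped-page accounting and the `freed` flag standing in for the actual free are assumptions made for illustration.

```c
/* Userspace model (constructed): names echo the commit message, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct folio_model {
    int refcount;   /* assumption: one reference per mapped page, no other holder */
    bool freed;     /* set when the count reaches zero */
};

static void folio_put_model(struct folio_model *f)
{
    if (--f->refcount == 0)
        f->freed = true;        /* a real kernel would free the memory here */
}

/* Zap nr pages of one folio, then run the rmap step that still needs it.
 * no_gather: each remove drops its reference at once; else drops are deferred.
 * pin: extra get/put around the batch. Returns true if rmap saw a freed folio. */
static bool zap_batch_model(struct folio_model *f, int nr, bool no_gather, bool pin)
{
    int deferred = 0;
    bool use_after_free;
    if (pin)
        f->refcount++;          /* get */
    for (int i = 0; i < nr; i++) {
        if (no_gather)
            folio_put_model(f); /* MMU_GATHER_NO_GATHER: dropped immediately */
        else
            deferred++;         /* freeing deferred until the flush */
    }
    use_after_free = f->freed;  /* rmap removal touches the folio here */
    while (deferred-- > 0)
        folio_put_model(f);     /* deferred flush */
    if (pin)
        folio_put_model(f);     /* put */
    return use_after_free;
}

static bool run_model(bool no_gather, bool pin)
{
    struct folio_model f = { .refcount = 4, .freed = false };
    return zap_batch_model(&f, 4, no_gather, pin);
}

int main(void)
{
    printf("%d %d %d\n", run_model(true, false), run_model(true, true), run_model(false, false));
    return 0;
}
```

Only the immediate-drop case without the extra reference reaches the rmap step with the count already at zero, which is why the deferred-free platforms did not show the problem.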