From: Nadav Amit
To: Mike Kravetz
CC: Nadia Yvette Chambers, Linux Kernel Mailing List, Eric Biggers
Subject: Re: [PATCH] hugetlbfs: change put_page/unlock_page order in hugetlbfs_fallocate()
Date: Sun, 27 Aug 2017 20:08:58 +0000
References: <20170826210905.GA21712@zzz.localdomain> <20170826191124.51642-1-namit@vmware.com> <6bf36198-0693-5735-7180-6529aa4c29e4@oracle.com>
In-Reply-To: <6bf36198-0693-5735-7180-6529aa4c29e4@oracle.com>
Mike Kravetz wrote:
> On 08/26/2017 12:11 PM, Nadav Amit wrote:
>> hugetlbfs_fallocate() currently performs put_page() before unlock_page().
>> This scenario opens a small time window, from the time the page is added
>> to the page cache, until it is unlocked, in which the page might be
>> removed from the page-cache by another core. If the page is removed
>> during this time window, it might cause a memory corruption, as the
>> wrong page will be unlocked.
>>
>> It is arguable whether this scenario can happen in a real system, and
>> there are several mitigating factors. The issue was found by code
>> inspection (actually grep), and not by actually triggering the flow.
>> Yet, since putting the page before unlocking is incorrect it should be
>> fixed, if only to prevent future breakage or someone copy-pasting this
>> code.
>>
>> Fixes: 70c3547e36f5c ("hugetlbfs: add hugetlbfs_fallocate()")
>>
>> cc: Eric Biggers
>> cc: Mike Kravetz
>>
>> Signed-off-by: Nadav Amit
>
> Thank you Nadav.

No problem.

> Reviewed-by: Mike Kravetz
>
> Since hugetlbfs is an in-memory filesystem, the only way one 'should' be
> able to remove a page (file content) is through an inode operation such as
> truncate, hole punch, or unlink. That was the basis for my response that
> the inode lock would be required for page freeing.
>
> Eric's question about sys_fadvise64(POSIX_FADV_DONTNEED) is interesting.
> I was expecting to see a check for hugetlbfs pages and exit (without
> modification) if encountered. A quick review of the code did not find
> any such checks.
>
> I'll take a closer look to determine exactly how hugetlbfs files are
> handled. IMO, there should be something similar to the DAX check where
> the routine quickly exits.

I did not cc stable when submitting the patch, based on your previous
response. Let me know if you want me to send v2 which does so.

Thanks,
Nadav
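The ordering hazard from the quoted patch description, as an added user-space model that is not part of the thread or the kernel: `struct page`, `put_page()`, `unlock_page()` and the racing page-cache removal are simplified stand-ins, and the remover is assumed not to wait for the page lock (the open question in the thread).

```c
/* Added example (not from the patch or the kernel): a user-space model of the
 * put_page()/unlock_page() ordering hazard the patch describes. Pages are never
 * free()d; `freed` stands in for "back in the allocator" so later use shows. */
#include <stdbool.h>

struct page {
    int refcount;   /* the caller's reference plus the page cache's */
    bool locked;    /* stand-in for PG_locked */
    bool freed;     /* set once the last reference is dropped */
};

static void put_page(struct page *p)
{
    if (--p->refcount == 0)
        p->freed = true;    /* last reference gone: page back to the allocator */
}

/* Returns false when the unlock touches an already freed page: in the kernel
 * that would clear the lock bit of whatever the page frame now belongs to. */
static bool unlock_page(struct page *p)
{
    if (p->freed)
        return false;
    p->locked = false;
    return true;
}

/* Tail of the fallocate path before the fix: put_page() before unlock_page().
 * `racing_remove` models another core removing the page from the page cache
 * inside the window (truncate, hole punch, or the POSIX_FADV_DONTNEED path
 * raised in the thread), which drops the cache's reference. */
static bool fallocate_tail_before_fix(bool racing_remove)
{
    struct page pg = { .refcount = 2, .locked = true, .freed = false };
    put_page(&pg);              /* our reference gone; the cache still holds one */
    if (racing_remove)
        put_page(&pg);          /* cache reference dropped: page freed */
    return unlock_page(&pg);    /* unlocks a freed page */
}

/* After the fix: unlock_page() first, then put_page(); the page is still
 * referenced and locked by us at our last touch of it. */
static bool fallocate_tail_after_fix(bool racing_remove)
{
    struct page pg = { .refcount = 2, .locked = true, .freed = false };
    bool ok = unlock_page(&pg);
    put_page(&pg);
    if (racing_remove)
        put_page(&pg);          /* freed now, but never touched again */
    return ok;
}
```

Without a racing removal both orders behave the same, which is why the bug was found by inspection rather than by triggering it; the fixed order is correct regardless of whether the remover holds the page lock.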