Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp2225786ybx; Fri, 8 Nov 2019 01:41:17 -0800 (PST) X-Google-Smtp-Source: APXvYqzyCK+PTMwXzCVTKNDQpZSqrlqgYDitSS9y629C3p532yWT97MiHvnMT+IjIaFBbrY0qE7C X-Received: by 2002:a17:906:2654:: with SMTP id i20mr7682713ejc.163.1573206077272; Fri, 08 Nov 2019 01:41:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573206077; cv=none; d=google.com; s=arc-20160816; b=jFTy3+lxYlaGWncO0QDS2QGeM91VgaXfe4zN2U75rwsrXg7cVl+XNx/l6vEfhuc4kv mAuY2rIlKrSWrglzkpQmXsqwDSx01J8KT7qwbJwIVmwNEktqlJjZ7cfeOLD4Pd0ih3xv oWMpeEUpbDEjEUbzKGEd2uPRgWevfofxBj9VBvqc5jTO1LRF/zG/EpfN9R2mutSJg1eE /ylr8QItAPepN24M3Cu8ehgh8wTpIEspM+SztjUf1tHbxi7EUo895csgFT28AB+UvTet HSr51ZdjwOdwDufj1AvrflXjnCljxgwFgcrEJZwPx27Ola4ENCfpb7B43DTaM2AhEnr5 DM8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=MMdzT+5jrOFF4cEyThQ5EKXhoJm1Jcv4DuBbHcDUnMQ=; b=E1l65VLb+ZtxiNrSLPlD3GBqu/GYHcmC7ECmBXlO6X12hlbZB27IY+CWoo2G1E1ROS 2nMJIM+fuJ2mpuuk/xS5Ic16QfmsNYE2Z0XplflfIKkff3qiwyaIyuNXdxvD3CISfPfa acVmmN4CVePdy1RfdJpzpHMJJm0jNKvIZ7KXZnkSckgvvq7ekQWLMQDuhrF3JWIEP+Vm QbZoJUO+THxRbRCPtKIm8ysm1iM+z2bc0ncUYni6waU0Kqt28R515ZWr66egH747qkBS Rv63i8jjEHPL+HI1lwFpHa2D0rtKTT41Bk0uN6ftwh0ZnNCseWczYMHQbm9xxAXRi7Yl 14Bg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z44si4037114edz.211.2019.11.08.01.40.24; Fri, 08 Nov 2019 01:41:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731501AbfKHJi1 (ORCPT + 99 others); Fri, 8 Nov 2019 04:38:27 -0500 Received: from mx2.suse.de ([195.135.220.15]:39674 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731147AbfKHJi1 (ORCPT ); Fri, 8 Nov 2019 04:38:27 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 99ECAAE61; Fri, 8 Nov 2019 09:38:24 +0000 (UTC) From: Vlastimil Babka To: stable@vger.kernel.org Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Ajay Kaher , Vlastimil Babka , Oscar Salvador , Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Juergen Gross , "Kirill A . Shutemov" , Vitaly Kuznetsov , Linus Torvalds , Borislav Petkov , Dave Hansen , Andy Lutomirski Subject: [PATCH STABLE 4.4 8/8] x86, mm, gup: prevent get_page() race with munmap in paravirt guest Date: Fri, 8 Nov 2019 10:38:14 +0100 Message-Id: <20191108093814.16032-9-vbabka@suse.cz> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191108093814.16032-1-vbabka@suse.cz> References: <20191108093814.16032-1-vbabka@suse.cz> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The x86 version of get_user_pages_fast() relies on disabled interrupts to synchronize gup_pte_range() between gup_get_pte(ptep); and get_page() against a parallel munmap. The munmap side nulls the pte, then flushes TLBs, then releases the page. As TLB flush is done synchronously via IPI disabling interrupts blocks the page release, and get_page(), which assumes existing reference on page, is thus safe. However when TLB flush is done by a hypercall, e.g. in a Xen PV guest, there is no blocking thanks to disabled interrupts, and get_page() can succeed on a page that was already freed or even reused. We have recently seen this happen with our 4.4 and 4.12 based kernels, with userspace (java) that exits a thread, where mm_release() performs a futex_wake() on tsk->clear_child_tid, and another thread in parallel unmaps the page where tsk->clear_child_tid points to. The spurious get_page() succeeds, but futex code immediately releases the page again, while it's already on a freelist. Symptoms include a bad page state warning, general protection faults acessing a poisoned list prev/next pointer in the freelist, or free page pcplists of two cpus joined together in a single list. Oscar has also reproduced this scenario, with a patch inserting delays before the get_page() to make the race window larger. Fix this by removing the dependency on TLB flush interrupts the same way as the generic get_user_pages_fast() code by using page_cache_add_speculative() and revalidating the PTE contents after pinning the page. Mainline is safe since 4.13 where the x86 gup code was removed in favor of the common code. Accessing the page table itself safely also relies on disabled interrupts and TLB flush IPIs that don't happen with hypercalls, which was acknowledged in commit 9e52fc2b50de ("x86/mm: Enable RCU based page table freeing (CONFIG_HAVE_RCU_TABLE_FREE=y)"). That commit with follups should also be backported for full safety, although our reproducer didn't hit a problem without that backport. Reproduced-by: Oscar Salvador Signed-off-by: Vlastimil Babka Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Juergen Gross Cc: Kirill A. Shutemov Cc: Vitaly Kuznetsov Cc: Linus Torvalds Cc: Borislav Petkov Cc: Dave Hansen Cc: Andy Lutomirski Signed-off-by: Vlastimil Babka --- arch/x86/mm/gup.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c index 6612d532e42e..6379a4883c0a 100644 --- a/arch/x86/mm/gup.c +++ b/arch/x86/mm/gup.c @@ -9,6 +9,7 @@ #include #include #include +#include #include @@ -95,10 +96,23 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr, } VM_BUG_ON(!pfn_valid(pte_pfn(pte))); page = pte_page(pte); - if (unlikely(!try_get_page(page))) { + + if (WARN_ON_ONCE(page_ref_count(page) < 0)) { + pte_unmap(ptep); + return 0; + } + + if (!page_cache_get_speculative(page)) { pte_unmap(ptep); return 0; } + + if (unlikely(pte_val(pte) != pte_val(*ptep))) { + put_page(page); + pte_unmap(ptep); + return 0; + } + SetPageReferenced(page); pages[*nr] = page; (*nr)++; -- 2.23.0