Subject: Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding
From: John Hubbard
To: Jason Gunthorpe
CC: Linus Torvalds, Alexander Gordeev, Gerald Schaefer, Dave Hansen, LKML, linux-mm, linux-arch, Andrew Morton, Russell King, Mike Rapoport, Catalin Marinas, Will Deacon, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, Jeff Dike, Richard Weinberger, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Arnd Bergmann, Andrey Ryabinin, linux-x86, linux-arm, linux-power, linux-sparc, linux-um, linux-s390, Vasily Gorbik, Heiko Carstens, Christian Borntraeger, Claudio Imbrenda
Date: Thu, 10 Sep 2020 15:17:55 -0700
Message-ID: <7188221f-37db-9792-4885-d2fa14ff894d@nvidia.com>
In-Reply-To: <20200910221116.GQ87483@ziepe.ca>
References: <20200907180058.64880-2-gerald.schaefer@linux.ibm.com> <0dbc6ec8-45ea-0853-4856-2bc1e661a5a5@intel.com> <20200909142904.00b72921@thinkpad> <20200909192534.442f8984@thinkpad> <20200909180324.GI87483@ziepe.ca> <20200910093925.GB29166@oc3871087118.ibm.com> <20200910181319.GO87483@ziepe.ca> <0c9bcb54-914b-e582-dd6d-3861267b6c94@nvidia.com> <20200910221116.GQ87483@ziepe.ca>
X-Mailing-List: linux-kernel@vger.kernel.org

On 9/10/20 3:11 PM, Jason Gunthorpe wrote:
> On Thu, Sep 10, 2020 at 02:22:37PM -0700, John Hubbard wrote:
>
>> Or am I way off here, and it really is possible (aside from the current
>> s390 situation) to observe something that "is no longer a page table"?
>
> Yes, that is the issue. Remember there is no locking for GUP
> fast. While a page table cannot be freed there is nothing preventing
> the page table entry from being concurrently modified.
>

OK, then we are saying the same thing after all, good.

> Without the stack variable it looks like this:
>
>     pud_t pud = READ_ONCE(*pudp);
>     if (!pud_present(pud))
>         return
>     pmd_offset(pudp, address);
>
> And pmd_offset() expands to
>
>     return (pmd_t *)pud_page_vaddr(*pud) + pmd_index(address);
>
> Between the READ_ONCE(*pudp) and (*pud) inside pmd_offset() the value
> of *pud can change, eg to !pud_present.
>
> Then pud_page_vaddr(*pud) will crash. It is not use after free, it
> is using data that has not been validated.
>

Right, that matches what I had in mind, too: you can still have a problem
even though you're in the same page table. I just wanted to confirm that
there's not some odd way to launch out into completely non-page-table
memory.

thanks,
--
John Hubbard
NVIDIA
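The race Jason describes above, as an added illustration that is not kernel code and not part of this thread: a toy page-table level with a present bit, a lockless walker that snapshots the entry and then computes the next level either by re-reading *pudp (the pmd_offset() shape quoted in the mail) or from the snapshot it already validated, and a hook that clears the entry inside that window to stand in for a concurrent writer. The names pud_t, pud_present(), pud_page_vaddr() and pmd_index() mirror the kernel helpers but are local re-implementations; the bit layout, the address mask, the single static "pmd page" and the racer hook are assumptions made for the example.

```c
/*
 * Added illustration (not kernel code): a lockless walker must derive the
 * next level from the entry it already snapshotted, never from a fresh
 * read of *pudp. All types, bit positions and the racer hook are assumed
 * for this toy and only mirror the shape of the kernel helpers.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PUD_PRESENT   0x1ULL        /* assumed: low bit marks a valid entry */
#define PUD_ADDR_MASK (~0xfffULL)   /* assumed: upper bits hold the pmd page */
#define PMD_ENTRIES   512
#define PMD_SHIFT     21

typedef struct { uint64_t val; } pud_t;
typedef struct { uint64_t val; } pmd_t;

/* The only "pmd page" in this toy; page aligned so PUD_ADDR_MASK keeps it. */
static pmd_t pmd_table[PMD_ENTRIES] __attribute__((aligned(4096)));
static pud_t pud_entry;

/* Snapshot the entry exactly once (the READ_ONCE() in the quoted code). */
static inline pud_t pud_read_once(pud_t *pudp)
{
    pud_t pud = { *(volatile uint64_t *)&pudp->val };
    return pud;
}

static inline bool pud_present(pud_t pud) { return pud.val & PUD_PRESENT; }

/* Integer arithmetic on purpose: a cleared entry yields a bogus address. */
static inline pmd_t *pud_page_vaddr(pud_t pud)
{
    return (pmd_t *)(uintptr_t)(pud.val & PUD_ADDR_MASK);
}

static inline size_t pmd_index(uint64_t addr)
{
    return (addr >> PMD_SHIFT) & (PMD_ENTRIES - 1);
}

/* The pattern Jason quotes: pmd_offset() re-reads *pudp on its own. */
static pmd_t *pmd_offset_rereads(pud_t *pudp, uint64_t addr)
{
    uintptr_t base = (uintptr_t)pud_page_vaddr(*pudp);
    return (pmd_t *)(base + pmd_index(addr) * sizeof(pmd_t));
}

/* The contrast: take the validated snapshot by value. */
static pmd_t *pmd_offset_from_snapshot(pud_t pud, uint64_t addr)
{
    uintptr_t base = (uintptr_t)pud_page_vaddr(pud);
    return (pmd_t *)(base + pmd_index(addr) * sizeof(pmd_t));
}

/* Stand-in for a concurrent writer tearing the entry down (assumed hook). */
typedef void (*racer_fn)(pud_t *pudp);
static void clear_pud(pud_t *pudp) { *(volatile uint64_t *)&pudp->val = 0; }

/*
 * One level of a lockless walk: NULL if the snapshot is not present,
 * otherwise the pmd pointer. `racer`, if set, runs in the window between
 * validating the snapshot and using the entry.
 */
static pmd_t *walk_pud(pud_t *pudp, uint64_t addr, racer_fn racer, bool use_snapshot)
{
    pud_t pud = pud_read_once(pudp);

    if (!pud_present(pud))
        return NULL;
    if (racer)
        racer(pudp);
    return use_snapshot ? pmd_offset_from_snapshot(pud, addr)
                        : pmd_offset_rereads(pudp, addr);
}

/* Did the walker end up inside the only real pmd page? */
static bool points_into_pmd_table(const pmd_t *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)pmd_table && a < (uintptr_t)(pmd_table + PMD_ENTRIES);
}

static void install_pud(pud_t *pudp)
{
    pudp->val = ((uint64_t)(uintptr_t)pmd_table & PUD_ADDR_MASK) | PUD_PRESENT;
}

/* Fresh present entry, one walk of address 2 MiB; true if the result is sane. */
static bool scenario_lands_in_table(bool race, bool use_snapshot)
{
    install_pud(&pud_entry);
    pmd_t *p = walk_pud(&pud_entry, 1ULL << PMD_SHIFT,
                        race ? clear_pud : NULL, use_snapshot);
    return points_into_pmd_table(p);
}

/* An entry that was never present must make the walker bail. */
static bool not_present_bails(void)
{
    pud_entry.val = 0;
    return walk_pud(&pud_entry, 0, NULL, true) == NULL;
}

int main(void)
{
    printf("no race, re-read : %s\n", scenario_lands_in_table(false, false) ? "ok" : "BOGUS");
    printf("race,    snapshot: %s\n", scenario_lands_in_table(true, true) ? "ok" : "BOGUS");
    printf("race,    re-read : %s\n", scenario_lands_in_table(true, false) ? "ok" : "BOGUS");
    return 0;
}
```

Only the "race, re-read" case goes wrong: the snapshot passed pud_present(), the racer then zeroed the entry, and pmd_offset_rereads() computed its base from that zeroed value, so the walker holds an address that was never validated. This is exactly Jason's point: the page table itself was not freed, the entry was just modified under the walker, and the re-read consumed it without a check.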