From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Jason Gunthorpe, Jason Gunthorpe, David Rientjes, Ben Gardon, Michal Hocko, Jérôme Glisse, Andrea Arcangeli, Johannes Weiner, Dimitri Sivanich, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.10 194/221] mm/mmu_notifiers: ensure range_end() is paired with range_start()
Date: Mon, 29 Mar 2021 09:58:45 +0200
Message-Id: <20210329075635.600543100@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>
References: <20210329075629.172032742@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

[ Upstream commit c2655835fd8cabdfe7dab737253de3ffb88da126 ]

If one or more notifiers fails .invalidate_range_start(), invoke
.invalidate_range_end() for "all" notifiers. If there are multiple
notifiers, those that did not fail are expecting _start() and _end() to
be paired, e.g. KVM's mmu_notifier_count would become imbalanced.
Disallow notifiers that can fail _start() from implementing _end() so
that it's unnecessary to either track which notifiers rejected _start(),
or had already succeeded prior to a failed _start().

Note, the existing behavior of calling _start() on all notifiers even
after a previous notifier failed _start() was an unintended "feature".
Make it canon now that the behavior is depended on for correctness.

As of today, the bug is likely benign:

  1. The only caller of the non-blocking notifier is OOM kill.
  2. The only notifiers that can fail _start() are the i915 and Nouveau
     drivers.
  3. The only notifiers that utilize _end() are the SGI UV GRU driver
     and KVM.
  4. The GRU driver will never coincide with the i915/Nouveau drivers.
  5. An imbalanced kvm->mmu_notifier_count only causes soft lockup in the
     _guest_, and the guest is already doomed due to being an OOM victim.

Fix the bug now to play nice with future usage, e.g. KVM has a
potential use case for blocking memslot updates in KVM while an
invalidation is in-progress, and failure to unblock would result in said
updates being blocked indefinitely and hanging.

Found by inspection. Verified by adding a second notifier in KVM that
periodically returns -EAGAIN on non-blockable ranges, triggering OOM,
and observing that KVM exits with an elevated notifier count.

Link: https://lkml.kernel.org/r/20210311180057.1582638-1-seanjc@google.com
Fixes: 93065ac753e4 ("mm, oom: distinguish blockable mode for mmu notifiers")
Signed-off-by: Sean Christopherson Suggested-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Cc: David Rientjes Cc: Ben Gardon Cc: Michal Hocko Cc: "Jérôme Glisse" Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Dimitri Sivanich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- include/linux/mmu_notifier.h | 10 +++++----- mm/mmu_notifier.c | 23 +++++++++++++++++++++++ 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/include/linux/mmu_notifier.h b/include/linux/mmu_notifier.h index b8200782dede..1a6a9eb6d3fa 100644 --- a/include/linux/mmu_notifier.h +++ b/include/linux/mmu_notifier.h @@ -169,11 +169,11 @@ struct mmu_notifier_ops { * the last refcount is dropped. * * If blockable argument is set to false then the callback cannot - * sleep and has to return with -EAGAIN. 0 should be returned - * otherwise. Please note that if invalidate_range_start approves - * a non-blocking behavior then the same applies to - * invalidate_range_end. - * + * sleep and has to return with -EAGAIN if sleeping would be required. + * 0 should be returned otherwise. Please note that notifiers that can + * fail invalidate_range_start are not allowed to implement + * invalidate_range_end, as there is no mechanism for informing the + * notifier that its start failed. */ int (*invalidate_range_start)(struct mmu_notifier *subscription, const struct mmu_notifier_range *range); diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 5654dd19addc..07f42a7a6065 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c 
@@ -501,10 +501,33 @@ static int mn_hlist_invalidate_range_start( ""); WARN_ON(mmu_notifier_range_blockable(range) || _ret != -EAGAIN); + /* + * We call all the notifiers on any EAGAIN, + * there is no way for a notifier to know if + * its start method failed, thus a start that + * does EAGAIN can't also do end. + */ + WARN_ON(ops->invalidate_range_end); ret = _ret; } } } + + if (ret) { + /* + * Must be non-blocking to get here. If there are multiple + * notifiers and one or more failed start, any that succeeded + * start are expecting their end to be called. Do so now. + */ + hlist_for_each_entry_rcu(subscription, &subscriptions->list, + hlist, srcu_read_lock_held(&srcu)) { + if (!subscription->ops->invalidate_range_end) + continue; + + subscription->ops->invalidate_range_end(subscription, + range); + } + } srcu_read_unlock(&srcu, id); return ret; -- 2.30.1
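
Review bot: The rewritten comment on invalidate_range_start in include/linux/mmu_notifier.h states the new restriction but not the calling convention it relies on: after one notifier returns -EAGAIN the remaining notifiers still get their start callback, and every notifier that implements invalidate_range_end then has it called. The commit message makes that behaviour canon, so it deserves a sentence in this header comment, where notifier authors will look, rather than only in the comments added to mm/mmu_notifier.c.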
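
Review bot: The new "if (ret)" block in mn_hlist_invalidate_range_start() is only balanced because the start loop records the failure with "ret = _ret;" and keeps iterating, so every notifier has seen start by the time end is replayed; the comment on the block should state that dependency, since adding an early exit to the start loop later would deliver end to notifiers that never saw start. Separately, "WARN_ON(ops->invalidate_range_end)" only warns: a notifier that trips it is not skipped by the replay loop, so its end callback still runs after its own start failed, and the warning repeats on every failure. Consider WARN_ON_ONCE and a line in the comment saying the offending notifier is still called.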