Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Tue, 6 Dec 2022 19:07:43 -0500
From:   Peter Xu <peterx@redhat.com>
To:     John Hubbard <jhubbard@nvidia.com>
Cc:     Mike Kravetz <mike.kravetz@oracle.com>, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org,
        James Houghton <jthoughton@google.com>,
        Jann Horn <jannh@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Rik van Riel <riel@surriel.com>,
        Nadav Amit <nadav.amit@gmail.com>,
        Miaohe Lin <linmiaohe@huawei.com>,
        Muchun Song <songmuchun@bytedance.com>,
        David Hildenbrand <david@redhat.com>
Subject: Re: [PATCH 08/10] mm/hugetlb: Make walk_hugetlb_range() safe to pmd
 unshare
Message-ID: <Y4/ZT3ab9TL1j5TL@x1n>
References: <20221129193526.3588187-1-peterx@redhat.com>
 <20221129193526.3588187-9-peterx@redhat.com>
 <Y45/5ezH6uwn7Cfy@monkey>
 <0813b9ed-3c92-088c-4fb9-45fb648c6e73@nvidia.com>
 <Y49xlV8I2/92Flha@x1n>
 <97e3a8f2-df75-306e-2edf-85976c168955@nvidia.com>
 <Y4+5R+nh0W0RUX9R@x1n>
 <c5d839da-cb7e-e887-11a6-30ccd1c3c845@nvidia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <c5d839da-cb7e-e887-11a6-30ccd1c3c845@nvidia.com>
Precedence: bulk

On Tue, Dec 06, 2022 at 02:31:30PM -0800, John Hubbard wrote:
> On 12/6/22 13:51, Peter Xu wrote:
> > On Tue, Dec 06, 2022 at 01:03:45PM -0800, John Hubbard wrote:
> > > On 12/6/22 08:45, Peter Xu wrote:
> > > > I've got a fixup attached.  John, since this got your attention please also
> > > > have a look too in case there's further issues.
> > > > 
> > > 
> > > Well, one question: Normally, the pattern of "release_lock(A); call f();
> > > acquire_lock(A);" is tricky, because one must revalidate that the state
> > > protected by A has not changed while the lock was released. However, in
> > > this case, it's letting page fault handling proceed, which already
> > > assumes that pages might be gone, so generally that seems OK.
> > 
> > Yes it's tricky, but not as tricky in this case.
> > 
> > I hope my documentation supplemented that (in the fixup patch):
> > 
> > + * @hugetlb_entry:     if set, called for each hugetlb entry.  Note that
> > + *                     currently the hook function is protected by hugetlb
> > + *                     vma lock to make sure pte_t* and the spinlock is valid
> > + *                     to access.  If the hook function needs to yield the

[1]

> 
> So far so good...
> 
> > + *                     thread or retake the vma lock for some reason, it
> > + *                     needs to properly release the vma lock manually,
> > + *                     and retake it before the function returns.
> 
> ...but you can actually delete this second sentence. It does not add
> any real information--clearly, if you must drop the lock, then you must
> "manually" drop the lock.
> 
> And it still ignores my original question, which I don't think I've
> fully communicated. Basically, what can happen to the protected data
> during the time when the lock is not held?

I thought I answered this one at [1] above.  If not, I can extend the
answer.

What can happen is some thread can firstly unshare the pmd pgtable page
(e.g. by clearing the PUD entry in current mm), then release the pmd
pgtable page (e.g. by unmapping it) even if current thread is still
accessing it.  It will cause use-after-free on the pmd pgtable page on this
thread in various ways.

One way to trigger this is when the current thread tries to take the
pgtable lock and it'll trigger warning like the call stack referenced in
the cover letter of this series:

https://lore.kernel.org/r/20221129193526.3588187-1-peterx@redhat.com

Please also feel free to read the reproducer attached in the cover letter,
it has details on how this can trigger (even though it's so hard to trigger
so I added a delay in the kernel to make it trigger).  The idea should be
the same.

> 
> > 
> > The vma lock here makes sure the pte_t and the pgtable spinlock being
> > stable.  Without the lock, they're prone to be freed in parallel.
> > 
> 
> Yes, but think about this: if the vma lock protects against the pte
> going away, then:
> 
> lock()
>    get a pte
> unlock()
> 
> ...let hmm_vma_fault() cond_resched() run...
> 
> lock()
>    ...whoops, something else release the pte that I'd previously
>    retrieved.

Here the pte_t* is never referenced again after hugetlb_entry() returned.

The loop looks like:

	do {
		next = hugetlb_entry_end(h, addr, end);
		pte = hugetlb_walk(vma, addr & hmask, sz);
		if (pte)
			err = ops->hugetlb_entry(pte, hmask, addr, next, walk);
		else if (ops->pte_hole)
			err = ops->pte_hole(addr, next, -1, walk);
		if (err)
			break;
	} while (addr = next, addr != end);

After hugetlb_entry() returned, we'll _never_ touch that pte again we got
from either huge_pte_offset() or hugetlb_walk() after this patchset
applied.

If we touch it, it's a potential bug as you mentioned.  But we didn't.

Hope it explains.

> 
> > > 
> > > However, I'm lagging behind on understanding what the vma lock actually
> > > protects. It seems to be a hugetlb-specific protection for concurrent
> > > freeing of the page tables?
> > 
> > Not exactly freeing, but unsharing.  Mike probably has more to say.  The
> > series is here:
> > 
> > https://lore.kernel.org/all/20220914221810.95771-1-mike.kravetz@oracle.com/#t
> > 
> > > If so, then running a page fault handler seems safe. If there's something
> > > else it protects, then we might need to revalidate that after
> > > re-acquiring the vma lock.
> > 
> > Nothing to validate here.  The only reason to take the vma lock is to match
> > with the caller who assumes the lock taken, so either it'll be released
> > very soon or it prepares for the next hugetlb pgtable walk (huge_pte_offset).
> > 
> 
> ummm, see above. :)
> 
> > > 
> > > Also, scattering hugetlb-specific locks throughout mm seems like an
> > > unfortuate thing, I wonder if there is a longer term plan to Not Do
> > > That?
> > 
> > So far HMM is really the only one - normally hugetlb_entry() hook is pretty
> > light, so not really throughout the whole mm yet.  It's even not urgently
> > needed for the other two places calling cond_sched(), I added it mostly
> > just for completeness, and with the slight hope that maybe we can yield
> > earlier for some pmd unsharers.
> > 
> > But yes it's unfortunate, I just didn't come up with a good solution.
> > Suggestion is always welcomed.
> > 
> 
> I guess it's on me to think of something cleaner, so if I do I'll pipe
> up. :)

That'll be very much appricated.

It's really that I don't know how to make this better, or I can rework the
series as long as it hasn't land upstream.

Thanks,

-- 
Peter Xu