Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <808b9d4a-1b01-be64-00ce-001930540de9@redhat.com>
Date:   Wed, 22 Mar 2023 12:42:01 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.0
Content-Language: en-US
To:     Zach O'Keefe <zokeefe@google.com>
Cc:     linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        linux-kselftest@vger.kernel.org,
        Andrew Morton <akpm@linux-foundation.org>,
        Shuah Khan <shuah@kernel.org>, Hugh Dickins <hughd@google.com>,
        Peter Xu <peterx@redhat.com>, Vlastimil Babka <vbabka@suse.cz>,
        Nadav Amit <nadav.amit@gmail.com>,
        Andrea Arcangeli <aarcange@redhat.com>
References: <20230104144905.460075-1-david@redhat.com>
 <CAAa6QmSZTQ6=oxsTvCLoaFMcpamkNa7wY6VkDoipRTDAo5JhoQ@mail.gmail.com>
From:   David Hildenbrand <david@redhat.com>
Organization: Red Hat
Subject: Re: [PATCH mm-unstable v1] selftests/vm: cow: Add COW tests for
 collapsing of PTE-mapped anon THP
In-Reply-To: <CAAa6QmSZTQ6=oxsTvCLoaFMcpamkNa7wY6VkDoipRTDAo5JhoQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Precedence: bulk

On 16.03.23 00:28, Zach O'Keefe wrote:
>>
>> Currently, anonymous PTE-mapped THPs cannot be collapsed in-place:
>> collapsing (e.g., via MADV_COLLAPSE) implies allocating a fresh THP and
>> mapping that new THP via a PMD: as it's a fresh anon THP, it will get the
>> exclusive flag set on the head page and everybody is happy.
>>
>> However, if the kernel would ever support in-place collapse of anonymous
>> THPs (replacing a page table mapping each sub-page of a THP via PTEs with a
>> single PMD mapping the complete THP), exclusivity information stored for
>> each sub-page would have to be collapsed accordingly:
>>
>> (1) All PTEs map !exclusive anon sub-pages: the in-place collapsed THP
>>      must not not have the exclusive flag set on the head page mapped by
>>      the PMD. This is the easiest case to handle ("simply don't set any
>>      exclusive flags").
>>
>> (2) All PTEs map exclusive anon sub-pages: when collapsing, we have to
>>      clear the exclusive flag from all tail pages and only leave the
>>      exclusive flag set for the head page. Otherwise, fork() after
>>      collapse would not clear the exclusive flags from the tail pages
>>      and we'd be in trouble once PTE-mapping the shared THP when writing
>>      to shared tail pages that still have the exclusive flag set. This
>>      would effectively revert what the PTE-mapping code does when
>>      propagating the exclusive flag to all sub-pages.
>>
>> (3) PTEs map a mixture of exclusive and !exclusive anon sub-pages (can
>>      happen e.g., due to MADV_DONTFORK before fork()). We must not
>>      collapse the THP in-place, otherwise bad things may happen:
>>      the exclusive flags of sub-pages would get ignored and the
>>      exclusive flag of the head page would get used instead.
>>
>> Now that we have MADV_COLLAPSE in place to trigger collapsing a THP,
>> let's add some test cases that would bail out early, if we'd
>> voluntarily/accidantially unlock in-place collapse for anon THPs and
>> forget about taking proper care of exclusive flags.
> 
> Hey David,
> 
> Sorry for the (very) delayed review. As our helpful syncs offline, I'm in a
> better place to understand the intent of these tests.

Thanks for the review and sorry for the late reply!

> 
> On Wed, Jan 4, 2023 at 6:49 AM David Hildenbrand <david@redhat.com> wrote:
> 
>> Running the test on a kernel with MADV_COLLAPSE support:
>>    # [INFO] Anonymous THP tests
>>    # [RUN] Basic COW after fork() when collapsing before fork()
>>    ok 169 No leak from parent into child
>>    # [RUN] Basic COW after fork() when collapsing after fork() (fully shared)
>>    ok 170 # SKIP MADV_COLLAPSE failed: Invalid argument
>>    # [RUN] Basic COW after fork() when collapsing after fork() (lower shared)
>>    ok 171 No leak from parent into child
>>    # [RUN] Basic COW after fork() when collapsing after fork() (upper shared)
>>    ok 172 No leak from parent into child
>>
>> For now, MADV_COLLAPSE always seems to fail if all PTEs map shared
>> sub-pages.
> 
> Thanks for pointing this out. I have had a TODO / pending patch to verify this
> for awhile. It seems this is due to some old requirement of requiring a single
> writeable pte. I don't know this history well here, but I don't think it's

Interesting. A single writable PTE would indicate that at least some 
part of the range is exclusive (!shared) without looking at mapcounts. 
But of course, it's an unreliable check.

> required anymore, and, as this test shows, prevents collapse of
> pte-mapped-hugepage shared across fork().

[...]

>>
>> +#ifndef MADV_COLLAPSE
>> +#define MADV_COLLAPSE 25
>> +#endif
>> +
>>   static size_t pagesize;
>>   static int pagemap_fd;
>>   static size_t thpsize;
>> @@ -1178,6 +1182,228 @@ static int tests_per_anon_test_case(void)
>>          return tests;
>>   }
>>
>> +enum anon_thp_collapse_test {
>> +       ANON_THP_COLLAPSE_UNSHARED,
> 
> OK, so this test checks case 2: we see all PG_anon_exclusive, and need to make
> sure we clear the bit on tails. Had we not, after fork(), the bit would still be
> set on tails (since copy_huge_pmd() -> page_try_dup_anon_rmap() only clears it
> on head), and so write to said tails would go through after wp fault, and since
> collapse was in-place, this leaks data from parent to child.
> 
>> +       ANON_THP_COLLAPSE_FULLY_SHARED,
> 
> This checks case 1: we see all !PG_anon_exclusive, we aught to set the flag on
> head page in parent, after fork(). Had we not, subsequent write will be allowed
> to go through after wp fault and hit backing page -- which, since collapse was
> in-place, is same as child, leaking data.
> 
>> +       ANON_THP_COLLAPSE_LOWER_SHARED,
>> +       ANON_THP_COLLAPSE_UPPER_SHARED,
> 
> IIUC, this check only partially tests case 3. Had we introduced a bug where we
> set PG_anon_exclusive on the head in this mixed-case, it's very similar to
> ANON_THP_COLLAPSE_FULLY_SHARED.
> 
> However, if we decided to still attempt in-place collapse, and cleared the bit
> in the parent, then the write here will be CoW'd and we won't see data leak
> into the child. In order for problems to occur, we'd need something to trip
> the improper CoW. The example you've shared with me was a io_uring fixed buffer
> mapping the non-shared pages, which, after CoW, would disagree.
> 
> That said, I'm not sure the extra work required to catch this case is worth the
> effort.

Yes, just like most tests, covering all corner cases takes a lot of 
effort and is probably not worth it. Wiring up io_uring (also used in 
the file already for these purposes) would be possible, however the 
initial tests are really more targeted at "bail out early" and to catch 
the obvious things one might miss when collapsing THP.

IOW: when people ignore exclusivity information when collapsing; the 
failing tests would directly tell you what needs to be done: better not 
mess with case #3. So IMHO, the basic tests for #3 are sufficient to 
express "see, you did it wrong: better be careful".

There are scenarios where we could handle #3: for example, if we're the 
only one mapping all sub-pages of a THP and there are no other 
references (i.e., page_count() == 512), we could collapse and mark the 
head page exclusive (clearing the marker from any tail pages). Once we 
really want to optimize these cases, we can add more such tests.

-- 
Thanks,

David / dhildenb