Received: by 10.223.164.202 with SMTP id h10csp3872255wrb;
        Tue, 28 Nov 2017 19:23:44 -0800 (PST)
X-Google-Smtp-Source: AGs4zMYCNY83pn3Iprfe9qTyPClRt6rjA039o6ggfNqtODIVvnpqigPOzmEW6+sJM9rz+2LDImBT
X-Received: by 10.84.218.193 with SMTP id g1mr1435898plm.63.1511925824320;
        Tue, 28 Nov 2017 19:23:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511925824; cv=none;
        d=google.com; s=arc-20160816;
        b=c/Xh4AGwmnQAaf+fjaYmMzkI8wHbNACSZR6lav6KbKVjEIoyV3ZhkYUDx5UqyIYwK6
         eVO11SpzFaHr11fE3y7UeWZMOGe8J7Ps/dFUcHyTzISducsbrWDSxi9MONrNI7/pPzOL
         O7aMnb1QehAiPMAPu70oAFWxggwqpaMLAvnHo3F0QKvjyDLDeEGF+KzQbxvQ81QYcl1J
         +NwZz3QLT4Q69snac0NvLODylMvSMH3O2qzEViJu/XHC/NtlTO56IkrQ8yFodWMt2oc7
         usDpdb7kvQRlAH3Mzsoec1YBTeOhrqncV1ut3w+wxFOSXnq13MIIcmA9r0jy5kzvO1R/
         BtfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:arc-authentication-results;
        bh=/Tms6aWHVskv7N3b82VGrMoYdgu5LDKLEaE9BwaZm7c=;
        b=MN6LxLImDed4euZghtvr8lLAyZYoKWJ9kNnt6BV0vu4Gq6pRlZFzxu0p520HR/2Ung
         junySw+hEdsBPDFVqvUPYTRCm3O34ktSPzjxD4YEvCIBRBy0DgTSKJ1DjzhWm1LYUiyK
         I/+tS0pQEwN67wOfeTP6F+JJ+L2O2MfDM0+XdWK7uDlNt1qqSyes0p7TntZeGmT6lkio
         w4GNx3n/Gl8kR2zukVob/Pid2ppami1ViN6tSxZEz1+opsPs3gn6yAAd+IXS8EhXRfrj
         /HXMFbRV0F7BHC3YP+wKrAomHbM5FcamH1jgtbGXOG9nm26au1xRvk4RLfO+3X137SI8
         ij5g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v4si389245plo.831.2017.11.28.19.23.33;
        Tue, 28 Nov 2017 19:23:44 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752342AbdK2DWz (ORCPT <rfc822;c14006078@gmail.com> + 71 others);
        Tue, 28 Nov 2017 22:22:55 -0500
Received: from userp1040.oracle.com ([156.151.31.81]:26881 "EHLO
        userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751368AbdK2DWy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Nov 2017 22:22:54 -0500
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71])
        by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id vAT3Mjnc005959
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 29 Nov 2017 03:22:45 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
        by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id vAT3MjsR024502
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Wed, 29 Nov 2017 03:22:45 GMT
Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16])
        by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id vAT3Mi5X018281;
        Wed, 29 Nov 2017 03:22:44 GMT
Received: from [192.168.1.164] (/98.246.252.205)
        by default (Oracle Beehive Gateway v4.0)
        with ESMTP ; Tue, 28 Nov 2017 19:22:44 -0800
Subject: Re: [PATCH] hugetlbfs: change put_page/unlock_page order in
 hugetlbfs_fallocate()
To:     Eric Biggers <ebiggers3@gmail.com>, Nadav Amit <namit@vmware.com>
Cc:     Nadia Yvette Chambers <nyc@holomorphy.com>,
        linux-kernel@vger.kernel.org, Nadav Amit <nadav.amit@gmail.com>,
        Michal Hocko <mhocko@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>
References: <20170826210905.GA21712@zzz.localdomain>
 <20170826191124.51642-1-namit@vmware.com>
 <20171129023747.GB24001@zzz.localdomain>
From:   Mike Kravetz <mike.kravetz@oracle.com>
Message-ID: <856db20b-79bb-c584-63a6-19df24ac2d95@oracle.com>
Date:   Tue, 28 Nov 2017 19:22:42 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171129023747.GB24001@zzz.localdomain>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[CC Andrew, Michal]

On 11/28/2017 06:37 PM, Eric Biggers wrote:
> On Sat, Aug 26, 2017 at 12:11:24PM -0700, Nadav Amit wrote:
>> hugetlfs_fallocate() currently performs put_page() before unlock_page().
>> This scenario opens a small time window, from the time the page is added
>> to the page cache, until it is unlocked, in which the page might be
>> removed from the page-cache by another core. If the page is removed
>> during this time windows, it might cause a memory corruption, as the
>> wrong page will be unlocked.
>>
>> It is arguable whether this scenario can happen in a real system, and
>> there are several mitigating factors. The issue was found by code
>> inspection (actually grep), and not by actually triggering the flow.
>> Yet, since putting the page before unlocking is incorrect it should be
>> fixed, if only to prevent future breakage or someone copy-pasting this
>> code.
>>
>> Fixes: 70c3547e36f5c ("hugetlbfs: add hugetlbfs_fallocate()")
>>
>> cc: Eric Biggers <ebiggers3@gmail.com>
>> cc: Mike Kravetz <mike.kravetz@oracle.com>
>>
>> Signed-off-by: Nadav Amit <namit@vmware.com>
>> ---
>>  fs/hugetlbfs/inode.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
>> index 28d2753be094..9475fee79cee 100644
>> --- a/fs/hugetlbfs/inode.c
>> +++ b/fs/hugetlbfs/inode.c
>> @@ -655,11 +655,11 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
>>  		mutex_unlock(&hugetlb_fault_mutex_table[hash]);
>>  
>>  		/*
>> -		 * page_put due to reference from alloc_huge_page()
>>  		 * unlock_page because locked by add_to_page_cache()
>> +		 * page_put due to reference from alloc_huge_page()
>>  		 */
>> -		put_page(page);
>>  		unlock_page(page);
>> +		put_page(page);
>>  	}
>>  
>>  	if (!(mode & FALLOC_FL_KEEP_SIZE) && offset + len > inode->i_size)
>> -- 
> 
> This patch wasn't ever applied.  Nadia, do you take patches for hugetlbfs, or
> does this need to go through Andrew Morton?
> 
> Eric

Nadia has not been active for some time on hugetlbfs, so best to go through
Andrew.  Added Andrew and Michal on CC.

This patch has a:
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>

I am still of the opinion that this does not need to be sent to stable.
Although the ordering is current code is incorrect, there is no way for
this to be a problem with current locking.   In addition, I verified
that the perhaps bigger issue with sys_fadvise64(POSIX_FADV_DONTNEED)
for hugetlbfs and other filesystems is addressed in commit 3a77d214807c.
-- 
Mike Kravetz

From 1585366376880266776@xxx Wed Nov 29 02:39:55 +0000 2017
X-GM-THRID: 1576849154661183388
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread