Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1150817lqm; Thu, 2 May 2024 06:48:24 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUSKV5II6v4sNqibpCbShSXIuFdqCCKPFbFnuJ5TiEPNwTIiB7SJ68pVSTkybx6HNtnIOsjUOc4OBy9zvDULNxNLqWmSMDYstyTV19BHA== X-Google-Smtp-Source: AGHT+IFGykw3CTqovEk++goBICYAU0cKNth0dLmRj9gegFWL0ET6bH9BI0/YnOafbKWzhdeHS/xM X-Received: by 2002:a17:902:c40a:b0:1e4:2451:c2b5 with SMTP id k10-20020a170902c40a00b001e42451c2b5mr6301413plk.13.1714657704534; Thu, 02 May 2024 06:48:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714657704; cv=pass; d=google.com; s=arc-20160816; b=RkZIut3Ty8ndVHAj1nVVnq4/QvKjaFi9kKjZrYQAQJoCb1mfWYsYiAG7TsSOYcDuUO bSo7zUEzlbzr/iELXYdgEGVkJf9jhYY3Zzd8bATg5jlCIigo21B+cIgztjjsoohmFCPr FyK9mPA46J9EYpbaz9YfA6shO06aQlIRAjYKFaeUjtyootbFriGTI5qbmKWis9P9WicH kHv7aNOSbYyOxvvBzWveJ0dwhJDILI8ALgUqh6Qt/X7ITd9cObsiOQAte6kOm/ca49NQ CLJxL7tmwMQCdkCUBxllcFBlhcYXVPSM/p0vDPDeRCKuiCJhqLnqB9q4WW3ThcTLhaRP 0lMg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id; bh=zz5RaZl9k154TDIXcj/FWxczbnfO8VXEFFPMSfS5LqA=; fh=4CxHTIMfWkQvTT8wlT2HjaHOyCO6DeT8gA/I++IlIPc=; b=ns/5bqCTSAzolhwYsnKp0c7/+FMvSovoIH8KEpOW9WIdLlV5+SdFfj+S4/WCcft5j9 VBmEbymaJndqw6rGZ/it45ZzmQpDzA2kduU1qqhpYB2vZH/yBp6F6AXgGlMBYkw1pKOM q2lANgs0CTlGnEJD+z9P5Rdzp9DBvwT6jv1KWXepwmjVfPUJzmyuwkMS7T55K8SzMI1m XsdoEW9mgqJlUQTjwDL3UHg9OOYZFwDAUsLbK2Sp4S+hEw4N1oLhyoF53nzqBSANCEbr KZ8WWpVu38BJjC3Kzfn3SPkVAIELGo54qjkMH+FQ4W0z6GvtdsBsx6vVnwYmZNlBkhrN FB9A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-166528-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-166528-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id p11-20020a170902e74b00b001ec9b4f7ab4si1050235plf.30.2024.05.02.06.48.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 May 2024 06:48:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-166528-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-166528-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-166528-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 3842AB22266 for ; Thu, 2 May 2024 13:47:22 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 96C1F13C681; Thu, 2 May 2024 13:47:14 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 03C6412DDBF; Thu, 2 May 2024 13:47:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714657634; cv=none; b=et6hXQxDb1yaYh9tTgqc1GuE0QX5x46S+Y1lT13bohDSwnukCYMEl9+rKldu+OuYGJLmhi14BSKdKgDhEg1Ar53y69g7c7HX5a8afk8LSrjkKv/+n7ywt++nVh8F13lN8Fqx7BbDiEt9Lb79BJ5qNXAMxmHP6lEm2p1HpkUT2BE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714657634; c=relaxed/simple; bh=fBzUvqjwf3rMXOX/TEUF7dBRHEWsyfdKpPRDIqtC7V4=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Tlyo8JZXEWknXybs4HLUW86+4IqDFe+cEh9qRw5hVEHeHyFBpj6W7cHt7vWh7w0x6Y8gpkG02haWNc2pCM0t9M3X0SdhmSrSc+dhUUleJF5Pu3OQORHbljqTCThkXkZCRMbBUdfAQdVtJMfy7a0/pZgIdycU1dTq4zAE1VcOGAw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C48D92F4; Thu, 2 May 2024 06:47:36 -0700 (PDT) Received: from [10.1.37.181] (XHFQ2J9959.cambridge.arm.com [10.1.37.181]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 11C9D3F73F; Thu, 2 May 2024 06:47:06 -0700 (PDT) Message-ID: <60739cf6-42ff-44c7-8e33-6c42eed71a66@arm.com> Date: Thu, 2 May 2024 14:47:05 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast Content-Language: en-GB To: David Hildenbrand , Andrew Morton , Catalin Marinas , Will Deacon , Mark Rutland , Anshuman Khandual , Zi Yan , "Aneesh Kumar K.V" , Jonathan Corbet , Nicholas Piggin , Christophe Leroy , "Naveen N. Rao" , Christian Borntraeger , Sven Schnelle , "David S. Miller" , Andreas Larsson , Dave Hansen , Andy Lutomirski , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov Cc: linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Felix Kuehling References: <20240501143310.1381675-1-ryan.roberts@arm.com> <3d88297b-ce6f-4b97-8a25-75f0987af6fd@redhat.com> From: Ryan Roberts In-Reply-To: <3d88297b-ce6f-4b97-8a25-75f0987af6fd@redhat.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 02/05/2024 14:08, David Hildenbrand wrote: > On 01.05.24 16:33, Ryan Roberts wrote: >> __split_huge_pmd_locked() can be called for a present THP, devmap or >> (non-present) migration entry. It calls pmdp_invalidate() >> unconditionally on the pmdp and only determines if it is present or not >> based on the returned old pmd. This is a problem for the migration entry >> case because pmd_mkinvalid(), called by pmdp_invalidate() must only be >> called for a present pmd. >> >> On arm64 at least, pmd_mkinvalid() will mark the pmd such that any >> future call to pmd_present() will return true. And therefore any >> lockless pgtable walker could see the migration entry pmd in this state >> and start interpretting the fields as if it were present, leading to >> BadThings (TM). GUP-fast appears to be one such lockless pgtable walker. >> >> x86 does not suffer the above problem, but instead pmd_mkinvalid() will >> corrupt the offset field of the swap entry within the swap pte. See link >> below for discussion of that problem. > > Could that explain: > > https://lore.kernel.org/all/YjoGbhreg8lGCGIJ@linutronix.de/ > > Where the PFN of a migration entry might have been corrupted? Ahh interesting! Yes, it seems to fit... > > Ccing Felix Are you able to reliably reproduce the bug, Felix? If so, would you mind trying with this patch to see if it goes away? > > > Patch itself looks good to me > > Acked-by: David Hildenbrand Thanks!