Date: Tue, 22 Nov 2022 11:11:14 +0000
From: Mark Rutland
To: Will Deacon
Cc: Anshuman Khandual, linux-arm-kernel@lists.infradead.org, catalin.marinas@arm.com, Andrew Morton, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] arm64/mm: Intercept pfn changes in set_pte_at()

On Tue, Nov 22, 2022 at 09:57:49AM +0000, Will Deacon wrote:
> On Tue, Nov 22, 2022 at 01:43:17PM +0530, Anshuman Khandual wrote:
> >
> >
> > On 11/18/22 19:43, Will Deacon wrote:
> > > On Wed, Nov 16, 2022 at 08:40:01AM +0530, Anshuman Khandual wrote:
> > >> Changing pfn on a user page table mapped entry, without first going through
> > >> break-before-make (BBM) procedure is unsafe. This just updates set_pte_at()
> > >> to intercept such changes, via an updated pgattr_change_is_safe(). This new
> > >> check happens via __check_racy_pte_update(), which has now been renamed as
> > >> __check_safe_pte_update().
> > >>
> > >> Cc: Catalin Marinas
> > >> Cc: Will Deacon
> > >> Cc: Mark Rutland
> > >> Cc: Andrew Morton
> > >> Cc: linux-arm-kernel@lists.infradead.org
> > >> Cc: linux-kernel@vger.kernel.org
> > >> Signed-off-by: Anshuman Khandual
> > >> ---
> > >> This applies on v6.1-rc4
> > >>
> > >>  arch/arm64/include/asm/pgtable.h | 8 ++++++--
> > >>  arch/arm64/mm/mmu.c              | 8 +++++++-
> > >>  2 files changed, 13 insertions(+), 3 deletions(-)
> > >
> > > I remember Mark saying that BBM is sometimes violated by the core code in
> > > cases where the pte isn't actually part of a live pgtable (e.g. if it's on
> > > the stack or part of a newly allocated table). Won't that cause false
> > > positives here?
> >
> > Could you please elaborate? If the pte is not on a live page table, then
> > pte_valid() will return negative on such entries. So any update there will
> > be safe. I am wondering, how this change will cause false positives which
> > would not have been possible earlier.
>
> I don't think pte_valid() will always return false for these entries.
> Consider, for example, ptes which are valid but which live in a table that
> is not reachable by the MMU. I think this is what Mark had in mind, but it
> would be helpful if he could chime in with the specific example he ran into.

Yup -- that was the case I had in mind.

IIRC I hit that in the past when trying to do something similar, but I can't
recall exactly where that was. I suspect that was probably to do with page
migration or huge page splitting/merging.

Looking around, at least __split_huge_zero_page_pmd() and
__split_huge_pmd_locked() do something like that, creating a temporary pmd
entry on the stack, populating a table of non-live but valid ptes, then
plumbing it into the real pmd.

We'd need to check that there aren't other cases like that.

Thanks,
Mark.
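
A simplified user-space model of the point Will and Mark raise above, added here as an illustration and not taken from the patch or the kernel: a check that compares only the old and new pte values cannot tell a live table from one the MMU cannot reach. The `struct table`, its `live` flag, the `model_*` functions and the bit layout are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: bit 0 = valid, pfn starts at bit 12. */
typedef uint64_t pte_t;
#define PTE_VALID ((pte_t)1)
#define PFN_SHIFT 12
#define PFN_MASK  (((pte_t)1 << 36) - 1)

static pte_t mk_pte(uint64_t pfn) { return ((pfn & PFN_MASK) << PFN_SHIFT) | PTE_VALID; }
static bool pte_valid(pte_t p) { return (p & PTE_VALID) != 0; }
static uint64_t pte_pfn(pte_t p) { return (p >> PFN_SHIFT) & PFN_MASK; }

/* Hypothetical table; 'live' is ground truth (reachable by the MMU or not)
 * that the value-only check below never gets to see. */
struct table { pte_t pte[4]; bool live; };

/* Value-only check: a valid -> valid update that changes the pfn is flagged. */
static bool pfn_change_flagged(pte_t old, pte_t newval)
{
    return pte_valid(old) && pte_valid(newval) && pte_pfn(old) != pte_pfn(newval);
}

enum verdict { OK, TRUE_POSITIVE, FALSE_POSITIVE };

/* Model of a checked pte write; classifies any warning using 'live'. */
static enum verdict model_set_pte(struct table *t, int i, pte_t newval)
{
    bool flagged = pfn_change_flagged(t->pte[i], newval);
    t->pte[i] = newval;
    if (!flagged)
        return OK;
    return t->live ? TRUE_POSITIVE : FALSE_POSITIVE;
}

/* Break-before-make: write an invalid entry first (the TLB invalidation
 * would go between the two writes), then install the new mapping. */
static enum verdict model_bbm_update(struct table *t, int i, pte_t newval)
{
    model_set_pte(t, i, 0);
    return model_set_pte(t, i, newval);
}

int main(void)
{
    struct table live = { .pte = { mk_pte(0x100) }, .live = true };
    struct table scratch = { .pte = { mk_pte(0x100) }, .live = false };
    printf("live, no BBM:    %d\n", model_set_pte(&live, 0, mk_pte(0x200)));
    printf("non-live table:  %d\n", model_set_pte(&scratch, 0, mk_pte(0x200)));
    printf("live, with BBM:  %d\n", model_bbm_update(&live, 0, mk_pte(0x300)));
    return 0;
}
```

The non-live case is flagged exactly like the live one because `pte_valid()` is true in both; separating them needs information beyond the two pte values.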