Date: Wed, 12 Feb 2020 01:40:38 +0300
From: "Kirill A. Shutemov"
To: Jeff Moyer
Cc: Jia He, Catalin Marinas, "Kirill A. Shutemov", linux-mm@kvack.org
Subject: Re: bug: data corruption introduced by commit 83d116c53058 ("mm: fix double page fault on arm64 if PTE_AF is cleared")
Message-ID: <20200211224038.4u6au5jwki7lofpq@box>
References: <20200211145158.5wt7nepe3flx25bj@box>

On Tue, Feb 11, 2020 at 11:27:36AM -0500, Jeff Moyer wrote:
> > The real solution would be to retry __copy_from_user_inatomic() under ptl
> > if the first attempt fails. I expect it to be ugly.
>
> So long as it's correct. :)

The first attempt at the real solution is below. Yeah, this is ugly.
Any suggestion on clearing up this mess is welcome.

Jeff, could you give it a try?

diff --git a/mm/memory.c b/mm/memory.c index 0bccc622e482..e8bfdf0d9d1d 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2257,7 +2257,7 @@ static inline bool cow_user_page(struct page *dst, struct page *src, bool ret; void *kaddr; void __user *uaddr; - bool force_mkyoung; + bool locked = false; struct vm_area_struct *vma = vmf->vma; struct mm_struct *mm = vma->vm_mm; unsigned long addr = vmf->address; 
@@ -2282,11 +2282,11 @@ static inline bool cow_user_page(struct page *dst, struct page *src, * On architectures with software "accessed" bits, we would * take a double page fault, so mark it accessed here. */ - force_mkyoung = arch_faults_on_old_pte() && !pte_young(vmf->orig_pte); - if (force_mkyoung) { + if (arch_faults_on_old_pte() && !pte_young(vmf->orig_pte)) { pte_t entry; vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl); + locked = true; if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) { /* * Other thread has already handled the fault @@ -2310,18 +2310,37 @@ static inline bool cow_user_page(struct page *dst, struct page *src, * zeroes. */ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { + if (locked) + goto warn; + + /* Re-validate under PTL if the page is still mapped */ + vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl); + locked = true; + if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) { + /* The PTE changed under us. Retry page fault. */ + ret = false; + goto pte_unlock; + } + /* - * Give a warn in case there can be some obscure - * use-case + * The same page can be mapped back since last copy attampt. + * Try to copy again under PTL. */ - WARN_ON_ONCE(1); - clear_page(kaddr); + if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { + /* + * Give a warn in case there can be some obscure + * use-case + */ +warn: + WARN_ON_ONCE(1); + clear_page(kaddr); + } } ret = true; pte_unlock: - if (force_mkyoung) + if (locked) pte_unmap_unlock(vmf->pte, vmf->ptl); kunmap_atomic(kaddr); flush_dcache_page(dst); -- Kirill A. Shutemov
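Review bot: in the `@@ -2282` hunk, `locked` now carries two facts at once: that the PTL is held and that `vmf->pte` was mapped by `pte_offset_map_lock()`, and the `pte_unlock:` cleanup depends on that pairing when it calls `pte_unmap_unlock(vmf->pte, vmf->ptl)`. A short comment at the declaration, along the lines of `bool locked = false; /* PTL held and vmf->pte mapped */`, would keep a later change from setting the flag without mapping the PTE or the other way round. Setting `locked = true` right after the lock call and before the `pte_same()` check is the correct order, since any mismatch path that exits through `pte_unlock` needs the flag already set.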
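Review bot: in the `@@ -2310` hunk, the `warn:` label sits inside the inner `if (__copy_from_user_inatomic(...))` block and is entered by `goto warn` from the enclosing block, which is the ugliness the cover text admits to; a local such as `copy_failed` set on either failing copy, with a single `if (copy_failed) { WARN_ON_ONCE(1); clear_page(kaddr); }` after the retry logic, removes the jump into a nested block. Two smaller points in the same hunk: the added comment has a typo, "attampt" should be "attempt", and the reused comment "Give a warn in case there can be some obscure use-case" now covers two distinct conditions, a copy that fails while the PTL is already held after the PTE was marked young, and a copy that fails under the PTL after `pte_same()` confirmed the mapping is unchanged; naming both in the comment makes the `WARN_ON_ONCE` easier to interpret when it fires. Since the fallback on a second failure is still `clear_page(kaddr)` followed by `ret = true`, the destination page can still end up zero-filled in that case; a sentence explaining why a failed copy with an unchanged, present PTE under the PTL is not expected to happen would document the argument that the retry closes the data-corruption window rather than narrowing it.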