From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=GvXl=HM=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E92DFC433DB
	for <linux-mm@archiver.kernel.org>; Wed, 10 Feb 2021 21:22:13 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 7078264ED0
	for <linux-mm@archiver.kernel.org>; Wed, 10 Feb 2021 21:22:13 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7078264ED0
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 1046C6B0070; Wed, 10 Feb 2021 16:22:13 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 0B8B56B0071; Wed, 10 Feb 2021 16:22:13 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id EE71B6B0072; Wed, 10 Feb 2021 16:22:12 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0134.hostedemail.com [216.40.44.134])
	by kanga.kvack.org (Postfix) with ESMTP id D606B6B0070
	for <linux-mm@kvack.org>; Wed, 10 Feb 2021 16:22:12 -0500 (EST)
Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id A055CB791
	for <linux-mm@kvack.org>; Wed, 10 Feb 2021 21:22:12 +0000 (UTC)
X-FDA: 77803631304.30.place57_3b0a03527613
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin30.hostedemail.com (Postfix) with ESMTP id 72DCD181BFF93
	for <linux-mm@kvack.org>; Wed, 10 Feb 2021 21:22:12 +0000 (UTC)
X-HE-Tag: place57_3b0a03527613
X-Filterd-Recvd-Size: 9503
Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202])
	by imf23.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Wed, 10 Feb 2021 21:22:11 +0000 (UTC)
Received: by mail-pf1-f202.google.com with SMTP id 137so2639807pfw.4
        for <linux-mm@kvack.org>; Wed, 10 Feb 2021 13:22:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=sender:date:in-reply-to:message-id:mime-version:references:subject
         :from:to:cc;
        bh=hnaAeM5s+w8DJX76RPfJONuTnc8xLec37Vehd5HeKu4=;
        b=rT9xRNa1VIiUFPnpy4os5esD59yyOdCLADkE4Mt5k31roGAL/DqU3FLcMg6tUIty9o
         q6ErhrLk1CSPG6B5gBI4Vm1dKANSxKMPj6RPuZunzPWgZxxcvdzMfrhFeEpJ5JzVJIHE
         6gxDrphQPYCfBBQFIEHVuC0Xpuc8r2UaUydFrYogt68o05NBpU/i2sHIIy4JJN9Bzcx2
         MLtjyveEBrlyiV2AyFeva0A2EHcAlM6VAhdaI+XGccYzsB4Ks9rrMgN9SBJm0m4B/Hxg
         fEWIfjXl6UrWz/RZjEF5vaC2Bm1A3VFg2Odya5SIp4xbHT8IzbXYKchCftxzIwy0Ks+x
         u3ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:date:in-reply-to:message-id:mime-version
         :references:subject:from:to:cc;
        bh=hnaAeM5s+w8DJX76RPfJONuTnc8xLec37Vehd5HeKu4=;
        b=gMtUTCcjMj+YVW5ZgCn04F8Zu+Y1KhH1TYav5UDqg/ADzU6Be7brDXtRA05JQd31Il
         CVWTxiWGpzdXcGvgFd+3Fh+TsVtdQ7UTgCfpZHRHW3yFGxat0qm2pQC5rtmpzpFqPAth
         gaS3hjDZfZBzSI9gzE1VQu3huIm2cVWhunozDXihZu1P61MTOf/Wccv6ubxmKE7lVDqN
         /jG9+0duKR47sjKgBKZU/ygLEM09U7zL5A03OLaPl9e1/tZb19xJv97NedgM5Vd3WUfx
         +jeWXvyYmnZxVxEfNpTEvkLo4+SBIY0KI2rYOWgXEulUlvTX1pUPtCQCHU2sSuYt0Pw1
         5gfA==
X-Gm-Message-State: AOAM531xhgAUaenmPTm17t/sGrdfeDTEecC4hShrVHL3juPR01ifiQWg
	X4bKgnIp6OIYR8oQ3XiQ1vNhiMC3WCca+4eZW2ah
X-Google-Smtp-Source: ABdhPJwMBNBgVFnVfutXp93h4VFnNAN1Zy0Grp7R/VpQFaqM0x0RCowKe+s4eVo9U3hnShVH8b//2tNlEpLT0e9b208b
X-Received: from ajr0.svl.corp.google.com ([2620:15c:2cd:203:94ee:de01:168:9f20])
 (user=axelrasmussen job=sendgmr) by 2002:a17:902:cd13:b029:e2:efc5:d33d with
 SMTP id g19-20020a170902cd13b02900e2efc5d33dmr4879127ply.61.1612992130552;
 Wed, 10 Feb 2021 13:22:10 -0800 (PST)
Date: Wed, 10 Feb 2021 13:21:52 -0800
In-Reply-To: <20210210212200.1097784-1-axelrasmussen@google.com>
Message-Id: <20210210212200.1097784-3-axelrasmussen@google.com>
Mime-Version: 1.0
References: <20210210212200.1097784-1-axelrasmussen@google.com>
X-Mailer: git-send-email 2.30.0.478.g8a0d178c01-goog
Subject: [PATCH v5 02/10] hugetlb/userfaultfd: Forbid huge pmd sharing when
 uffd enabled
From: Axel Rasmussen <axelrasmussen@google.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>, Alexey Dobriyan <adobriyan@gmail.com>, 
	Andrea Arcangeli <aarcange@redhat.com>, Andrew Morton <akpm@linux-foundation.org>, 
	Anshuman Khandual <anshuman.khandual@arm.com>, Catalin Marinas <catalin.marinas@arm.com>, 
	Chinwen Chang <chinwen.chang@mediatek.com>, Huang Ying <ying.huang@intel.com>, 
	Ingo Molnar <mingo@redhat.com>, Jann Horn <jannh@google.com>, Jerome Glisse <jglisse@redhat.com>, 
	Lokesh Gidra <lokeshgidra@google.com>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, 
	Michael Ellerman <mpe@ellerman.id.au>, "=?UTF-8?q?Michal=20Koutn=C3=BD?=" <mkoutny@suse.com>, 
	Michel Lespinasse <walken@google.com>, Mike Kravetz <mike.kravetz@oracle.com>, 
	Mike Rapoport <rppt@linux.vnet.ibm.com>, Nicholas Piggin <npiggin@gmail.com>, 
	Peter Xu <peterx@redhat.com>, Shaohua Li <shli@fb.com>, Shawn Anastasio <shawn@anastas.io>, 
	Steven Rostedt <rostedt@goodmis.org>, Steven Price <steven.price@arm.com>, 
	Vlastimil Babka <vbabka@suse.cz>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, 
	linux-mm@kvack.org, Adam Ruprecht <ruprecht@google.com>, 
	Axel Rasmussen <axelrasmussen@google.com>, Cannon Matthews <cannonmatthews@google.com>, 
	"Dr . David Alan Gilbert" <dgilbert@redhat.com>, David Rientjes <rientjes@google.com>, 
	Mina Almasry <almasrymina@google.com>, Oliver Upton <oupton@google.com>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Peter Xu <peterx@redhat.com>

Huge pmd sharing could bring problem to userfaultfd.  The thing is that
userfaultfd is running its logic based on the special bits on page table
entries, however the huge pmd sharing could potentially share page table
entries for different address ranges.  That could cause issues on either:

  - When sharing huge pmd page tables for an uffd write protected range, the
    newly mapped huge pmd range will also be write protected unexpectedly, or,

  - When we try to write protect a range of huge pmd shared range, we'll first
    do huge_pmd_unshare() in hugetlb_change_protection(), however that also
    means the UFFDIO_WRITEPROTECT could be silently skipped for the shared
    region, which could lead to data loss.

Since at it, a few other things are done altogether:

  - Move want_pmd_share() from mm/hugetlb.c into linux/hugetlb.h, because
    that's definitely something that arch code would like to use too

  - ARM64 currently directly check against CONFIG_ARCH_WANT_HUGE_PMD_SHARE when
    trying to share huge pmd.  Switch to the want_pmd_share() helper.

Since at it, move vma_shareable() from huge_pmd_share() into want_pmd_share().

Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
---
 arch/arm64/mm/hugetlbpage.c   |  3 +--
 include/linux/hugetlb.h       |  2 ++
 include/linux/userfaultfd_k.h |  9 +++++++++
 mm/hugetlb.c                  | 20 ++++++++++++++------
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
index 6e3bcffe2837..58987a98e179 100644
--- a/arch/arm64/mm/hugetlbpage.c
+++ b/arch/arm64/mm/hugetlbpage.c
@@ -284,8 +284,7 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
 		 */
 		ptep = pte_alloc_map(mm, pmdp, addr);
 	} else if (sz == PMD_SIZE) {
-		if (IS_ENABLED(CONFIG_ARCH_WANT_HUGE_PMD_SHARE) &&
-		    pud_none(READ_ONCE(*pudp)))
+		if (want_pmd_share(vma, addr) && pud_none(READ_ONCE(*pudp)))
 			ptep = huge_pmd_share(mm, vma, addr, pudp);
 		else
 			ptep = (pte_t *)pmd_alloc(mm, pudp, addr);
diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
index ca6e5ba56f73..d971e7efd17d 100644
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -1030,4 +1030,6 @@ static inline __init void hugetlb_cma_check(void)
 }
 #endif
 
+bool want_pmd_share(struct vm_area_struct *vma, unsigned long addr);
+
 #endif /* _LINUX_HUGETLB_H */
diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
index a8e5f3ea9bb2..c63ccdae3eab 100644
--- a/include/linux/userfaultfd_k.h
+++ b/include/linux/userfaultfd_k.h
@@ -52,6 +52,15 @@ static inline bool is_mergeable_vm_userfaultfd_ctx(struct vm_area_struct *vma,
 	return vma->vm_userfaultfd_ctx.ctx == vm_ctx.ctx;
 }
 
+/*
+ * Never enable huge pmd sharing on uffd-wp registered vmas, because uffd-wp
+ * protect information is per pgtable entry.
+ */
+static inline bool uffd_disable_huge_pmd_share(struct vm_area_struct *vma)
+{
+	return vma->vm_flags & VM_UFFD_WP;
+}
+
 static inline bool userfaultfd_missing(struct vm_area_struct *vma)
 {
 	return vma->vm_flags & VM_UFFD_MISSING;
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 32d4d2e277ad..5710286e1984 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5245,6 +5245,18 @@ static bool vma_shareable(struct vm_area_struct *vma, unsigned long addr)
 	return false;
 }
 
+bool want_pmd_share(struct vm_area_struct *vma, unsigned long addr)
+{
+#ifndef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
+	return false;
+#endif
+#ifdef CONFIG_USERFAULTFD
+	if (uffd_disable_huge_pmd_share(vma))
+		return false;
+#endif
+	return vma_shareable(vma, addr);
+}
+
 /*
  * Determine if start,end range within vma could be mapped by shared pmd.
  * If yes, adjust start and end to cover range associated with possible
@@ -5301,9 +5313,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 	pte_t *pte;
 	spinlock_t *ptl;
 
-	if (!vma_shareable(vma, addr))
-		return (pte_t *)pmd_alloc(mm, pud, addr);
-
 	i_mmap_assert_locked(mapping);
 	vma_interval_tree_foreach(svma, &mapping->i_mmap, idx, idx) {
 		if (svma == vma)
@@ -5367,7 +5376,7 @@ int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
 	*addr = ALIGN(*addr, HPAGE_SIZE * PTRS_PER_PTE) - HPAGE_SIZE;
 	return 1;
 }
-#define want_pmd_share()	(1)
+
 #else /* !CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
 pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct vma,
 		      unsigned long addr, pud_t *pud)
@@ -5385,7 +5394,6 @@ void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma,
 				unsigned long *start, unsigned long *end)
 {
 }
-#define want_pmd_share()	(0)
 #endif /* CONFIG_ARCH_WANT_HUGE_PMD_SHARE */
 
 #ifdef CONFIG_ARCH_WANT_GENERAL_HUGETLB
@@ -5407,7 +5415,7 @@ pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma,
 			pte = (pte_t *)pud;
 		} else {
 			BUG_ON(sz != PMD_SIZE);
-			if (want_pmd_share() && pud_none(*pud))
+			if (want_pmd_share(vma, addr) && pud_none(*pud))
 				pte = huge_pmd_share(mm, vma, addr, pud);
 			else
 				pte = (pte_t *)pmd_alloc(mm, pud, addr);
-- 
2.30.0.478.g8a0d178c01-goog