From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id 8D36E6B04CE for ; Mon, 10 Jul 2017 20:52:28 -0400 (EDT) Received: by mail-pf0-f199.google.com with SMTP id u17so130208245pfa.6 for ; Mon, 10 Jul 2017 17:52:28 -0700 (PDT) Received: from mail-pg0-x236.google.com (mail-pg0-x236.google.com. [2607:f8b0:400e:c05::236]) by mx.google.com with ESMTPS id g128si9016111pgc.343.2017.07.10.17.52.27 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Jul 2017 17:52:27 -0700 (PDT) Received: by mail-pg0-x236.google.com with SMTP id t186so57916128pgb.1 for ; Mon, 10 Jul 2017 17:52:27 -0700 (PDT) From: Nadav Amit Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Potential race in TLB flush batching? Message-Id: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> Date: Mon, 10 Jul 2017 17:52:25 -0700 Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman , Andy Lutomirski Cc: "open list:MEMORY MANAGEMENT" Something bothers me about the TLB flushes batching mechanism that Linux uses on x86 and I would appreciate your opinion regarding it. As you know, try_to_unmap_one() can batch TLB invalidations. While doing = so, however, the page-table lock(s) are not held, and I see no indication of = the pending flush saved (and regarded) in the relevant mm-structs. So, my question: what prevents, at least in theory, the following = scenario: CPU0 CPU1 ---- ---- user accesses memory using RW = PTE=20 [PTE now cached in TLB] try_to_unmap_one() =3D=3D> ptep_get_and_clear() =3D=3D> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) =3D=3D> change_pte_range() =3D=3D> [ PTE non-present - no = flush ] user writes using cached RW PTE ... try_to_unmap_flush() As you see CPU1 write should have failed, but may succeed.=20 Now I don=E2=80=99t have a PoC since in practice it seems hard to create = such a scenario: try_to_unmap_one() is likely to find the PTE accessed and the = PTE would not be reclaimed. Yet, isn=E2=80=99t it a problem? Am I missing something? Thanks, Nadav= -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f198.google.com (mail-wr0-f198.google.com [209.85.128.198]) by kanga.kvack.org (Postfix) with ESMTP id 4B8F36B04C0 for ; Tue, 11 Jul 2017 02:41:52 -0400 (EDT) Received: by mail-wr0-f198.google.com with SMTP id g46so29356922wrd.3 for ; Mon, 10 Jul 2017 23:41:52 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id a21si8448641wme.115.2017.07.10.23.41.51 for (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 10 Jul 2017 23:41:51 -0700 (PDT) Date: Tue, 11 Jul 2017 07:41:49 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711064149.bg63nvi54ycynxw4@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Mon, Jul 10, 2017 at 05:52:25PM -0700, Nadav Amit wrote: > Something bothers me about the TLB flushes batching mechanism that Linux > uses on x86 and I would appreciate your opinion regarding it. > > As you know, try_to_unmap_one() can batch TLB invalidations. While doing so, > however, the page-table lock(s) are not held, and I see no indication of the > pending flush saved (and regarded) in the relevant mm-structs. > > So, my question: what prevents, at least in theory, the following scenario: > > CPU0 CPU1 > ---- ---- > user accesses memory using RW PTE > [PTE now cached in TLB] > try_to_unmap_one() > ==> ptep_get_and_clear() > ==> set_tlb_ubc_flush_pending() > mprotect(addr, PROT_READ) > ==> change_pte_range() > ==> [ PTE non-present - no flush ] > > user writes using cached RW PTE > ... > > try_to_unmap_flush() > > > As you see CPU1 write should have failed, but may succeed. > > Now I don???t have a PoC since in practice it seems hard to create such a > scenario: try_to_unmap_one() is likely to find the PTE accessed and the PTE > would not be reclaimed. > That is the same to a race whereby there is no batching mechanism and the racing operation happens between a pte clear and a flush as ptep_clear_flush is not atomic. All that differs is that the race window is a different size. The application on CPU1 is buggy in that it may or may not succeed the write but it is buggy regardless of whether a batching mechanism is used or not. The user accessed the PTE before the mprotect so, at the time of mprotect, the PTE is either clean or dirty. If it is clean then any subsequent write would transition the PTE from clean to dirty and an architecture enabling the batching mechanism must trap a clean->dirty transition for unmapped entries as commented upon in try_to_unmap_one (and was checked that this is true for x86 at least). This avoids data corruption due to a lost update. If the previous access was a write then the batching flushes the page if any IO is required to avoid any writes after the IO has been initiated using try_to_unmap_flush_dirty so again there is no data corruption. There is a window where the TLB entry exists after the unmapping but this exists regardless of whether we batch or not. In either case, before a page is freed and potentially allocated to another process, the TLB is flushed. > Yet, isn???t it a problem? Am I missing something? > It's not a problem as such as it's basically a buggy application that can only hurt itself. I cannot see a path whereby the cached PTE can be used to corrupt data by either accessing it after IO has been initiated (lost data update) or access a physical page that has been allocated to another process (arbitrary corruption). -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id 502E6440846 for ; Tue, 11 Jul 2017 03:30:31 -0400 (EDT) Received: by mail-pf0-f199.google.com with SMTP id c23so137288979pfe.11 for ; Tue, 11 Jul 2017 00:30:31 -0700 (PDT) Received: from mail-pg0-x244.google.com (mail-pg0-x244.google.com. [2607:f8b0:400e:c05::244]) by mx.google.com with ESMTPS id f2si2955920pgr.380.2017.07.11.00.30.30 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 00:30:30 -0700 (PDT) Received: by mail-pg0-x244.google.com with SMTP id d193so15723025pgc.2 for ; Tue, 11 Jul 2017 00:30:30 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170711064149.bg63nvi54ycynxw4@suse.de> Date: Tue, 11 Jul 2017 00:30:28 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Mon, Jul 10, 2017 at 05:52:25PM -0700, Nadav Amit wrote: >> Something bothers me about the TLB flushes batching mechanism that = Linux >> uses on x86 and I would appreciate your opinion regarding it. >>=20 >> As you know, try_to_unmap_one() can batch TLB invalidations. While = doing so, >> however, the page-table lock(s) are not held, and I see no indication = of the >> pending flush saved (and regarded) in the relevant mm-structs. >>=20 >> So, my question: what prevents, at least in theory, the following = scenario: >>=20 >> CPU0 CPU1 >> ---- ---- >> user accesses memory using RW = PTE=20 >> [PTE now cached in TLB] >> try_to_unmap_one() >> =3D=3D> ptep_get_and_clear() >> =3D=3D> set_tlb_ubc_flush_pending() >> mprotect(addr, PROT_READ) >> =3D=3D> change_pte_range() >> =3D=3D> [ PTE non-present - no = flush ] >>=20 >> user writes using cached RW PTE >> ... >>=20 >> try_to_unmap_flush() >>=20 >>=20 >> As you see CPU1 write should have failed, but may succeed.=20 >>=20 >> Now I don???t have a PoC since in practice it seems hard to create = such a >> scenario: try_to_unmap_one() is likely to find the PTE accessed and = the PTE >> would not be reclaimed. >=20 > That is the same to a race whereby there is no batching mechanism and = the > racing operation happens between a pte clear and a flush as = ptep_clear_flush > is not atomic. All that differs is that the race window is a different = size. > The application on CPU1 is buggy in that it may or may not succeed the = write > but it is buggy regardless of whether a batching mechanism is used or = not. Thanks for your quick and detailed response, but I fail to see how it = can happen without batching. Indeed, the PTE clear and flush are not = =E2=80=9Catomic=E2=80=9D, but without batching they are both performed under the page table lock (which is acquired in page_vma_mapped_walk and released in page_vma_mapped_walk_done). Since the lock is taken, other cores should = not be able to inspect/modify the PTE. Relevant functions, e.g., = zap_pte_range and change_pte_range, acquire the lock before accessing the PTEs. Can you please explain why you consider the application to be buggy? = AFAIU an application can wish to trap certain memory accesses using = userfaultfd or SIGSEGV. For example, it may do it for garbage collection or sandboxing. = To do so, it can use mprotect with PROT_NONE and expect to be able to trap future accesses to that memory. This use-case is described in usefaultfd documentation. > The user accessed the PTE before the mprotect so, at the time of = mprotect, > the PTE is either clean or dirty. If it is clean then any subsequent = write > would transition the PTE from clean to dirty and an architecture = enabling > the batching mechanism must trap a clean->dirty transition for = unmapped > entries as commented upon in try_to_unmap_one (and was checked that = this > is true for x86 at least). This avoids data corruption due to a lost = update. >=20 > If the previous access was a write then the batching flushes the page = if > any IO is required to avoid any writes after the IO has been initiated > using try_to_unmap_flush_dirty so again there is no data corruption. = There > is a window where the TLB entry exists after the unmapping but this = exists > regardless of whether we batch or not. >=20 > In either case, before a page is freed and potentially allocated to = another > process, the TLB is flushed. To clarify my concern again - I am not regarding a memory corruption as = you do, but situations in which the application wishes to trap certain = memory accesses but fails to do so. Having said that, I would add, that even if = an application has a bug, it may expect this bug not to affect memory that = was previously unmapped (and may be written to permanent storage). Thanks (again), Nadav -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f199.google.com (mail-wr0-f199.google.com [209.85.128.199]) by kanga.kvack.org (Postfix) with ESMTP id 9E8AB6B04D7 for ; Tue, 11 Jul 2017 05:29:38 -0400 (EDT) Received: by mail-wr0-f199.google.com with SMTP id g46so30346987wrd.3 for ; Tue, 11 Jul 2017 02:29:38 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id h82si8780781wmh.91.2017.07.11.02.29.37 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 02:29:37 -0700 (PDT) Date: Tue, 11 Jul 2017 10:29:35 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711092935.bogdb4oja6v7kilq@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 12:30:28AM -0700, Nadav Amit wrote: > Mel Gorman wrote: > > > On Mon, Jul 10, 2017 at 05:52:25PM -0700, Nadav Amit wrote: > >> Something bothers me about the TLB flushes batching mechanism that Linux > >> uses on x86 and I would appreciate your opinion regarding it. > >> > >> As you know, try_to_unmap_one() can batch TLB invalidations. While doing so, > >> however, the page-table lock(s) are not held, and I see no indication of the > >> pending flush saved (and regarded) in the relevant mm-structs. > >> > >> So, my question: what prevents, at least in theory, the following scenario: > >> > >> CPU0 CPU1 > >> ---- ---- > >> user accesses memory using RW PTE > >> [PTE now cached in TLB] > >> try_to_unmap_one() > >> ==> ptep_get_and_clear() > >> ==> set_tlb_ubc_flush_pending() > >> mprotect(addr, PROT_READ) > >> ==> change_pte_range() > >> ==> [ PTE non-present - no flush ] > >> > >> user writes using cached RW PTE > >> ... > >> > >> try_to_unmap_flush() > >> > >> > >> As you see CPU1 write should have failed, but may succeed. > >> > >> Now I don???t have a PoC since in practice it seems hard to create such a > >> scenario: try_to_unmap_one() is likely to find the PTE accessed and the PTE > >> would not be reclaimed. > > > > That is the same to a race whereby there is no batching mechanism and the > > racing operation happens between a pte clear and a flush as ptep_clear_flush > > is not atomic. All that differs is that the race window is a different size. > > The application on CPU1 is buggy in that it may or may not succeed the write > > but it is buggy regardless of whether a batching mechanism is used or not. > > Thanks for your quick and detailed response, but I fail to see how it can > happen without batching. Indeed, the PTE clear and flush are not ???atomic???, > but without batching they are both performed under the page table lock > (which is acquired in page_vma_mapped_walk and released in > page_vma_mapped_walk_done). Since the lock is taken, other cores should not > be able to inspect/modify the PTE. Relevant functions, e.g., zap_pte_range > and change_pte_range, acquire the lock before accessing the PTEs. > I was primarily thinking in terms of memory corruption or data loss. However, we are still protected although it's not particularly obvious why. On the reclaim side, we are either reclaiming clean pages (which ignore the accessed bit) or normal reclaim. If it's clean pages then any parallel write must update the dirty bit at minimum. If it's normal reclaim then the accessed bit is checked and if cleared in try_to_unmap_one, it uses a ptep_clear_flush_young_notify so the TLB gets flushed. We don't reclaim the page in either as part of page_referenced or try_to_unmap_one but clearing the accessed bit flushes the TLB. On the mprotect side then, as the page was first accessed, clearing the accessed bit incurs a TLB flush on the reclaim side before the second write. That means any TLB entry that exists cannot have the accessed bit set so a second write needs to update it. While it's not clearly documented, I checked with hardware engineers at the time that an update of the accessed or dirty bit even with a TLB entry will check the underlying page tables and trap if it's not present and the subsequent fault will then fail on sigsegv if the VMA protections no longer allow the write. So, on one side if ignoring the accessed bit during reclaim, the pages are clean so any access will set the dirty bit and trap if unmapped in parallel. On the other side, the accessed bit if set cleared the TLB and if not set, then the hardware needs to update and again will trap if unmapped in parallel. If this guarantee from hardware was every shown to be wrong or another architecture wanted to add batching without the same guarantee then mprotect would need to do a local_flush_tlb if no pages were updated by the mprotect but right now, this should not be necessary. > Can you please explain why you consider the application to be buggy? I considered it a bit dumb to mprotect for READ/NONE and then try writing the same mapping. However, it will behave as expected. > AFAIU > an application can wish to trap certain memory accesses using userfaultfd or > SIGSEGV. For example, it may do it for garbage collection or sandboxing. To > do so, it can use mprotect with PROT_NONE and expect to be able to trap > future accesses to that memory. This use-case is described in usefaultfd > documentation. > Such applications are safe due to how the accessed bit is handled by the software (flushes TLB if clearing young) and hardware (traps if updating the accessed or dirty bit and the underlying PTE was unmapped even if there is a TLB entry). -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f71.google.com (mail-pg0-f71.google.com [74.125.83.71]) by kanga.kvack.org (Postfix) with ESMTP id B3EF76B04DE for ; Tue, 11 Jul 2017 06:40:06 -0400 (EDT) Received: by mail-pg0-f71.google.com with SMTP id u5so144324752pgq.14 for ; Tue, 11 Jul 2017 03:40:06 -0700 (PDT) Received: from mail-pg0-x243.google.com (mail-pg0-x243.google.com. [2607:f8b0:400e:c05::243]) by mx.google.com with ESMTPS id r21si9982142pgo.321.2017.07.11.03.40.05 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 03:40:05 -0700 (PDT) Received: by mail-pg0-x243.google.com with SMTP id d193so16349546pgc.2 for ; Tue, 11 Jul 2017 03:40:05 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170711092935.bogdb4oja6v7kilq@suse.de> Date: Tue, 11 Jul 2017 03:40:02 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Tue, Jul 11, 2017 at 12:30:28AM -0700, Nadav Amit wrote: >> Mel Gorman wrote: >>=20 >>> On Mon, Jul 10, 2017 at 05:52:25PM -0700, Nadav Amit wrote: >>>> Something bothers me about the TLB flushes batching mechanism that = Linux >>>> uses on x86 and I would appreciate your opinion regarding it. >>>>=20 >>>> As you know, try_to_unmap_one() can batch TLB invalidations. While = doing so, >>>> however, the page-table lock(s) are not held, and I see no = indication of the >>>> pending flush saved (and regarded) in the relevant mm-structs. >>>>=20 >>>> So, my question: what prevents, at least in theory, the following = scenario: >>>>=20 >>>> CPU0 CPU1 >>>> ---- ---- >>>> user accesses memory using RW = PTE=20 >>>> [PTE now cached in TLB] >>>> try_to_unmap_one() >>>> =3D=3D> ptep_get_and_clear() >>>> =3D=3D> set_tlb_ubc_flush_pending() >>>> mprotect(addr, PROT_READ) >>>> =3D=3D> change_pte_range() >>>> =3D=3D> [ PTE non-present - no = flush ] >>>>=20 >>>> user writes using cached RW PTE >>>> ... >>>>=20 >>>> try_to_unmap_flush() >>>>=20 >>>>=20 >>>> As you see CPU1 write should have failed, but may succeed.=20 >>>>=20 >>>> Now I don???t have a PoC since in practice it seems hard to create = such a >>>> scenario: try_to_unmap_one() is likely to find the PTE accessed and = the PTE >>>> would not be reclaimed. >>>=20 >>> That is the same to a race whereby there is no batching mechanism = and the >>> racing operation happens between a pte clear and a flush as = ptep_clear_flush >>> is not atomic. All that differs is that the race window is a = different size. >>> The application on CPU1 is buggy in that it may or may not succeed = the write >>> but it is buggy regardless of whether a batching mechanism is used = or not. >>=20 >> Thanks for your quick and detailed response, but I fail to see how it = can >> happen without batching. Indeed, the PTE clear and flush are not = ???atomic???, >> but without batching they are both performed under the page table = lock >> (which is acquired in page_vma_mapped_walk and released in >> page_vma_mapped_walk_done). Since the lock is taken, other cores = should not >> be able to inspect/modify the PTE. Relevant functions, e.g., = zap_pte_range >> and change_pte_range, acquire the lock before accessing the PTEs. >=20 > I was primarily thinking in terms of memory corruption or data loss. > However, we are still protected although it's not particularly obvious = why. >=20 > On the reclaim side, we are either reclaiming clean pages (which = ignore > the accessed bit) or normal reclaim. If it's clean pages then any = parallel > write must update the dirty bit at minimum. If it's normal reclaim = then > the accessed bit is checked and if cleared in try_to_unmap_one, it = uses a > ptep_clear_flush_young_notify so the TLB gets flushed. We don't = reclaim > the page in either as part of page_referenced or try_to_unmap_one but > clearing the accessed bit flushes the TLB. Wait. Are you looking at the x86 arch function? The TLB is not flushed = when the access bit is cleared: int ptep_clear_flush_young(struct vm_area_struct *vma, unsigned long address, pte_t *ptep) { /* * On x86 CPUs, clearing the accessed bit without a TLB flush * doesn't cause data corruption. [ It could cause incorrect * page aging and the (mistaken) reclaim of hot pages, but the * chance of that should be relatively low. ] * =20 * So as a performance optimization don't flush the TLB when * clearing the accessed bit, it will eventually be flushed by * a context switch or a VM operation anyway. [ In the rare * event of it not getting flushed for a long time the delay * shouldn't really matter because there's no real memory * pressure for swapout to react to. ] */ return ptep_test_and_clear_young(vma, address, ptep); } >=20 > On the mprotect side then, as the page was first accessed, clearing = the > accessed bit incurs a TLB flush on the reclaim side before the second = write. > That means any TLB entry that exists cannot have the accessed bit set = so > a second write needs to update it. >=20 > While it's not clearly documented, I checked with hardware engineers > at the time that an update of the accessed or dirty bit even with a = TLB > entry will check the underlying page tables and trap if it's not = present > and the subsequent fault will then fail on sigsegv if the VMA = protections > no longer allow the write. >=20 > So, on one side if ignoring the accessed bit during reclaim, the pages > are clean so any access will set the dirty bit and trap if unmapped in > parallel. On the other side, the accessed bit if set cleared the TLB = and > if not set, then the hardware needs to update and again will trap if > unmapped in parallel. Yet, even regardless to the TLB flush it seems there is still a possible race: CPU0 CPU1 ---- ---- ptep_clear_flush_young_notify =3D=3D> PTE.A=3D=3D0 access PTE =3D=3D> PTE.A=3D1 prep_get_and_clear change mapping (and PTE) Use stale TLB entry > If this guarantee from hardware was every shown to be wrong or another > architecture wanted to add batching without the same guarantee then = mprotect > would need to do a local_flush_tlb if no pages were updated by the = mprotect > but right now, this should not be necessary. >=20 >> Can you please explain why you consider the application to be buggy? >=20 > I considered it a bit dumb to mprotect for READ/NONE and then try = writing > the same mapping. However, it will behave as expected. I don=E2=80=99t think that this is the only scenario. For example, the = application may create a new memory mapping of a different file using mmap at the = same memory address that was used before, just as that memory is reclaimed. = The application can (inadvertently) cause such a scenario by using = MAP_FIXED. But even without MAP_FIXED, running mmap->munmap->mmap can reuse the = same virtual address. >> AFAIU >> an application can wish to trap certain memory accesses using = userfaultfd or >> SIGSEGV. For example, it may do it for garbage collection or = sandboxing. To >> do so, it can use mprotect with PROT_NONE and expect to be able to = trap >> future accesses to that memory. This use-case is described in = usefaultfd >> documentation. >=20 > Such applications are safe due to how the accessed bit is handled by = the > software (flushes TLB if clearing young) and hardware (traps if = updating > the accessed or dirty bit and the underlying PTE was unmapped even if > there is a TLB entry). I don=E2=80=99t think it is so. And I also think there are many = additional potentially problematic scenarios. Thanks for your patience, Nadav= -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f200.google.com (mail-wr0-f200.google.com [209.85.128.200]) by kanga.kvack.org (Postfix) with ESMTP id D34846B0500 for ; Tue, 11 Jul 2017 09:20:26 -0400 (EDT) Received: by mail-wr0-f200.google.com with SMTP id x23so31789193wrb.6 for ; Tue, 11 Jul 2017 06:20:26 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id k12si10080439wrc.386.2017.07.11.06.20.25 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 06:20:25 -0700 (PDT) Date: Tue, 11 Jul 2017 14:20:23 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711132023.wdfpjxwtbqpi3wp2@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 03:40:02AM -0700, Nadav Amit wrote: > Mel Gorman wrote: > > >>> That is the same to a race whereby there is no batching mechanism and the > >>> racing operation happens between a pte clear and a flush as ptep_clear_flush > >>> is not atomic. All that differs is that the race window is a different size. > >>> The application on CPU1 is buggy in that it may or may not succeed the write > >>> but it is buggy regardless of whether a batching mechanism is used or not. > >> > >> Thanks for your quick and detailed response, but I fail to see how it can > >> happen without batching. Indeed, the PTE clear and flush are not ???atomic???, > >> but without batching they are both performed under the page table lock > >> (which is acquired in page_vma_mapped_walk and released in > >> page_vma_mapped_walk_done). Since the lock is taken, other cores should not > >> be able to inspect/modify the PTE. Relevant functions, e.g., zap_pte_range > >> and change_pte_range, acquire the lock before accessing the PTEs. > > > > I was primarily thinking in terms of memory corruption or data loss. > > However, we are still protected although it's not particularly obvious why. > > > > On the reclaim side, we are either reclaiming clean pages (which ignore > > the accessed bit) or normal reclaim. If it's clean pages then any parallel > > write must update the dirty bit at minimum. If it's normal reclaim then > > the accessed bit is checked and if cleared in try_to_unmap_one, it uses a > > ptep_clear_flush_young_notify so the TLB gets flushed. We don't reclaim > > the page in either as part of page_referenced or try_to_unmap_one but > > clearing the accessed bit flushes the TLB. > > Wait. Are you looking at the x86 arch function? The TLB is not flushed when > the access bit is cleared: > > int ptep_clear_flush_young(struct vm_area_struct *vma, > unsigned long address, pte_t *ptep) > { > /* > * On x86 CPUs, clearing the accessed bit without a TLB flush > * doesn't cause data corruption. [ It could cause incorrect > * page aging and the (mistaken) reclaim of hot pages, but the > * chance of that should be relatively low. ] > * > * So as a performance optimization don't flush the TLB when > * clearing the accessed bit, it will eventually be flushed by > * a context switch or a VM operation anyway. [ In the rare > * event of it not getting flushed for a long time the delay > * shouldn't really matter because there's no real memory > * pressure for swapout to react to. ] > */ > return ptep_test_and_clear_young(vma, address, ptep); > } > I forgot this detail, thanks for correcting me. > > > > On the mprotect side then, as the page was first accessed, clearing the > > accessed bit incurs a TLB flush on the reclaim side before the second write. > > That means any TLB entry that exists cannot have the accessed bit set so > > a second write needs to update it. > > > > While it's not clearly documented, I checked with hardware engineers > > at the time that an update of the accessed or dirty bit even with a TLB > > entry will check the underlying page tables and trap if it's not present > > and the subsequent fault will then fail on sigsegv if the VMA protections > > no longer allow the write. > > > > So, on one side if ignoring the accessed bit during reclaim, the pages > > are clean so any access will set the dirty bit and trap if unmapped in > > parallel. On the other side, the accessed bit if set cleared the TLB and > > if not set, then the hardware needs to update and again will trap if > > unmapped in parallel. > > > Yet, even regardless to the TLB flush it seems there is still a possible > race: > > CPU0 CPU1 > ---- ---- > ptep_clear_flush_young_notify > ==> PTE.A==0 > access PTE > ==> PTE.A=1 > prep_get_and_clear > change mapping (and PTE) > Use stale TLB entry So I think you're right and this is a potential race. The first access can be a read or a write as it's a problem if the mprotect call restricts access. > > If this guarantee from hardware was every shown to be wrong or another > > architecture wanted to add batching without the same guarantee then mprotect > > would need to do a local_flush_tlb if no pages were updated by the mprotect > > but right now, this should not be necessary. > > > >> Can you please explain why you consider the application to be buggy? > > > > I considered it a bit dumb to mprotect for READ/NONE and then try writing > > the same mapping. However, it will behave as expected. > > I don???t think that this is the only scenario. For example, the application > may create a new memory mapping of a different file using mmap at the same > memory address that was used before, just as that memory is reclaimed. That requires the existing mapping to be unmapped which will flush the TLB and parallel mmap/munmap serialises on mmap_sem. The race appears to be specific to mprotect which avoids the TLB flush if no pages were updated. > The > application can (inadvertently) cause such a scenario by using MAP_FIXED. > But even without MAP_FIXED, running mmap->munmap->mmap can reuse the same > virtual address. > With flushes in between. > > Such applications are safe due to how the accessed bit is handled by the > > software (flushes TLB if clearing young) and hardware (traps if updating > > the accessed or dirty bit and the underlying PTE was unmapped even if > > there is a TLB entry). > > I don???t think it is so. And I also think there are many additional > potentially problematic scenarios. > I believe it's specific to mprotect but can be handled by flushing the local TLB when mprotect updates no pages. Something like this; ---8<--- mm, mprotect: Flush the local TLB if mprotect potentially raced with a parallel reclaim Nadav Amit identified a theoritical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE. This is not a data integrity issue as the TLB is always flushed before any IO is queued or a page is freed but it is a correctness issue as a process restricting access with mprotect() may still be able to access the data after the syscall returns due to a stale TLB entry. Handle this issue by flushing the local TLB if reclaim is potentially batching TLB flushes and mprotect altered no pages. Signed-off-by: Mel Gorman Cc: stable@vger.kernel.org # v4.4+ --- mm/internal.h | 5 ++++- mm/mprotect.c | 12 ++++++++++-- mm/rmap.c | 20 ++++++++++++++++++++ 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/mm/internal.h b/mm/internal.h index 0e4f558412fb..9b7d1a597816 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH void try_to_unmap_flush(void); void try_to_unmap_flush_dirty(void); +void batched_unmap_protection_update(void); #else static inline void try_to_unmap_flush(void) { @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) static inline void try_to_unmap_flush_dirty(void) { } - +static inline void batched_unmap_protection_update() +{ +} #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ extern const struct trace_print_flags pageflag_names[]; diff --git a/mm/mprotect.c b/mm/mprotect.c index 8edd0d576254..3de353d4b5fb 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -254,9 +254,17 @@ static unsigned long change_protection_range(struct vm_area_struct *vma, dirty_accountable, prot_numa); } while (pgd++, addr = next, addr != end); - /* Only flush the TLB if we actually modified any entries: */ - if (pages) + /* + * Only flush all TLBs if we actually modified any entries. If no + * pages are modified, then call batched_unmap_protection_update + * if the context is a mprotect() syscall. + */ + if (pages) { flush_tlb_range(vma, start, end); + } else { + if (!prot_numa) + batched_unmap_protection_update(); + } clear_tlb_flush_pending(mm); return pages; diff --git a/mm/rmap.c b/mm/rmap.c index d405f0e0ee96..02cb035e4ce6 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -643,6 +643,26 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) return should_defer; } + +/* + * This is called after an mprotect update that altered no pages. Batched + * unmap releases the PTL before a flush occurs leaving a window where + * an mprotect that reduces access rights can still access the page after + * mprotect returns via a stale TLB entry. Avoid this possibility by flushing + * the local TLB if mprotect updates no pages so that the the caller of + * mprotect always gets expected behaviour. It's overkill and unnecessary to + * flush all TLBs as a separate thread accessing the data that raced with + * both reclaim and mprotect as there is no risk of data corruption and + * the exact timing of a parallel thread seeing a protection update without + * any serialisation on the application side is always uncertain. + */ +void batched_unmap_protection_update(void) +{ + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); + local_flush_tlb(); + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); +} + #else static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) { -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f69.google.com (mail-oi0-f69.google.com [209.85.218.69]) by kanga.kvack.org (Postfix) with ESMTP id 00E826B050F for ; Tue, 11 Jul 2017 10:58:28 -0400 (EDT) Received: by mail-oi0-f69.google.com with SMTP id t188so119801oih.15 for ; Tue, 11 Jul 2017 07:58:27 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id g7si109879oif.371.2017.07.11.07.58.27 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 07:58:27 -0700 (PDT) Received: from mail-ua0-f173.google.com (mail-ua0-f173.google.com [209.85.217.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 600DE22C99 for ; Tue, 11 Jul 2017 14:58:26 +0000 (UTC) Received: by mail-ua0-f173.google.com with SMTP id g40so1530481uaa.3 for ; Tue, 11 Jul 2017 07:58:26 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20170711132023.wdfpjxwtbqpi3wp2@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> From: Andy Lutomirski Date: Tue, 11 Jul 2017 07:58:04 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Nadav Amit , Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 6:20 AM, Mel Gorman wrote: > + > +/* > + * This is called after an mprotect update that altered no pages. Batched > + * unmap releases the PTL before a flush occurs leaving a window where > + * an mprotect that reduces access rights can still access the page after > + * mprotect returns via a stale TLB entry. Avoid this possibility by flushing > + * the local TLB if mprotect updates no pages so that the the caller of > + * mprotect always gets expected behaviour. It's overkill and unnecessary to > + * flush all TLBs as a separate thread accessing the data that raced with > + * both reclaim and mprotect as there is no risk of data corruption and > + * the exact timing of a parallel thread seeing a protection update without > + * any serialisation on the application side is always uncertain. > + */ > +void batched_unmap_protection_update(void) > +{ > + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); > + local_flush_tlb(); > + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); > +} > + What about remote CPUs? You could get migrated right after mprotect() or the inconsistency could be observed on another CPU. I also really don't like bypassing arch code like this. The implementation of flush_tlb_mm_range() in tip:x86/mm (and slated for this merge window!) is *very* different from what's there now, and it is not written in the expectation that some generic code might call local_tlb_flush() and expect any kind of coherency at all. I'm also still nervous about situations in which, while a batched flush is active, a user calls mprotect() and then does something else that gets confused by the fact that there's an RO PTE and doesn't flush out the RW TLB entry. COWing a page, perhaps? Would a better fix perhaps be to find a way to figure out whether a batched flush is pending on the mm in question and flush it out if you do any optimizations based on assuming that the TLB is in any respect consistent with the page tables? With the changes in -tip, x86 could, in principle, supply a function to sync up its TLB state. That would require cross-CPU poking at state or an inconditional IPI (that might end up not flushing anything), but either is doable. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f198.google.com (mail-wr0-f198.google.com [209.85.128.198]) by kanga.kvack.org (Postfix) with ESMTP id 725126B0528 for ; Tue, 11 Jul 2017 11:53:15 -0400 (EDT) Received: by mail-wr0-f198.google.com with SMTP id z45so951210wrb.13 for ; Tue, 11 Jul 2017 08:53:15 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id r30si195700wra.315.2017.07.11.08.53.14 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 08:53:14 -0700 (PDT) Date: Tue, 11 Jul 2017 16:53:12 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711155312.637eyzpqeghcgqzp@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 07:58:04AM -0700, Andrew Lutomirski wrote: > On Tue, Jul 11, 2017 at 6:20 AM, Mel Gorman wrote: > > + > > +/* > > + * This is called after an mprotect update that altered no pages. Batched > > + * unmap releases the PTL before a flush occurs leaving a window where > > + * an mprotect that reduces access rights can still access the page after > > + * mprotect returns via a stale TLB entry. Avoid this possibility by flushing > > + * the local TLB if mprotect updates no pages so that the the caller of > > + * mprotect always gets expected behaviour. It's overkill and unnecessary to > > + * flush all TLBs as a separate thread accessing the data that raced with > > + * both reclaim and mprotect as there is no risk of data corruption and > > + * the exact timing of a parallel thread seeing a protection update without > > + * any serialisation on the application side is always uncertain. > > + */ > > +void batched_unmap_protection_update(void) > > +{ > > + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); > > + local_flush_tlb(); > > + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); > > +} > > + > > What about remote CPUs? You could get migrated right after mprotect() > or the inconsistency could be observed on another CPU. If it's migrated then it has also context switched so the TLB entry will be read for the first time. If the entry is inconsistent for another CPU accessing the data then it'll potentially successfully access a page that was just mprotected but this is similar to simply racing with the call to mprotect itself. The timing isn't exact, nor does it need to be. One thread accessing data racing with another thread doing mprotect without any synchronisation in the application is always going to be unreliable. I'm less certain once PCID tracking is in place and whether it's possible for a process to be context switching fast enough to allow an access. If it's possible then batching would require an unconditional flush on mprotect even if no pages are updated if access is being limited by the mprotect which would be unfortunate. > I also really > don't like bypassing arch code like this. The implementation of > flush_tlb_mm_range() in tip:x86/mm (and slated for this merge window!) > is *very* different from what's there now, and it is not written in > the expectation that some generic code might call local_tlb_flush() > and expect any kind of coherency at all. > Assuming that gets merged first then the most straight-forward approach would be to setup a arch_tlbflush_unmap_batch with just the local CPU set in the mask or something similar. > I'm also still nervous about situations in which, while a batched > flush is active, a user calls mprotect() and then does something else > that gets confused by the fact that there's an RO PTE and doesn't > flush out the RW TLB entry. COWing a page, perhaps? > The race in question only applies if mprotect had no PTEs to update. If any page was updated then the TLB is flushed before mprotect returns. With the patch (or a variant on top of your work), at least the local TLB will be flushed even if no PTEs were updated. This might be more expensive than it has to be but I expect that mprotects on range with no PTEs to update are fairly rare. > Would a better fix perhaps be to find a way to figure out whether a > batched flush is pending on the mm in question and flush it out if you > do any optimizations based on assuming that the TLB is in any respect > consistent with the page tables? With the changes in -tip, x86 could, > in principle, supply a function to sync up its TLB state. That would > require cross-CPU poking at state or an inconditional IPI (that might > end up not flushing anything), but either is doable. It's potentially doable if a field like tlb_flush_pending was added to mm_struct that is set when batching starts. I don't think there is a logical place where it can be cleared as when the TLB gets flushed by reclaim, it can't rmap again to clear the flag. What would happen is that the first mprotect after any batching happened at any point in the past would have to unconditionally flush the TLB and then clear the flag. That would be a relatively minor hit and cover all the possibilities and should work unmodified with or without your series applied. Would that be preferable to you? -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f71.google.com (mail-pg0-f71.google.com [74.125.83.71]) by kanga.kvack.org (Postfix) with ESMTP id 517B66B052F for ; Tue, 11 Jul 2017 12:22:53 -0400 (EDT) Received: by mail-pg0-f71.google.com with SMTP id 13so4388186pgg.8 for ; Tue, 11 Jul 2017 09:22:53 -0700 (PDT) Received: from mail-pg0-x243.google.com (mail-pg0-x243.google.com. [2607:f8b0:400e:c05::243]) by mx.google.com with ESMTPS id j193si257220pge.239.2017.07.11.09.22.51 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 09:22:52 -0700 (PDT) Received: by mail-pg0-x243.google.com with SMTP id d193so475111pgc.2 for ; Tue, 11 Jul 2017 09:22:51 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170711132023.wdfpjxwtbqpi3wp2@suse.de> Date: Tue, 11 Jul 2017 09:22:47 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Tue, Jul 11, 2017 at 03:40:02AM -0700, Nadav Amit wrote: >> Mel Gorman wrote: >>=20 >>>>> That is the same to a race whereby there is no batching mechanism = and the >>>>> racing operation happens between a pte clear and a flush as = ptep_clear_flush >>>>> is not atomic. All that differs is that the race window is a = different size. >>>>> The application on CPU1 is buggy in that it may or may not succeed = the write >>>>> but it is buggy regardless of whether a batching mechanism is used = or not. >>>>=20 >>>> Thanks for your quick and detailed response, but I fail to see how = it can >>>> happen without batching. Indeed, the PTE clear and flush are not = ???atomic???, >>>> but without batching they are both performed under the page table = lock >>>> (which is acquired in page_vma_mapped_walk and released in >>>> page_vma_mapped_walk_done). Since the lock is taken, other cores = should not >>>> be able to inspect/modify the PTE. Relevant functions, e.g., = zap_pte_range >>>> and change_pte_range, acquire the lock before accessing the PTEs. >>>=20 >>> I was primarily thinking in terms of memory corruption or data loss. >>> However, we are still protected although it's not particularly = obvious why. >>>=20 >>> On the reclaim side, we are either reclaiming clean pages (which = ignore >>> the accessed bit) or normal reclaim. If it's clean pages then any = parallel >>> write must update the dirty bit at minimum. If it's normal reclaim = then >>> the accessed bit is checked and if cleared in try_to_unmap_one, it = uses a >>> ptep_clear_flush_young_notify so the TLB gets flushed. We don't = reclaim >>> the page in either as part of page_referenced or try_to_unmap_one = but >>> clearing the accessed bit flushes the TLB. >>=20 >> Wait. Are you looking at the x86 arch function? The TLB is not = flushed when >> the access bit is cleared: >>=20 >> int ptep_clear_flush_young(struct vm_area_struct *vma, >> unsigned long address, pte_t *ptep) >> { >> /* >> * On x86 CPUs, clearing the accessed bit without a TLB flush >> * doesn't cause data corruption. [ It could cause incorrect >> * page aging and the (mistaken) reclaim of hot pages, but the >> * chance of that should be relatively low. ] >> * =20 >> * So as a performance optimization don't flush the TLB when >> * clearing the accessed bit, it will eventually be flushed by >> * a context switch or a VM operation anyway. [ In the rare >> * event of it not getting flushed for a long time the delay >> * shouldn't really matter because there's no real memory >> * pressure for swapout to react to. ] >> */ >> return ptep_test_and_clear_young(vma, address, ptep); >> } >=20 > I forgot this detail, thanks for correcting me. >=20 >>> On the mprotect side then, as the page was first accessed, clearing = the >>> accessed bit incurs a TLB flush on the reclaim side before the = second write. >>> That means any TLB entry that exists cannot have the accessed bit = set so >>> a second write needs to update it. >>>=20 >>> While it's not clearly documented, I checked with hardware engineers >>> at the time that an update of the accessed or dirty bit even with a = TLB >>> entry will check the underlying page tables and trap if it's not = present >>> and the subsequent fault will then fail on sigsegv if the VMA = protections >>> no longer allow the write. >>>=20 >>> So, on one side if ignoring the accessed bit during reclaim, the = pages >>> are clean so any access will set the dirty bit and trap if unmapped = in >>> parallel. On the other side, the accessed bit if set cleared the TLB = and >>> if not set, then the hardware needs to update and again will trap if >>> unmapped in parallel. >>=20 >>=20 >> Yet, even regardless to the TLB flush it seems there is still a = possible >> race: >>=20 >> CPU0 CPU1 >> ---- ---- >> ptep_clear_flush_young_notify >> =3D=3D> PTE.A=3D=3D0 >> access PTE >> =3D=3D> PTE.A=3D1 >> prep_get_and_clear >> change mapping (and PTE) >> Use stale TLB entry >=20 > So I think you're right and this is a potential race. The first access = can > be a read or a write as it's a problem if the mprotect call restricts > access. >=20 >>> If this guarantee from hardware was every shown to be wrong or = another >>> architecture wanted to add batching without the same guarantee then = mprotect >>> would need to do a local_flush_tlb if no pages were updated by the = mprotect >>> but right now, this should not be necessary. >>>=20 >>>> Can you please explain why you consider the application to be = buggy? >>>=20 >>> I considered it a bit dumb to mprotect for READ/NONE and then try = writing >>> the same mapping. However, it will behave as expected. >>=20 >> I don???t think that this is the only scenario. For example, the = application >> may create a new memory mapping of a different file using mmap at the = same >> memory address that was used before, just as that memory is = reclaimed. >=20 > That requires the existing mapping to be unmapped which will flush the > TLB and parallel mmap/munmap serialises on mmap_sem. The race appears = to > be specific to mprotect which avoids the TLB flush if no pages were = updated. Why? As far as I see the chain of calls during munmap is somewhat like: do_munmap =3D>unmap_region =3D=3D>tlb_gather_mmu =3D=3D=3D>unmap_vmas =3D=3D=3D=3D>unmap_page_range ... =3D=3D=3D=3D=3D>zap_pte_range - this one batches only present PTEs =3D=3D=3D>free_pgtables - this one is only if page-tables are removed =3D=3D=3D>pte_free_tlb =3D=3D>tlb_finish_mmu =3D=3D=3D>tlb_flush_mmu =3D=3D=3D=3D>tlb_flush_mmu_tlbonly zap_pte_range will check if pte_none and can find it is - if a = concurrent try_to_unmap_one already cleared the PTE. In this case it will not = update the range of the mmu_gather and would not indicate that a flush of the = PTE is needed. Then, tlb_flush_mmu_tlbonly will find that no PTE was cleared (tlb->end =3D=3D 0) and avoid flush, or may just flush fewer PTEs than = actually needed. Due to this behavior, it raises a concern that in other cases as well, = when mmu_gather is used, a PTE flush may be missed. >> The >> application can (inadvertently) cause such a scenario by using = MAP_FIXED. >> But even without MAP_FIXED, running mmap->munmap->mmap can reuse the = same >> virtual address. >=20 > With flushes in between. >=20 >>> Such applications are safe due to how the accessed bit is handled by = the >>> software (flushes TLB if clearing young) and hardware (traps if = updating >>> the accessed or dirty bit and the underlying PTE was unmapped even = if >>> there is a TLB entry). >>=20 >> I don???t think it is so. And I also think there are many additional >> potentially problematic scenarios. >=20 > I believe it's specific to mprotect but can be handled by flushing the > local TLB when mprotect updates no pages. Something like this; >=20 > ---8<--- > mm, mprotect: Flush the local TLB if mprotect potentially raced with a = parallel reclaim >=20 > Nadav Amit identified a theoritical race between page reclaim and = mprotect > due to TLB flushes being batched outside of the PTL being held. He = described > the race as follows >=20 > CPU0 CPU1 > ---- ---- > user accesses memory using RW = PTE > [PTE now cached in TLB] > try_to_unmap_one() > =3D=3D> ptep_get_and_clear() > =3D=3D> set_tlb_ubc_flush_pending() > mprotect(addr, PROT_READ) > =3D=3D> change_pte_range() > =3D=3D> [ PTE non-present - no = flush ] >=20 > user writes using cached RW PTE > ... >=20 > try_to_unmap_flush() >=20 > The same type of race exists for reads when protecting for PROT_NONE. > This is not a data integrity issue as the TLB is always flushed before = any > IO is queued or a page is freed but it is a correctness issue as a = process > restricting access with mprotect() may still be able to access the = data > after the syscall returns due to a stale TLB entry. Handle this issue = by > flushing the local TLB if reclaim is potentially batching TLB flushes = and > mprotect altered no pages. >=20 > Signed-off-by: Mel Gorman > Cc: stable@vger.kernel.org # v4.4+ > --- > mm/internal.h | 5 ++++- > mm/mprotect.c | 12 ++++++++++-- > mm/rmap.c | 20 ++++++++++++++++++++ > 3 files changed, 34 insertions(+), 3 deletions(-) >=20 > diff --git a/mm/internal.h b/mm/internal.h > index 0e4f558412fb..9b7d1a597816 100644 > --- a/mm/internal.h > +++ b/mm/internal.h > @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; > #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH > void try_to_unmap_flush(void); > void try_to_unmap_flush_dirty(void); > +void batched_unmap_protection_update(void); > #else > static inline void try_to_unmap_flush(void) > { > @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) > static inline void try_to_unmap_flush_dirty(void) > { > } > - > +static inline void batched_unmap_protection_update() > +{ > +} > #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ >=20 > extern const struct trace_print_flags pageflag_names[]; > diff --git a/mm/mprotect.c b/mm/mprotect.c > index 8edd0d576254..3de353d4b5fb 100644 > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -254,9 +254,17 @@ static unsigned long = change_protection_range(struct vm_area_struct *vma, > dirty_accountable, prot_numa); > } while (pgd++, addr =3D next, addr !=3D end); >=20 > - /* Only flush the TLB if we actually modified any entries: */ > - if (pages) > + /* > + * Only flush all TLBs if we actually modified any entries. If = no > + * pages are modified, then call batched_unmap_protection_update > + * if the context is a mprotect() syscall. > + */ > + if (pages) { > flush_tlb_range(vma, start, end); > + } else { > + if (!prot_numa) > + batched_unmap_protection_update(); > + } > clear_tlb_flush_pending(mm); >=20 > return pages; > diff --git a/mm/rmap.c b/mm/rmap.c > index d405f0e0ee96..02cb035e4ce6 100644 > --- a/mm/rmap.c > +++ b/mm/rmap.c > @@ -643,6 +643,26 @@ static bool should_defer_flush(struct mm_struct = *mm, enum ttu_flags flags) >=20 > return should_defer; > } > + > +/* > + * This is called after an mprotect update that altered no pages. = Batched > + * unmap releases the PTL before a flush occurs leaving a window = where > + * an mprotect that reduces access rights can still access the page = after > + * mprotect returns via a stale TLB entry. Avoid this possibility by = flushing > + * the local TLB if mprotect updates no pages so that the the caller = of > + * mprotect always gets expected behaviour. It's overkill and = unnecessary to > + * flush all TLBs as a separate thread accessing the data that raced = with > + * both reclaim and mprotect as there is no risk of data corruption = and > + * the exact timing of a parallel thread seeing a protection update = without > + * any serialisation on the application side is always uncertain. > + */ > +void batched_unmap_protection_update(void) > +{ > + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); > + local_flush_tlb(); > + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); > +} > + > #else > static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool = writable) > { I don=E2=80=99t think this solution is enough. I am sorry for not = providing a solution, but I don=E2=80=99t see an easy one. Thanks, Nadav -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f71.google.com (mail-oi0-f71.google.com [209.85.218.71]) by kanga.kvack.org (Postfix) with ESMTP id 15E3B6B0538 for ; Tue, 11 Jul 2017 13:24:15 -0400 (EDT) Received: by mail-oi0-f71.google.com with SMTP id d77so407765oig.7 for ; Tue, 11 Jul 2017 10:24:15 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id c141si391009oig.176.2017.07.11.10.24.12 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 10:24:12 -0700 (PDT) Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com [209.85.213.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id ECF3A22C97 for ; Tue, 11 Jul 2017 17:24:11 +0000 (UTC) Received: by mail-vk0-f47.google.com with SMTP id 191so3800055vko.2 for ; Tue, 11 Jul 2017 10:24:11 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20170711155312.637eyzpqeghcgqzp@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> From: Andy Lutomirski Date: Tue, 11 Jul 2017 10:23:50 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 8:53 AM, Mel Gorman wrote: > On Tue, Jul 11, 2017 at 07:58:04AM -0700, Andrew Lutomirski wrote: >> On Tue, Jul 11, 2017 at 6:20 AM, Mel Gorman wrote: >> > + >> > +/* >> > + * This is called after an mprotect update that altered no pages. Batched >> > + * unmap releases the PTL before a flush occurs leaving a window where >> > + * an mprotect that reduces access rights can still access the page after >> > + * mprotect returns via a stale TLB entry. Avoid this possibility by flushing >> > + * the local TLB if mprotect updates no pages so that the the caller of >> > + * mprotect always gets expected behaviour. It's overkill and unnecessary to >> > + * flush all TLBs as a separate thread accessing the data that raced with >> > + * both reclaim and mprotect as there is no risk of data corruption and >> > + * the exact timing of a parallel thread seeing a protection update without >> > + * any serialisation on the application side is always uncertain. >> > + */ >> > +void batched_unmap_protection_update(void) >> > +{ >> > + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); >> > + local_flush_tlb(); >> > + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); >> > +} >> > + >> >> What about remote CPUs? You could get migrated right after mprotect() >> or the inconsistency could be observed on another CPU. > > If it's migrated then it has also context switched so the TLB entry will > be read for the first time. I don't think this is true. On current kernels, if the other CPU is running a thread in the same process, then there won't be a flush if we migrate there. In -tip, slated for 4.13, if the other CPU is lazy and is using the current process's page tables, it won't flush if we migrate there and it's not stale (as determined by the real flush APIs, not local_tlb_flush()). With PCID, the kernel will aggressively try to avoid the flush no matter what. > If the entry is inconsistent for another CPU > accessing the data then it'll potentially successfully access a page that > was just mprotected but this is similar to simply racing with the call > to mprotect itself. The timing isn't exact, nor does it need to be. Thread A: mprotect(..., PROT_READ); pthread_mutex_unlock(); Thread B: pthread_mutex_lock(); write to the mprotected address; I think it's unlikely that this exact scenario will affect a conventional C program, but I can see various GC systems and sandboxes being very surprised. > One > thread accessing data racing with another thread doing mprotect without > any synchronisation in the application is always going to be unreliable. As above, there can be synchronization that's entirely invisible to the kernel. >> I also really >> don't like bypassing arch code like this. The implementation of >> flush_tlb_mm_range() in tip:x86/mm (and slated for this merge window!) >> is *very* different from what's there now, and it is not written in >> the expectation that some generic code might call local_tlb_flush() >> and expect any kind of coherency at all. >> > > Assuming that gets merged first then the most straight-forward approach > would be to setup a arch_tlbflush_unmap_batch with just the local CPU set > in the mask or something similar. With what semantics? >> Would a better fix perhaps be to find a way to figure out whether a >> batched flush is pending on the mm in question and flush it out if you >> do any optimizations based on assuming that the TLB is in any respect >> consistent with the page tables? With the changes in -tip, x86 could, >> in principle, supply a function to sync up its TLB state. That would >> require cross-CPU poking at state or an inconditional IPI (that might >> end up not flushing anything), but either is doable. > > It's potentially doable if a field like tlb_flush_pending was added > to mm_struct that is set when batching starts. I don't think there is > a logical place where it can be cleared as when the TLB gets flushed by > reclaim, it can't rmap again to clear the flag. What would happen is that > the first mprotect after any batching happened at any point in the past > would have to unconditionally flush the TLB and then clear the flag. That > would be a relatively minor hit and cover all the possibilities and should > work unmodified with or without your series applied. > > Would that be preferable to you? I'm not sure I understand it well enough to know whether I like it. I'm imagining an API that says "I'm about to rely on TLBs being coherent for this mm -- make it so". On x86, this would be roughly equivalent to a flush on the mm minus the mandatory flush part, at least with my patches applied. It would be considerably messier without my patches. But I'd like to make sure that the full extent of the problem is understood before getting too excited about solving it. --Andy -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f200.google.com (mail-wr0-f200.google.com [209.85.128.200]) by kanga.kvack.org (Postfix) with ESMTP id A70306810BE for ; Tue, 11 Jul 2017 15:18:27 -0400 (EDT) Received: by mail-wr0-f200.google.com with SMTP id u110so358256wrb.14 for ; Tue, 11 Jul 2017 12:18:27 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id v143si124226wmd.52.2017.07.11.12.18.25 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 12:18:25 -0700 (PDT) Date: Tue, 11 Jul 2017 20:18:23 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711191823.qthrmdgqcd3rygjk@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 10:23:50AM -0700, Andrew Lutomirski wrote: > On Tue, Jul 11, 2017 at 8:53 AM, Mel Gorman wrote: > > On Tue, Jul 11, 2017 at 07:58:04AM -0700, Andrew Lutomirski wrote: > >> On Tue, Jul 11, 2017 at 6:20 AM, Mel Gorman wrote: > >> > + > >> > +/* > >> > + * This is called after an mprotect update that altered no pages. Batched > >> > + * unmap releases the PTL before a flush occurs leaving a window where > >> > + * an mprotect that reduces access rights can still access the page after > >> > + * mprotect returns via a stale TLB entry. Avoid this possibility by flushing > >> > + * the local TLB if mprotect updates no pages so that the the caller of > >> > + * mprotect always gets expected behaviour. It's overkill and unnecessary to > >> > + * flush all TLBs as a separate thread accessing the data that raced with > >> > + * both reclaim and mprotect as there is no risk of data corruption and > >> > + * the exact timing of a parallel thread seeing a protection update without > >> > + * any serialisation on the application side is always uncertain. > >> > + */ > >> > +void batched_unmap_protection_update(void) > >> > +{ > >> > + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); > >> > + local_flush_tlb(); > >> > + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); > >> > +} > >> > + > >> > >> What about remote CPUs? You could get migrated right after mprotect() > >> or the inconsistency could be observed on another CPU. > > > > If it's migrated then it has also context switched so the TLB entry will > > be read for the first time. > > I don't think this is true. On current kernels, if the other CPU is > running a thread in the same process, then there won't be a flush if > we migrate there. True although that would also be covered if a flush happening unconditionally on mprotect (and arguably munmap) if a batched TLB flush took place in the past. It's heavier than it needs to be but it would be trivial to track and only incur a cost if reclaim touched any pages belonging to the process in the past so a relatively rare operation in the normal case. It could be forced by continually keeping a system under memory pressure while looping around mprotect but the worst-case would be similar costs to never batching the flushing at all. > In -tip, slated for 4.13, if the other CPU is lazy > and is using the current process's page tables, it won't flush if we > migrate there and it's not stale (as determined by the real flush > APIs, not local_tlb_flush()). With PCID, the kernel will aggressively > try to avoid the flush no matter what. > I agree that PCID means that flushing needs to be more agressive and there is not much point working on two solutions and assume PCID is merged. > > If the entry is inconsistent for another CPU > > accessing the data then it'll potentially successfully access a page that > > was just mprotected but this is similar to simply racing with the call > > to mprotect itself. The timing isn't exact, nor does it need to be. > > Thread A: > mprotect(..., PROT_READ); > pthread_mutex_unlock(); > > Thread B: > pthread_mutex_lock(); > write to the mprotected address; > > I think it's unlikely that this exact scenario will affect a > conventional C program, but I can see various GC systems and sandboxes > being very surprised. > Maybe. The window is massively wide as the mprotect, unlock, remote wakeup and write all need to complete between the unmap releasing the PTL and the flush taking place. Still, it is theoritically possible. > > >> I also really > >> don't like bypassing arch code like this. The implementation of > >> flush_tlb_mm_range() in tip:x86/mm (and slated for this merge window!) > >> is *very* different from what's there now, and it is not written in > >> the expectation that some generic code might call local_tlb_flush() > >> and expect any kind of coherency at all. > >> > > > > Assuming that gets merged first then the most straight-forward approach > > would be to setup a arch_tlbflush_unmap_batch with just the local CPU set > > in the mask or something similar. > > With what semantics? > I'm dropping this idea because the more I think about it, the more I think that a more general flush is needed if TLB batching was used in the past. We could keep active track of mm's with flushes pending but it would be fairly complex, cost in terms of keeping track of mm's needing flushing and ultimately might be more expensive than just flushing immediately. If it's actually unfixable then, even though it's theoritical given the massive amount of activity that has to happen in a very short window, there would be no choice but to remove the TLB batching entirely which would be very unfortunate given that IPIs during reclaim will be very high once again. > >> Would a better fix perhaps be to find a way to figure out whether a > >> batched flush is pending on the mm in question and flush it out if you > >> do any optimizations based on assuming that the TLB is in any respect > >> consistent with the page tables? With the changes in -tip, x86 could, > >> in principle, supply a function to sync up its TLB state. That would > >> require cross-CPU poking at state or an inconditional IPI (that might > >> end up not flushing anything), but either is doable. > > > > It's potentially doable if a field like tlb_flush_pending was added > > to mm_struct that is set when batching starts. I don't think there is > > a logical place where it can be cleared as when the TLB gets flushed by > > reclaim, it can't rmap again to clear the flag. What would happen is that > > the first mprotect after any batching happened at any point in the past > > would have to unconditionally flush the TLB and then clear the flag. That > > would be a relatively minor hit and cover all the possibilities and should > > work unmodified with or without your series applied. > > > > Would that be preferable to you? > > I'm not sure I understand it well enough to know whether I like it. > I'm imagining an API that says "I'm about to rely on TLBs being > coherent for this mm -- make it so". I don't think we should be particularly clever about this and instead just flush the full mm if there is a risk of a parallel batching of flushing is in progress resulting in a stale TLB entry being used. I think tracking mms that are currently batching would end up being costly in terms of memory, fairly complex, or both. Something like this? diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 45cdb27791a3..ab8f7e11c160 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -495,6 +495,10 @@ struct mm_struct { */ bool tlb_flush_pending; #endif +#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH + /* See flush_tlb_batched_pending() */ + bool tlb_flush_batched; +#endif struct uprobes_state uprobes_state; #ifdef CONFIG_HUGETLB_PAGE atomic_long_t hugetlb_usage; diff --git a/mm/internal.h b/mm/internal.h index 0e4f558412fb..bf835a5a9854 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH void try_to_unmap_flush(void); void try_to_unmap_flush_dirty(void); +void flush_tlb_batched_pending(struct mm_struct *mm); #else static inline void try_to_unmap_flush(void) { @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) static inline void try_to_unmap_flush_dirty(void) { } - +static inline void mm_tlb_flush_batched(struct mm_struct *mm) +{ +} #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ extern const struct trace_print_flags pageflag_names[]; diff --git a/mm/memory.c b/mm/memory.c index bb11c474857e..b0c3d1556a94 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1197,6 +1197,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, init_rss_vec(rss); start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); pte = start_pte; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); do { pte_t ptent = *pte; diff --git a/mm/mprotect.c b/mm/mprotect.c index 8edd0d576254..27135b91a4b4 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -61,6 +61,9 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, if (!pte) return 0; + /* Guard against parallel reclaim batching a TLB flush without PTL */ + flush_tlb_batched_pending(vma->vm_mm); + /* Get target node for single threaded private VMAs */ if (prot_numa && !(vma->vm_flags & VM_SHARED) && atomic_read(&vma->vm_mm->mm_users) == 1) diff --git a/mm/rmap.c b/mm/rmap.c index d405f0e0ee96..52633a124a4e 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) return false; /* If remote CPUs need to be flushed then defer batch the flush */ - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { should_defer = true; + mm->tlb_flush_batched = true; + } put_cpu(); return should_defer; } + +/* + * Reclaim batches unmaps pages under the PTL but does not flush the TLB + * TLB prior to releasing the PTL. It's possible a parallel mprotect or + * munmap can race between reclaim unmapping the page and flushing the + * page. If this race occurs, it potentially allows access to data via + * a stale TLB entry. Tracking all mm's that have TLB batching pending + * would be expensive during reclaim so instead track whether TLB batching + * occured in the past and if so then do a full mm flush here. This will + * cost one additional flush per reclaim cycle paid by the first munmap or + * mprotect. This assumes it's called under the PTL to synchronise access + * to mm->tlb_flush_batched. + */ +void flush_tlb_batched_pending(struct mm_struct *mm) +{ + if (mm->tlb_flush_batched) { + flush_tlb_mm(mm); + mm->tlb_flush_batched = false; + } +} #else static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) { -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f199.google.com (mail-pf0-f199.google.com [209.85.192.199]) by kanga.kvack.org (Postfix) with ESMTP id AAD546810BE for ; Tue, 11 Jul 2017 16:06:52 -0400 (EDT) Received: by mail-pf0-f199.google.com with SMTP id d18so2618898pfe.8 for ; Tue, 11 Jul 2017 13:06:52 -0700 (PDT) Received: from mail-pf0-x244.google.com (mail-pf0-x244.google.com. [2607:f8b0:400e:c00::244]) by mx.google.com with ESMTPS id o89si176843pfk.208.2017.07.11.13.06.51 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 13:06:51 -0700 (PDT) Received: by mail-pf0-x244.google.com with SMTP id c24so314662pfe.1 for ; Tue, 11 Jul 2017 13:06:51 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170711191823.qthrmdgqcd3rygjk@suse.de> Date: Tue, 11 Jul 2017 13:06:48 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <3373F577-F289-4028-B6F6-777D029A7B07@gmail.com> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Tue, Jul 11, 2017 at 10:23:50AM -0700, Andrew Lutomirski wrote: >> On Tue, Jul 11, 2017 at 8:53 AM, Mel Gorman wrote: >>> On Tue, Jul 11, 2017 at 07:58:04AM -0700, Andrew Lutomirski wrote: >>>> On Tue, Jul 11, 2017 at 6:20 AM, Mel Gorman = wrote: >>>>> + >>>>> +/* >>>>> + * This is called after an mprotect update that altered no pages. = Batched >>>>> + * unmap releases the PTL before a flush occurs leaving a window = where >>>>> + * an mprotect that reduces access rights can still access the = page after >>>>> + * mprotect returns via a stale TLB entry. Avoid this possibility = by flushing >>>>> + * the local TLB if mprotect updates no pages so that the the = caller of >>>>> + * mprotect always gets expected behaviour. It's overkill and = unnecessary to >>>>> + * flush all TLBs as a separate thread accessing the data that = raced with >>>>> + * both reclaim and mprotect as there is no risk of data = corruption and >>>>> + * the exact timing of a parallel thread seeing a protection = update without >>>>> + * any serialisation on the application side is always uncertain. >>>>> + */ >>>>> +void batched_unmap_protection_update(void) >>>>> +{ >>>>> + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); >>>>> + local_flush_tlb(); >>>>> + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); >>>>> +} >>>>> + >>>>=20 >>>> What about remote CPUs? You could get migrated right after = mprotect() >>>> or the inconsistency could be observed on another CPU. >>>=20 >>> If it's migrated then it has also context switched so the TLB entry = will >>> be read for the first time. >>=20 >> I don't think this is true. On current kernels, if the other CPU is >> running a thread in the same process, then there won't be a flush if >> we migrate there. >=20 > True although that would also be covered if a flush happening = unconditionally > on mprotect (and arguably munmap) if a batched TLB flush took place in = the > past. It's heavier than it needs to be but it would be trivial to = track > and only incur a cost if reclaim touched any pages belonging to the = process > in the past so a relatively rare operation in the normal case. It = could be > forced by continually keeping a system under memory pressure while = looping > around mprotect but the worst-case would be similar costs to never = batching > the flushing at all. >=20 >> In -tip, slated for 4.13, if the other CPU is lazy >> and is using the current process's page tables, it won't flush if we >> migrate there and it's not stale (as determined by the real flush >> APIs, not local_tlb_flush()). With PCID, the kernel will = aggressively >> try to avoid the flush no matter what. >=20 > I agree that PCID means that flushing needs to be more agressive and = there > is not much point working on two solutions and assume PCID is merged. >=20 >>> If the entry is inconsistent for another CPU >>> accessing the data then it'll potentially successfully access a page = that >>> was just mprotected but this is similar to simply racing with the = call >>> to mprotect itself. The timing isn't exact, nor does it need to be. >>=20 >> Thread A: >> mprotect(..., PROT_READ); >> pthread_mutex_unlock(); >>=20 >> Thread B: >> pthread_mutex_lock(); >> write to the mprotected address; >>=20 >> I think it's unlikely that this exact scenario will affect a >> conventional C program, but I can see various GC systems and = sandboxes >> being very surprised. >=20 > Maybe. The window is massively wide as the mprotect, unlock, remote = wakeup > and write all need to complete between the unmap releasing the PTL and > the flush taking place. Still, it is theoritically possible. Consider also virtual machines. A VCPU may be preempted by the = hypervisor right after a PTE change and before the flush - so the time between the = two can be rather large. >>>> I also really >>>> don't like bypassing arch code like this. The implementation of >>>> flush_tlb_mm_range() in tip:x86/mm (and slated for this merge = window!) >>>> is *very* different from what's there now, and it is not written in >>>> the expectation that some generic code might call local_tlb_flush() >>>> and expect any kind of coherency at all. >>>=20 >>> Assuming that gets merged first then the most straight-forward = approach >>> would be to setup a arch_tlbflush_unmap_batch with just the local = CPU set >>> in the mask or something similar. >>=20 >> With what semantics? >=20 > I'm dropping this idea because the more I think about it, the more I = think > that a more general flush is needed if TLB batching was used in the = past. > We could keep active track of mm's with flushes pending but it would = be > fairly complex, cost in terms of keeping track of mm's needing = flushing > and ultimately might be more expensive than just flushing immediately. >=20 > If it's actually unfixable then, even though it's theoritical given = the > massive amount of activity that has to happen in a very short window, = there > would be no choice but to remove the TLB batching entirely which would = be > very unfortunate given that IPIs during reclaim will be very high once = again. >=20 >>>> Would a better fix perhaps be to find a way to figure out whether a >>>> batched flush is pending on the mm in question and flush it out if = you >>>> do any optimizations based on assuming that the TLB is in any = respect >>>> consistent with the page tables? With the changes in -tip, x86 = could, >>>> in principle, supply a function to sync up its TLB state. That = would >>>> require cross-CPU poking at state or an inconditional IPI (that = might >>>> end up not flushing anything), but either is doable. >>>=20 >>> It's potentially doable if a field like tlb_flush_pending was added >>> to mm_struct that is set when batching starts. I don't think there = is >>> a logical place where it can be cleared as when the TLB gets flushed = by >>> reclaim, it can't rmap again to clear the flag. What would happen is = that >>> the first mprotect after any batching happened at any point in the = past >>> would have to unconditionally flush the TLB and then clear the flag. = That >>> would be a relatively minor hit and cover all the possibilities and = should >>> work unmodified with or without your series applied. >>>=20 >>> Would that be preferable to you? >>=20 >> I'm not sure I understand it well enough to know whether I like it. >> I'm imagining an API that says "I'm about to rely on TLBs being >> coherent for this mm -- make it so". >=20 > I don't think we should be particularly clever about this and instead = just > flush the full mm if there is a risk of a parallel batching of = flushing is > in progress resulting in a stale TLB entry being used. I think = tracking mms > that are currently batching would end up being costly in terms of = memory, > fairly complex, or both. Something like this? >=20 > diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h > index 45cdb27791a3..ab8f7e11c160 100644 > --- a/include/linux/mm_types.h > +++ b/include/linux/mm_types.h > @@ -495,6 +495,10 @@ struct mm_struct { > */ > bool tlb_flush_pending; > #endif > +#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH > + /* See flush_tlb_batched_pending() */ > + bool tlb_flush_batched; > +#endif > struct uprobes_state uprobes_state; > #ifdef CONFIG_HUGETLB_PAGE > atomic_long_t hugetlb_usage; > diff --git a/mm/internal.h b/mm/internal.h > index 0e4f558412fb..bf835a5a9854 100644 > --- a/mm/internal.h > +++ b/mm/internal.h > @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; > #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH > void try_to_unmap_flush(void); > void try_to_unmap_flush_dirty(void); > +void flush_tlb_batched_pending(struct mm_struct *mm); > #else > static inline void try_to_unmap_flush(void) > { > @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) > static inline void try_to_unmap_flush_dirty(void) > { > } > - > +static inline void mm_tlb_flush_batched(struct mm_struct *mm) > +{ > +} > #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ >=20 > extern const struct trace_print_flags pageflag_names[]; > diff --git a/mm/memory.c b/mm/memory.c > index bb11c474857e..b0c3d1556a94 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -1197,6 +1197,7 @@ static unsigned long zap_pte_range(struct = mmu_gather *tlb, > init_rss_vec(rss); > start_pte =3D pte_offset_map_lock(mm, pmd, addr, &ptl); > pte =3D start_pte; > + flush_tlb_batched_pending(mm); > arch_enter_lazy_mmu_mode(); > do { > pte_t ptent =3D *pte; > diff --git a/mm/mprotect.c b/mm/mprotect.c > index 8edd0d576254..27135b91a4b4 100644 > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -61,6 +61,9 @@ static unsigned long change_pte_range(struct = vm_area_struct *vma, pmd_t *pmd, > if (!pte) > return 0; >=20 > + /* Guard against parallel reclaim batching a TLB flush without = PTL */ > + flush_tlb_batched_pending(vma->vm_mm); > + > /* Get target node for single threaded private VMAs */ > if (prot_numa && !(vma->vm_flags & VM_SHARED) && > atomic_read(&vma->vm_mm->mm_users) =3D=3D 1) > diff --git a/mm/rmap.c b/mm/rmap.c > index d405f0e0ee96..52633a124a4e 100644 > --- a/mm/rmap.c > +++ b/mm/rmap.c > @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct = *mm, enum ttu_flags flags) > return false; >=20 > /* If remote CPUs need to be flushed then defer batch the flush = */ > - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) > + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { > should_defer =3D true; > + mm->tlb_flush_batched =3D true; > + } > put_cpu(); >=20 > return should_defer; > } > + > +/* > + * Reclaim batches unmaps pages under the PTL but does not flush the = TLB > + * TLB prior to releasing the PTL. It's possible a parallel mprotect = or > + * munmap can race between reclaim unmapping the page and flushing = the > + * page. If this race occurs, it potentially allows access to data = via > + * a stale TLB entry. Tracking all mm's that have TLB batching = pending > + * would be expensive during reclaim so instead track whether TLB = batching > + * occured in the past and if so then do a full mm flush here. This = will > + * cost one additional flush per reclaim cycle paid by the first = munmap or > + * mprotect. This assumes it's called under the PTL to synchronise = access > + * to mm->tlb_flush_batched. > + */ > +void flush_tlb_batched_pending(struct mm_struct *mm) > +{ > + if (mm->tlb_flush_batched) { > + flush_tlb_mm(mm); > + mm->tlb_flush_batched =3D false; > + } > +} > #else > static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool = writable) > { I don=E2=80=99t know what is exactly the invariant that is kept, so it = is hard for me to figure out all sort of questions: Should pte_accessible return true if mm->tlb_flush_batch=3D=3Dtrue ? Does madvise_free_pte_range need to be modified as well? How will future code not break anything? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f198.google.com (mail-wr0-f198.google.com [209.85.128.198]) by kanga.kvack.org (Postfix) with ESMTP id 534DA6810BE for ; Tue, 11 Jul 2017 16:09:26 -0400 (EDT) Received: by mail-wr0-f198.google.com with SMTP id x23so633320wrb.6 for ; Tue, 11 Jul 2017 13:09:26 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id l9si173573wrb.104.2017.07.11.13.09.24 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 13:09:25 -0700 (PDT) Date: Tue, 11 Jul 2017 21:09:23 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711200923.gyaxfjzz3tpvreuq@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <20170711191823.qthrmdgqcd3rygjk@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: > I don't think we should be particularly clever about this and instead just > flush the full mm if there is a risk of a parallel batching of flushing is > in progress resulting in a stale TLB entry being used. I think tracking mms > that are currently batching would end up being costly in terms of memory, > fairly complex, or both. Something like this? > mremap and madvise(DONTNEED) would also need to flush. Memory policies are fine as a move_pages call that hits the race will simply fail to migrate a page that is being freed and once migration starts, it'll be flushed so a stale access has no further risk. copy_page_range should also be ok as the old mm is flushed and the new mm cannot have entries yet. -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f198.google.com (mail-wr0-f198.google.com [209.85.128.198]) by kanga.kvack.org (Postfix) with ESMTP id E661D6B04D3 for ; Tue, 11 Jul 2017 17:09:22 -0400 (EDT) Received: by mail-wr0-f198.google.com with SMTP id u30so982594wrc.9 for ; Tue, 11 Jul 2017 14:09:22 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id p128si352333wmb.40.2017.07.11.14.09.21 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 14:09:21 -0700 (PDT) Date: Tue, 11 Jul 2017 22:09:19 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711210919.y4odiqtfeb4e3ulz@suse.de> References: <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <3373F577-F289-4028-B6F6-777D029A7B07@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <3373F577-F289-4028-B6F6-777D029A7B07@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 01:06:48PM -0700, Nadav Amit wrote: > > +/* > > + * Reclaim batches unmaps pages under the PTL but does not flush the TLB > > + * TLB prior to releasing the PTL. It's possible a parallel mprotect or > > + * munmap can race between reclaim unmapping the page and flushing the > > + * page. If this race occurs, it potentially allows access to data via > > + * a stale TLB entry. Tracking all mm's that have TLB batching pending > > + * would be expensive during reclaim so instead track whether TLB batching > > + * occured in the past and if so then do a full mm flush here. This will > > + * cost one additional flush per reclaim cycle paid by the first munmap or > > + * mprotect. This assumes it's called under the PTL to synchronise access > > + * to mm->tlb_flush_batched. > > + */ > > +void flush_tlb_batched_pending(struct mm_struct *mm) > > +{ > > + if (mm->tlb_flush_batched) { > > + flush_tlb_mm(mm); > > + mm->tlb_flush_batched = false; > > + } > > +} > > #else > > static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) > > { > > I don???t know what is exactly the invariant that is kept, so it is hard for > me to figure out all sort of questions: > > Should pte_accessible return true if mm->tlb_flush_batch==true ? > It shouldn't be necessary. The contexts where we hit the path are uprobes: elevated page count so no parallel reclaim dax: PTEs are not mapping that would be reclaimed hugetlbfs: Not reclaimed ksm: holds page lock and elevates count so cannot race with reclaim cow: at the time of the flush, the page count is elevated so cannot race with reclaim page_mkclean: only concerned with marking existing ptes clean but in any case, the batching flushes the TLB before issueing any IO so there isn't space for a stable TLB entry to be used for something bad. > Does madvise_free_pte_range need to be modified as well? > Yes, I noticed that out shortly after sending the first version and commented upon it. > How will future code not break anything? > I can't really answer that without a crystal ball. Code dealing with page table updates would need to take some care if it can race with parallel reclaim. -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com [209.85.128.197]) by kanga.kvack.org (Postfix) with ESMTP id 769D16810BE for ; Tue, 11 Jul 2017 17:52:44 -0400 (EDT) Received: by mail-wr0-f197.google.com with SMTP id 23so1171912wry.4 for ; Tue, 11 Jul 2017 14:52:44 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id m63si392447wme.38.2017.07.11.14.52.42 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 14:52:43 -0700 (PDT) Date: Tue, 11 Jul 2017 22:52:41 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711215240.tdpmwmgwcuerjj3o@suse.de> References: <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <20170711200923.gyaxfjzz3tpvreuq@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 09:09:23PM +0100, Mel Gorman wrote: > On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: > > I don't think we should be particularly clever about this and instead just > > flush the full mm if there is a risk of a parallel batching of flushing is > > in progress resulting in a stale TLB entry being used. I think tracking mms > > that are currently batching would end up being costly in terms of memory, > > fairly complex, or both. Something like this? > > > > mremap and madvise(DONTNEED) would also need to flush. Memory policies are > fine as a move_pages call that hits the race will simply fail to migrate > a page that is being freed and once migration starts, it'll be flushed so > a stale access has no further risk. copy_page_range should also be ok as > the old mm is flushed and the new mm cannot have entries yet. > Adding those results in ---8<--- mm, mprotect: Flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries Nadav Amit identified a theoritical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. For some operations like mprotect, it's not a data integrity issue but it is a correctness issue. For munmap, it's potentially a data integrity issue although the race is massive as an munmap, mmap and return to userspace must all complete between the window when reclaim drops the PTL and flushes the TLB. However, it's theoritically possible so handle this issue by flushing the mm if reclaim is potentially currently batching TLB flushes. Other instances where a flush is required for a present pte should be ok as either page reference counts are elevated preventing parallel reclaim or in the case of page_mkclean there isn't an obvious path that userspace could take advantage of without using the operations that are guarded by this patch. Other users such as gup as a race with reclaim looks just at PTEs. huge page variants should be ok as they don't race with reclaim. mincore only looks at PTEs. userfault also should be ok as if a parallel reclaim takes place, it will either fault the page back in or read some of the data before the flush occurs triggering a fault. Signed-off-by: Mel Gorman Cc: stable@vger.kernel.org # v4.4+ --- include/linux/mm_types.h | 4 ++++ mm/internal.h | 5 ++++- mm/madvise.c | 1 + mm/memory.c | 1 + mm/mprotect.c | 3 +++ mm/mremap.c | 1 + mm/rmap.c | 24 +++++++++++++++++++++++- 7 files changed, 37 insertions(+), 2 deletions(-) diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 45cdb27791a3..ab8f7e11c160 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -495,6 +495,10 @@ struct mm_struct { */ bool tlb_flush_pending; #endif +#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH + /* See flush_tlb_batched_pending() */ + bool tlb_flush_batched; +#endif struct uprobes_state uprobes_state; #ifdef CONFIG_HUGETLB_PAGE atomic_long_t hugetlb_usage; diff --git a/mm/internal.h b/mm/internal.h index 0e4f558412fb..bf835a5a9854 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH void try_to_unmap_flush(void); void try_to_unmap_flush_dirty(void); +void flush_tlb_batched_pending(struct mm_struct *mm); #else static inline void try_to_unmap_flush(void) { @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) static inline void try_to_unmap_flush_dirty(void) { } - +static inline void mm_tlb_flush_batched(struct mm_struct *mm) +{ +} #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ extern const struct trace_print_flags pageflag_names[]; diff --git a/mm/madvise.c b/mm/madvise.c index 25b78ee4fc2c..75d2cffbe61d 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -320,6 +320,7 @@ static int madvise_free_pte_range(pmd_t *pmd, unsigned long addr, tlb_remove_check_page_size_change(tlb, PAGE_SIZE); orig_pte = pte = pte_offset_map_lock(mm, pmd, addr, &ptl); + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); for (; addr != end; pte++, addr += PAGE_SIZE) { ptent = *pte; diff --git a/mm/memory.c b/mm/memory.c index bb11c474857e..b0c3d1556a94 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1197,6 +1197,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, init_rss_vec(rss); start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); pte = start_pte; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); do { pte_t ptent = *pte; diff --git a/mm/mprotect.c b/mm/mprotect.c index 8edd0d576254..27135b91a4b4 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -61,6 +61,9 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, if (!pte) return 0; + /* Guard against parallel reclaim batching a TLB flush without PTL */ + flush_tlb_batched_pending(vma->vm_mm); + /* Get target node for single threaded private VMAs */ if (prot_numa && !(vma->vm_flags & VM_SHARED) && atomic_read(&vma->vm_mm->mm_users) == 1) diff --git a/mm/mremap.c b/mm/mremap.c index cd8a1b199ef9..6e3d857458de 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -152,6 +152,7 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, new_ptl = pte_lockptr(mm, new_pmd); if (new_ptl != old_ptl) spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); + flush_tlb_batched_pending(vma->vm_mm); arch_enter_lazy_mmu_mode(); for (; old_addr < old_end; old_pte++, old_addr += PAGE_SIZE, diff --git a/mm/rmap.c b/mm/rmap.c index d405f0e0ee96..5a3e4ff9c4a0 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) return false; /* If remote CPUs need to be flushed then defer batch the flush */ - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { should_defer = true; + mm->tlb_flush_batched = true; + } put_cpu(); return should_defer; } + +/* + * Reclaim unmaps pages under the PTL but does not flush the TLB prior to + * releasing the PTL if TLB flushes are batched. It's possible a parallel + * operation such as mprotect or munmap to race between reclaim unmapping + * the page and flushing the page If this race occurs, it potentially allows + * access to data via a stale TLB entry. Tracking all mm's that have TLB + * batching pending would be expensive during reclaim so instead track + * whether TLB batching occured in the past and if so then do a full mmi + * flush here. This will cost one additional flush per reclaim cycle paid + * by the first operation at risk such as mprotect and mumap. This assumes + * it's called under the PTL to synchronise access to mm->tlb_flush_batched. + */ +void flush_tlb_batched_pending(struct mm_struct *mm) +{ + if (mm->tlb_flush_batched) { + flush_tlb_mm(mm); + mm->tlb_flush_batched = false; + } +} #else static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) { -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f69.google.com (mail-oi0-f69.google.com [209.85.218.69]) by kanga.kvack.org (Postfix) with ESMTP id 713DB6810BE for ; Tue, 11 Jul 2017 18:08:20 -0400 (EDT) Received: by mail-oi0-f69.google.com with SMTP id t194so407093oif.8 for ; Tue, 11 Jul 2017 15:08:20 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id k132si356554oia.74.2017.07.11.15.08.19 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 15:08:19 -0700 (PDT) Received: from mail-vk0-f49.google.com (mail-vk0-f49.google.com [209.85.213.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B8E7122CAC for ; Tue, 11 Jul 2017 22:08:18 +0000 (UTC) Received: by mail-vk0-f49.google.com with SMTP id 191so3204355vko.2 for ; Tue, 11 Jul 2017 15:08:18 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <20170711191823.qthrmdgqcd3rygjk@suse.de> References: <69BBEB97-1B10-4229-9AEF-DE19C26D8DFF@gmail.com> <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> From: Andy Lutomirski Date: Tue, 11 Jul 2017 15:07:57 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 12:18 PM, Mel Gorman wrote: I would change this slightly: > +void flush_tlb_batched_pending(struct mm_struct *mm) > +{ > + if (mm->tlb_flush_batched) { > + flush_tlb_mm(mm); How about making this a new helper arch_tlbbatch_flush_one_mm(mm); The idea is that this could be implemented as flush_tlb_mm(mm), but the actual semantics needed are weaker. All that's really needed AFAICS is to make sure that any arch_tlbbatch_add_mm() calls on this mm that have already happened become effective by the time that arch_tlbbatch_flush_one_mm() returns. The initial implementation would be this: struct flush_tlb_info info = { .mm = mm, .new_tlb_gen = atomic64_read(&mm->context.tlb_gen); .start = 0, .end = TLB_FLUSH_ALL, }; and the rest is like flush_tlb_mm_range(). flush_tlb_func_common() will already do the right thing, but the comments should probably be updated, too. The benefit would be that, if you just call this on an mm when everything is already flushed, it will still do the IPIs but it won't do the actual flush. A better future implementation could iterate over each cpu in mm_cpumask(), and, using either a new lock or very careful atomics, check whether that CPU really needs flushing. In -tip, all the information needed to figure this out is already there in the percpu state -- it's just not currently set up for remote access. For backports, it would just be flush_tlb_mm(). --Andy -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f70.google.com (mail-pg0-f70.google.com [74.125.83.70]) by kanga.kvack.org (Postfix) with ESMTP id A05A66810BE for ; Tue, 11 Jul 2017 18:27:58 -0400 (EDT) Received: by mail-pg0-f70.google.com with SMTP id u5so6026579pgq.14 for ; Tue, 11 Jul 2017 15:27:58 -0700 (PDT) Received: from mail-pg0-x242.google.com (mail-pg0-x242.google.com. [2607:f8b0:400e:c05::242]) by mx.google.com with ESMTPS id h9si419604pln.160.2017.07.11.15.27.57 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 15:27:57 -0700 (PDT) Received: by mail-pg0-x242.google.com with SMTP id y129so621953pgy.3 for ; Tue, 11 Jul 2017 15:27:57 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170711215240.tdpmwmgwcuerjj3o@suse.de> Date: Tue, 11 Jul 2017 15:27:55 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> References: <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Tue, Jul 11, 2017 at 09:09:23PM +0100, Mel Gorman wrote: >> On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: >>> I don't think we should be particularly clever about this and = instead just >>> flush the full mm if there is a risk of a parallel batching of = flushing is >>> in progress resulting in a stale TLB entry being used. I think = tracking mms >>> that are currently batching would end up being costly in terms of = memory, >>> fairly complex, or both. Something like this? >>=20 >> mremap and madvise(DONTNEED) would also need to flush. Memory = policies are >> fine as a move_pages call that hits the race will simply fail to = migrate >> a page that is being freed and once migration starts, it'll be = flushed so >> a stale access has no further risk. copy_page_range should also be ok = as >> the old mm is flushed and the new mm cannot have entries yet. >=20 > Adding those results in You are way too fast for me. > --- a/mm/rmap.c > +++ b/mm/rmap.c > @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct = *mm, enum ttu_flags flags) > return false; >=20 > /* If remote CPUs need to be flushed then defer batch the flush = */ > - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) > + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { > should_defer =3D true; > + mm->tlb_flush_batched =3D true; > + } Since mm->tlb_flush_batched is set before the PTE is actually cleared, = it still seems to leave a short window for a race. CPU0 CPU1 ---- ---- should_defer_flush =3D> mm->tlb_flush_batched=3Dtrue =09 flush_tlb_batched_pending (another PT) =3D> flush TLB =3D> mm->tlb_flush_batched=3Dfalse ptep_get_and_clear ... flush_tlb_batched_pending (batched PT) use the stale PTE ... try_to_unmap_flush IOW it seems that mm->flush_flush_batched should be set after the PTE is cleared (and have some compiler barrier to be on the safe side). Just to clarify - I don=E2=80=99t try to annoy, but I considered = building and submitting a patch based on some artifacts of a study I conducted, and = this issue drove me crazy. One more question, please: how does elevated page count or even locking = the page help (as you mention in regard to uprobes and ksm)? Yes, the page = will not be reclaimed, but IIUC try_to_unmap is called before the reference = count is frozen, and the page lock is dropped on each iteration of the loop in shrink_page_list. In this case, it seems to me that uprobes or ksm may = still not flush the TLB. Thanks, Nadav= -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com [209.85.128.197]) by kanga.kvack.org (Postfix) with ESMTP id 5D8376810BE for ; Tue, 11 Jul 2017 18:33:15 -0400 (EDT) Received: by mail-wr0-f197.google.com with SMTP id x23so1391748wrb.6 for ; Tue, 11 Jul 2017 15:33:15 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id k129si464331wmf.136.2017.07.11.15.33.14 for (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 11 Jul 2017 15:33:14 -0700 (PDT) Date: Tue, 11 Jul 2017 23:33:11 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170711223311.iu7hxce5swmet6u3@suse.de> References: <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Nadav Amit , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 03:07:57PM -0700, Andrew Lutomirski wrote: > On Tue, Jul 11, 2017 at 12:18 PM, Mel Gorman wrote: > > I would change this slightly: > > > +void flush_tlb_batched_pending(struct mm_struct *mm) > > +{ > > + if (mm->tlb_flush_batched) { > > + flush_tlb_mm(mm); > > How about making this a new helper arch_tlbbatch_flush_one_mm(mm); > The idea is that this could be implemented as flush_tlb_mm(mm), but > the actual semantics needed are weaker. All that's really needed > AFAICS is to make sure that any arch_tlbbatch_add_mm() calls on this > mm that have already happened become effective by the time that > arch_tlbbatch_flush_one_mm() returns. > > The initial implementation would be this: > > struct flush_tlb_info info = { > .mm = mm, > .new_tlb_gen = atomic64_read(&mm->context.tlb_gen); > .start = 0, > .end = TLB_FLUSH_ALL, > }; > > and the rest is like flush_tlb_mm_range(). flush_tlb_func_common() > will already do the right thing, but the comments should probably be > updated, too. Yes, from what I remember from your patches and a quick recheck, that should be fine. I'll be leaving it until the morning to actually do the work. It requires that your stuff be upstream first but last time I checked, they were expected in this merge window. > The benefit would be that, if you just call this on an > mm when everything is already flushed, it will still do the IPIs but > it won't do the actual flush. > The benefit is somewhat marginal given that a process that has been partially reclaimed already has taken a hit on any latency requirements it has. However, it's a much better fit with your work in general. > A better future implementation could iterate over each cpu in > mm_cpumask(), and, using either a new lock or very careful atomics, > check whether that CPU really needs flushing. In -tip, all the > information needed to figure this out is already there in the percpu > state -- it's just not currently set up for remote access. > Potentially yes although I'm somewhat wary of adding too much complexity in that path. It'll either be very rare in which case the maintenance cost isn't worth it or the process is being continually thrashed by reclaim in which case saving a few TLB flushes isn't going to prevent performance falling through the floor. > For backports, it would just be flush_tlb_mm(). > Agreed. -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f71.google.com (mail-pg0-f71.google.com [74.125.83.71]) by kanga.kvack.org (Postfix) with ESMTP id 729E86810BE for ; Tue, 11 Jul 2017 18:34:47 -0400 (EDT) Received: by mail-pg0-f71.google.com with SMTP id t8so6410585pgs.5 for ; Tue, 11 Jul 2017 15:34:47 -0700 (PDT) Received: from mail-pf0-x243.google.com (mail-pf0-x243.google.com. [2607:f8b0:400e:c00::243]) by mx.google.com with ESMTPS id o5si442944pgk.27.2017.07.11.15.34.46 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 15:34:46 -0700 (PDT) Received: by mail-pf0-x243.google.com with SMTP id z6so670236pfk.3 for ; Tue, 11 Jul 2017 15:34:46 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> Date: Tue, 11 Jul 2017 15:34:44 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <54C7B456-17EF-442D-8FAC-C8BE9D160750@gmail.com> References: <20170711064149.bg63nvi54ycynxw4@suse.de> <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Nadav Amit wrote: > Mel Gorman wrote: >=20 >> On Tue, Jul 11, 2017 at 09:09:23PM +0100, Mel Gorman wrote: >>> On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: >>>> I don't think we should be particularly clever about this and = instead just >>>> flush the full mm if there is a risk of a parallel batching of = flushing is >>>> in progress resulting in a stale TLB entry being used. I think = tracking mms >>>> that are currently batching would end up being costly in terms of = memory, >>>> fairly complex, or both. Something like this? >>>=20 >>> mremap and madvise(DONTNEED) would also need to flush. Memory = policies are >>> fine as a move_pages call that hits the race will simply fail to = migrate >>> a page that is being freed and once migration starts, it'll be = flushed so >>> a stale access has no further risk. copy_page_range should also be = ok as >>> the old mm is flushed and the new mm cannot have entries yet. >>=20 >> Adding those results in >=20 > You are way too fast for me. >=20 >> --- a/mm/rmap.c >> +++ b/mm/rmap.c >> @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct = *mm, enum ttu_flags flags) >> return false; >>=20 >> /* If remote CPUs need to be flushed then defer batch the flush = */ >> - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) >> + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { >> should_defer =3D true; >> + mm->tlb_flush_batched =3D true; >> + } >=20 > Since mm->tlb_flush_batched is set before the PTE is actually cleared, = it > still seems to leave a short window for a race. >=20 > CPU0 CPU1 > ---- ---- > should_defer_flush > =3D> mm->tlb_flush_batched=3Dtrue =09 > flush_tlb_batched_pending (another PT) > =3D> flush TLB > =3D> mm->tlb_flush_batched=3Dfalse > ptep_get_and_clear > ... >=20 > flush_tlb_batched_pending (batched PT) > use the stale PTE > ... > try_to_unmap_flush >=20 >=20 > IOW it seems that mm->flush_flush_batched should be set after the PTE = is > cleared (and have some compiler barrier to be on the safe side). I=E2=80=99m actually not sure about that. Without a lock that other = order may be racy as well. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com [209.85.128.197]) by kanga.kvack.org (Postfix) with ESMTP id 9D3A46B053C for ; Wed, 12 Jul 2017 04:27:36 -0400 (EDT) Received: by mail-wr0-f197.google.com with SMTP id p64so3771664wrc.8 for ; Wed, 12 Jul 2017 01:27:36 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id y21si1638056wmh.132.2017.07.12.01.27.34 for (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 12 Jul 2017 01:27:35 -0700 (PDT) Date: Wed, 12 Jul 2017 09:27:33 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170712082733.ouf7yx2bnvwwcfms@suse.de> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Tue, Jul 11, 2017 at 03:27:55PM -0700, Nadav Amit wrote: > Mel Gorman wrote: > > > On Tue, Jul 11, 2017 at 09:09:23PM +0100, Mel Gorman wrote: > >> On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: > >>> I don't think we should be particularly clever about this and instead just > >>> flush the full mm if there is a risk of a parallel batching of flushing is > >>> in progress resulting in a stale TLB entry being used. I think tracking mms > >>> that are currently batching would end up being costly in terms of memory, > >>> fairly complex, or both. Something like this? > >> > >> mremap and madvise(DONTNEED) would also need to flush. Memory policies are > >> fine as a move_pages call that hits the race will simply fail to migrate > >> a page that is being freed and once migration starts, it'll be flushed so > >> a stale access has no further risk. copy_page_range should also be ok as > >> the old mm is flushed and the new mm cannot have entries yet. > > > > Adding those results in > > You are way too fast for me. > > > --- a/mm/rmap.c > > +++ b/mm/rmap.c > > @@ -637,12 +637,34 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) > > return false; > > > > /* If remote CPUs need to be flushed then defer batch the flush */ > > - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) > > + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { > > should_defer = true; > > + mm->tlb_flush_batched = true; > > + } > > Since mm->tlb_flush_batched is set before the PTE is actually cleared, it > still seems to leave a short window for a race. > > CPU0 CPU1 > ---- ---- > should_defer_flush > => mm->tlb_flush_batched=true > flush_tlb_batched_pending (another PT) > => flush TLB > => mm->tlb_flush_batched=false > ptep_get_and_clear > ... > > flush_tlb_batched_pending (batched PT) > use the stale PTE > ... > try_to_unmap_flush > > IOW it seems that mm->flush_flush_batched should be set after the PTE is > cleared (and have some compiler barrier to be on the safe side). I'm relying on setting and clearing of tlb_flush_batched is under a PTL that is contended if the race is active. If reclaim is first, it'll take the PTL, set batched while a racing mprotect/munmap/etc spins. On release, the racing mprotect/munmmap immediately calls flush_tlb_batched_pending() before proceeding as normal, finding pte_none with the TLB flushed. If the mprotect/munmap/etc is first, it'll take the PTL, observe that pte_present and handle the flushing itself while reclaim potentially spins. When reclaim acquires the lock, it'll still set set tlb_flush_batched. As it's PTL that is taken for that field, it is possible for the accesses to be re-ordered but only in the case where a race is not occurring. I'll think some more about whether barriers are necessary but concluded they weren't needed in this instance. Doing the setting/clear+flush under the PTL, the protection is similar to normal page table operations that do not batch the flush. > One more question, please: how does elevated page count or even locking the > page help (as you mention in regard to uprobes and ksm)? Yes, the page will > not be reclaimed, but IIUC try_to_unmap is called before the reference count > is frozen, and the page lock is dropped on each iteration of the loop in > shrink_page_list. In this case, it seems to me that uprobes or ksm may still > not flush the TLB. > If page lock is held then reclaim skips the page entirely and uprobe, ksm and cow holds the page lock for pages that potentially be observed by reclaim. That is the primary protection for those paths. The elevated page count is less relevant but I was keeping it in mind trying to think of cases where a stale TLB entry existed and pointed to the wrong page. -- Mel Gorman SUSE Labs -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f198.google.com (mail-pf0-f198.google.com [209.85.192.198]) by kanga.kvack.org (Postfix) with ESMTP id 8E730440874 for ; Wed, 12 Jul 2017 19:27:27 -0400 (EDT) Received: by mail-pf0-f198.google.com with SMTP id q87so37826551pfk.15 for ; Wed, 12 Jul 2017 16:27:27 -0700 (PDT) Received: from mail-pf0-x244.google.com (mail-pf0-x244.google.com. [2607:f8b0:400e:c00::244]) by mx.google.com with ESMTPS id 3si2987329plz.629.2017.07.12.16.27.26 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jul 2017 16:27:26 -0700 (PDT) Received: by mail-pf0-x244.google.com with SMTP id e199so4892257pfh.0 for ; Wed, 12 Jul 2017 16:27:26 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: <20170712082733.ouf7yx2bnvwwcfms@suse.de> Date: Wed, 12 Jul 2017 16:27:23 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> Sender: owner-linux-mm@kvack.org List-ID: To: Mel Gorman Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" Mel Gorman wrote: > On Tue, Jul 11, 2017 at 03:27:55PM -0700, Nadav Amit wrote: >> Mel Gorman wrote: >>=20 >>> On Tue, Jul 11, 2017 at 09:09:23PM +0100, Mel Gorman wrote: >>>> On Tue, Jul 11, 2017 at 08:18:23PM +0100, Mel Gorman wrote: >>>>> I don't think we should be particularly clever about this and = instead just >>>>> flush the full mm if there is a risk of a parallel batching of = flushing is >>>>> in progress resulting in a stale TLB entry being used. I think = tracking mms >>>>> that are currently batching would end up being costly in terms of = memory, >>>>> fairly complex, or both. Something like this? >>>>=20 >>>> mremap and madvise(DONTNEED) would also need to flush. Memory = policies are >>>> fine as a move_pages call that hits the race will simply fail to = migrate >>>> a page that is being freed and once migration starts, it'll be = flushed so >>>> a stale access has no further risk. copy_page_range should also be = ok as >>>> the old mm is flushed and the new mm cannot have entries yet. >>>=20 >>> Adding those results in >>=20 >> You are way too fast for me. >>=20 >>> --- a/mm/rmap.c >>> +++ b/mm/rmap.c >>> @@ -637,12 +637,34 @@ static bool should_defer_flush(struct = mm_struct *mm, enum ttu_flags flags) >>> return false; >>>=20 >>> /* If remote CPUs need to be flushed then defer batch the flush = */ >>> - if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) >>> + if (cpumask_any_but(mm_cpumask(mm), get_cpu()) < nr_cpu_ids) { >>> should_defer =3D true; >>> + mm->tlb_flush_batched =3D true; >>> + } >>=20 >> Since mm->tlb_flush_batched is set before the PTE is actually = cleared, it >> still seems to leave a short window for a race. >>=20 >> CPU0 CPU1 >> ---- ---- >> should_defer_flush >> =3D> mm->tlb_flush_batched=3Dtrue =09 >> flush_tlb_batched_pending (another PT) >> =3D> flush TLB >> =3D> mm->tlb_flush_batched=3Dfalse >> ptep_get_and_clear >> ... >>=20 >> flush_tlb_batched_pending (batched PT) >> use the stale PTE >> ... >> try_to_unmap_flush >>=20 >> IOW it seems that mm->flush_flush_batched should be set after the PTE = is >> cleared (and have some compiler barrier to be on the safe side). >=20 > I'm relying on setting and clearing of tlb_flush_batched is under a = PTL > that is contended if the race is active. >=20 > If reclaim is first, it'll take the PTL, set batched while a racing > mprotect/munmap/etc spins. On release, the racing mprotect/munmmap > immediately calls flush_tlb_batched_pending() before proceeding as = normal, > finding pte_none with the TLB flushed. This is the scenario I regarded in my example. Notice that when the = first flush_tlb_batched_pending is called, CPU0 and CPU1 hold different = page-table locks - allowing them to run concurrently. As a result flush_tlb_batched_pending is executed before the PTE was cleared and mm->tlb_flush_batched is cleared. Later, after CPU0 runs = ptep_get_and_clear mm->tlb_flush_batched remains clear, and CPU1 can use the stale PTE. > If the mprotect/munmap/etc is first, it'll take the PTL, observe that > pte_present and handle the flushing itself while reclaim potentially > spins. When reclaim acquires the lock, it'll still set set = tlb_flush_batched. >=20 > As it's PTL that is taken for that field, it is possible for the = accesses > to be re-ordered but only in the case where a race is not occurring. > I'll think some more about whether barriers are necessary but = concluded > they weren't needed in this instance. Doing the setting/clear+flush = under > the PTL, the protection is similar to normal page table operations = that > do not batch the flush. >=20 >> One more question, please: how does elevated page count or even = locking the >> page help (as you mention in regard to uprobes and ksm)? Yes, the = page will >> not be reclaimed, but IIUC try_to_unmap is called before the = reference count >> is frozen, and the page lock is dropped on each iteration of the loop = in >> shrink_page_list. In this case, it seems to me that uprobes or ksm = may still >> not flush the TLB. >=20 > If page lock is held then reclaim skips the page entirely and uprobe, > ksm and cow holds the page lock for pages that potentially be observed > by reclaim. That is the primary protection for those paths. It is really hard, at least for me, to track this synchronization = scheme, as each path is protected in different means. I still don=E2=80=99t = understand why it is true, since the loop in shrink_page_list calls = __ClearPageLocked(page) on each iteration, before the actual flush takes place. Actually, I think that based on Andy=E2=80=99s patches there is a = relatively reasonable solution. For each mm we will hold both a = =E2=80=9Cpending_tlb_gen=E2=80=9D (increased under the PT-lock) and an =E2=80=9Cexecuted_tlb_gen=E2=80=9D. = Once flush_tlb_mm_range finishes flushing it will use cmpxchg to update the executed_tlb_gen to the pending_tlb_gen that was prior the flush (the cmpxchg will ensure the TLB gen only goes forward). Then, whenever pending_tlb_gen is different than executed_tlb_gen - a flush is needed. Nadav=20 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f72.google.com (mail-oi0-f72.google.com [209.85.218.72]) by kanga.kvack.org (Postfix) with ESMTP id 3ACC0440874 for ; Wed, 12 Jul 2017 19:36:36 -0400 (EDT) Received: by mail-oi0-f72.google.com with SMTP id f134so2820054oig.14 for ; Wed, 12 Jul 2017 16:36:36 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id u187si2718888oie.76.2017.07.12.16.36.35 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jul 2017 16:36:35 -0700 (PDT) Received: from mail-ua0-f174.google.com (mail-ua0-f174.google.com [209.85.217.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C8BED22C9F for ; Wed, 12 Jul 2017 23:36:34 +0000 (UTC) Received: by mail-ua0-f174.google.com with SMTP id g13so5241558uaj.0 for ; Wed, 12 Jul 2017 16:36:34 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> From: Andy Lutomirski Date: Wed, 12 Jul 2017 16:36:13 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Mel Gorman , Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Wed, Jul 12, 2017 at 4:27 PM, Nadav Amit wrote: > > Actually, I think that based on Andy=E2=80=99s patches there is a relativ= ely > reasonable solution. For each mm we will hold both a =E2=80=9Cpending_tlb= _gen=E2=80=9D > (increased under the PT-lock) and an =E2=80=9Cexecuted_tlb_gen=E2=80=9D. = Once > flush_tlb_mm_range finishes flushing it will use cmpxchg to update the > executed_tlb_gen to the pending_tlb_gen that was prior the flush (the > cmpxchg will ensure the TLB gen only goes forward). Then, whenever > pending_tlb_gen is different than executed_tlb_gen - a flush is needed. > Why do we need executed_tlb_gen? We already have cpu_tlbstate.ctxs[...].tlb_gen. Or is the idea that executed_tlb_gen guarantees that all cpus in mm_cpumask are at least up to date to executed_tlb_gen? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f72.google.com (mail-pg0-f72.google.com [74.125.83.72]) by kanga.kvack.org (Postfix) with ESMTP id 022CA440874 for ; Wed, 12 Jul 2017 19:42:34 -0400 (EDT) Received: by mail-pg0-f72.google.com with SMTP id p15so40499554pgs.7 for ; Wed, 12 Jul 2017 16:42:33 -0700 (PDT) Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com. [2607:f8b0:400e:c05::230]) by mx.google.com with ESMTPS id e13si2969907pgu.2.2017.07.12.16.42.32 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jul 2017 16:42:33 -0700 (PDT) Received: by mail-pg0-x230.google.com with SMTP id t186so20334920pgb.1 for ; Wed, 12 Jul 2017 16:42:32 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: Date: Wed, 12 Jul 2017 16:42:30 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <079D9048-0FFD-4A58-90EF-889259EB6ECE@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Mel Gorman , "open list:MEMORY MANAGEMENT" Andy Lutomirski wrote: > On Wed, Jul 12, 2017 at 4:27 PM, Nadav Amit = wrote: >> Actually, I think that based on Andy=E2=80=99s patches there is a = relatively >> reasonable solution. For each mm we will hold both a = =E2=80=9Cpending_tlb_gen=E2=80=9D >> (increased under the PT-lock) and an =E2=80=9Cexecuted_tlb_gen=E2=80=9D= . Once >> flush_tlb_mm_range finishes flushing it will use cmpxchg to update = the >> executed_tlb_gen to the pending_tlb_gen that was prior the flush (the >> cmpxchg will ensure the TLB gen only goes forward). Then, whenever >> pending_tlb_gen is different than executed_tlb_gen - a flush is = needed. >=20 > Why do we need executed_tlb_gen? We already have > cpu_tlbstate.ctxs[...].tlb_gen. Or is the idea that executed_tlb_gen > guarantees that all cpus in mm_cpumask are at least up to date to > executed_tlb_gen? Hm... So actually it may be enough, no? Just compare mm->context.tlb_gen with cpu_tlbstate.ctxs[...].tlb_gen and flush if they are different? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f72.google.com (mail-oi0-f72.google.com [209.85.218.72]) by kanga.kvack.org (Postfix) with ESMTP id 54F68440874 for ; Thu, 13 Jul 2017 01:39:15 -0400 (EDT) Received: by mail-oi0-f72.google.com with SMTP id z82so3512812oiz.6 for ; Wed, 12 Jul 2017 22:39:15 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id p5si3130759oig.335.2017.07.12.22.39.14 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jul 2017 22:39:14 -0700 (PDT) Received: from mail-vk0-f46.google.com (mail-vk0-f46.google.com [209.85.213.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7B2E322C97 for ; Thu, 13 Jul 2017 05:39:13 +0000 (UTC) Received: by mail-vk0-f46.google.com with SMTP id y70so24010837vky.3 for ; Wed, 12 Jul 2017 22:39:13 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <079D9048-0FFD-4A58-90EF-889259EB6ECE@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> <079D9048-0FFD-4A58-90EF-889259EB6ECE@gmail.com> From: Andy Lutomirski Date: Wed, 12 Jul 2017 22:38:51 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , Mel Gorman , "open list:MEMORY MANAGEMENT" On Wed, Jul 12, 2017 at 4:42 PM, Nadav Amit wrote: > Andy Lutomirski wrote: > >> On Wed, Jul 12, 2017 at 4:27 PM, Nadav Amit wrote= : >>> Actually, I think that based on Andy=E2=80=99s patches there is a relat= ively >>> reasonable solution. For each mm we will hold both a =E2=80=9Cpending_t= lb_gen=E2=80=9D >>> (increased under the PT-lock) and an =E2=80=9Cexecuted_tlb_gen=E2=80=9D= . Once >>> flush_tlb_mm_range finishes flushing it will use cmpxchg to update the >>> executed_tlb_gen to the pending_tlb_gen that was prior the flush (the >>> cmpxchg will ensure the TLB gen only goes forward). Then, whenever >>> pending_tlb_gen is different than executed_tlb_gen - a flush is needed. >> >> Why do we need executed_tlb_gen? We already have >> cpu_tlbstate.ctxs[...].tlb_gen. Or is the idea that executed_tlb_gen >> guarantees that all cpus in mm_cpumask are at least up to date to >> executed_tlb_gen? > > Hm... So actually it may be enough, no? Just compare mm->context.tlb_gen > with cpu_tlbstate.ctxs[...].tlb_gen and flush if they are different? > Wouldn't that still leave the races where the CPU observing the stale TLB entry isn't the CPU that did munmap/mprotect/whatever? I think executed_tlb_gen or similar may really be needed for your approach. -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr0-f197.google.com (mail-wr0-f197.google.com [209.85.128.197]) by kanga.kvack.org (Postfix) with ESMTP id 134AF440874 for ; Thu, 13 Jul 2017 02:07:10 -0400 (EDT) Received: by mail-wr0-f197.google.com with SMTP id 77so8043979wrb.11 for ; Wed, 12 Jul 2017 23:07:10 -0700 (PDT) Received: from mx1.suse.de (mx2.suse.de. [195.135.220.15]) by mx.google.com with ESMTPS id 1si3465597wrq.16.2017.07.12.23.07.08 for (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 12 Jul 2017 23:07:08 -0700 (PDT) Date: Thu, 13 Jul 2017 07:07:06 +0100 From: Mel Gorman Subject: Re: Potential race in TLB flush batching? Message-ID: <20170713060706.o2cuko5y6irxwnww@suse.de> References: <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Nadav Amit Cc: Andy Lutomirski , "open list:MEMORY MANAGEMENT" On Wed, Jul 12, 2017 at 04:27:23PM -0700, Nadav Amit wrote: > > If reclaim is first, it'll take the PTL, set batched while a racing > > mprotect/munmap/etc spins. On release, the racing mprotect/munmmap > > immediately calls flush_tlb_batched_pending() before proceeding as normal, > > finding pte_none with the TLB flushed. > > This is the scenario I regarded in my example. Notice that when the first > flush_tlb_batched_pending is called, CPU0 and CPU1 hold different page-table > locks - allowing them to run concurrently. As a result > flush_tlb_batched_pending is executed before the PTE was cleared and > mm->tlb_flush_batched is cleared. Later, after CPU0 runs ptep_get_and_clear > mm->tlb_flush_batched remains clear, and CPU1 can use the stale PTE. > If they hold different PTL locks, it means that reclaim and and the parallel munmap/mprotect/madvise/mremap operation are operating on different regions of an mm or separate mm's and the race should not apply or at the very least is equivalent to not batching the flushes. For multiple parallel operations, munmap/mprotect/mremap are serialised by mmap_sem so there is only one risky operation at a time. For multiple madvise, there is a small window when a page is accessible after madvise returns but it is an advisory call so it's primarily a data integrity concern and the TLB is flushed before the page is either freed or IO starts on the reclaim side. > > If the mprotect/munmap/etc is first, it'll take the PTL, observe that > > pte_present and handle the flushing itself while reclaim potentially > > spins. When reclaim acquires the lock, it'll still set set tlb_flush_batched. > > > > As it's PTL that is taken for that field, it is possible for the accesses > > to be re-ordered but only in the case where a race is not occurring. > > I'll think some more about whether barriers are necessary but concluded > > they weren't needed in this instance. Doing the setting/clear+flush under > > the PTL, the protection is similar to normal page table operations that > > do not batch the flush. > > > >> One more question, please: how does elevated page count or even locking the > >> page help (as you mention in regard to uprobes and ksm)? Yes, the page will > >> not be reclaimed, but IIUC try_to_unmap is called before the reference count > >> is frozen, and the page lock is dropped on each iteration of the loop in > >> shrink_page_list. In this case, it seems to me that uprobes or ksm may still > >> not flush the TLB. > > > > If page lock is held then reclaim skips the page entirely and uprobe, > > ksm and cow holds the page lock for pages that potentially be observed > > by reclaim. That is the primary protection for those paths. > > It is really hard, at least for me, to track this synchronization scheme, as > each path is protected in different means. I still don???t understand why it > is true, since the loop in shrink_page_list calls __ClearPageLocked(page) on > each iteration, before the actual flush takes place. > At teh point of __ClearPageLocked, reclaim was holding the page lock and reached the point where there cannot be any other references to it and is definitely cleaned. Any hypothetical TLB entry that exists at this point is for read-only which would trap if a write was attempted and the TLB is flushed before the page is freed so there is no possibility the page is reallocated and the TLB entry now points to unrelated data. > Actually, I think that based on Andy???s patches there is a relatively > reasonable solution. On top of Andy's work, the patch currently is below. Andy, is that roughly what you had in mind? I didn't think the comments in flush_tlb_func_common needed updating. I would have test results but the test against the tip tree without the patch failed overnight with what looks like filesystem corruption that happened *after* tests completed and it was untarring and building the next kernel to test with the patch applied. I'm not sure why yet or how reproducible it is. ---8<--- mm, mprotect: Flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries Nadav Amit identified a theoritical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. For some operations like mprotect, it's not a data integrity issue but it is a correctness issue. For munmap, it's potentially a data integrity issue although the race is massive as an munmap, mmap and return to userspace must all complete between the window when reclaim drops the PTL and flushes the TLB. However, it's theoritically possible so handle this issue by flushing the mm if reclaim is potentially currently batching TLB flushes. Other instances where a flush is required for a present pte should be ok as either the page lock is held preventing parallel reclaim or a page reference count is elevated preventing a parallel free leading to corruption. In the case of page_mkclean there isn't an obvious path that userspace could take advantage of without using the operations that are guarded by this patch. Other users such as gup as a race with reclaim looks just at PTEs. huge page variants should be ok as they don't race with reclaim. mincore only looks at PTEs. userfault also should be ok as if a parallel reclaim takes place, it will either fault the page back in or read some of the data before the flush occurs triggering a fault. Signed-off-by: Mel Gorman Cc: stable@vger.kernel.org # v4.4+ diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h index 6397275008db..1ad93cf26826 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -325,6 +325,7 @@ static inline void arch_tlbbatch_add_mm(struct arch_tlbflush_unmap_batch *batch, } extern void arch_tlbbatch_flush(struct arch_tlbflush_unmap_batch *batch); +extern void arch_tlbbatch_flush_one_mm(struct mm_struct *mm); #ifndef CONFIG_PARAVIRT #define flush_tlb_others(mask, info) \ diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c index 2c1b8881e9d3..a72975a517a1 100644 --- a/arch/x86/mm/tlb.c +++ b/arch/x86/mm/tlb.c @@ -455,6 +455,39 @@ void arch_tlbbatch_flush(struct arch_tlbflush_unmap_batch *batch) put_cpu(); } +/* + * Ensure that any arch_tlbbatch_add_mm calls on this mm are up to date when + * this returns. Using the current mm tlb_gen means the TLB will be up to date + * with respect to the tlb_gen set at arch_tlbbatch_add_mm. If a flush has + * happened since then the IPIs will still be sent but the actual flush is + * avoided. Unfortunately the IPIs are necessary as the per-cpu context + * tlb_gens cannot be safely accessed. + */ +void arch_tlbbatch_flush_one_mm(struct mm_struct *mm) +{ + int cpu; + struct flush_tlb_info info = { + .mm = mm, + .new_tlb_gen = atomic64_read(&mm->context.tlb_gen), + .start = 0, + .end = TLB_FLUSH_ALL, + }; + + cpu = get_cpu(); + + if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) { + VM_WARN_ON(irqs_disabled()); + local_irq_disable(); + flush_tlb_func_local(&info, TLB_LOCAL_MM_SHOOTDOWN); + local_irq_enable(); + } + + if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) + flush_tlb_others(mm_cpumask(mm), &info); + + put_cpu(); +} + static ssize_t tlbflush_read_file(struct file *file, char __user *user_buf, size_t count, loff_t *ppos) { diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 45cdb27791a3..ab8f7e11c160 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -495,6 +495,10 @@ struct mm_struct { */ bool tlb_flush_pending; #endif +#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH + /* See flush_tlb_batched_pending() */ + bool tlb_flush_batched; +#endif struct uprobes_state uprobes_state; #ifdef CONFIG_HUGETLB_PAGE atomic_long_t hugetlb_usage; diff --git a/mm/internal.h b/mm/internal.h index 0e4f558412fb..9c8a2bfb975c 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -498,6 +498,7 @@ extern struct workqueue_struct *mm_percpu_wq; #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH void try_to_unmap_flush(void); void try_to_unmap_flush_dirty(void); +void flush_tlb_batched_pending(struct mm_struct *mm); #else static inline void try_to_unmap_flush(void) { @@ -505,7 +506,9 @@ static inline void try_to_unmap_flush(void) static inline void try_to_unmap_flush_dirty(void) { } - +static inline void flush_tlb_batched_pending(struct mm_struct *mm) +{ +} #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ extern const struct trace_print_flags pageflag_names[]; diff --git a/mm/madvise.c b/mm/madvise.c index 25b78ee4fc2c..75d2cffbe61d 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -320,6 +320,7 @@ static int madvise_free_pte_range(pmd_t *pmd, unsigned long addr, tlb_remove_check_page_size_change(tlb, PAGE_SIZE); orig_pte = pte = pte_offset_map_lock(mm, pmd, addr, &ptl); + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); for (; addr != end; pte++, addr += PAGE_SIZE) { ptent = *pte; diff --git a/mm/memory.c b/mm/memory.c index bb11c474857e..b0c3d1556a94 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1197,6 +1197,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, init_rss_vec(rss); start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); pte = start_pte; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); do { pte_t ptent = *pte; diff --git a/mm/mprotect.c b/mm/mprotect.c index 8edd0d576254..f42749e6bf4e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -66,6 +66,7 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, atomic_read(&vma->vm_mm->mm_users) == 1) target_node = numa_node_id(); + flush_tlb_batched_pending(vma->vm_mm); arch_enter_lazy_mmu_mode(); do { oldpte = *pte; diff --git a/mm/mremap.c b/mm/mremap.c index cd8a1b199ef9..6e3d857458de 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -152,6 +152,7 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, new_ptl = pte_lockptr(mm, new_pmd); if (new_ptl != old_ptl) spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); + flush_tlb_batched_pending(vma->vm_mm); arch_enter_lazy_mmu_mode(); for (; old_addr < old_end; old_pte++, old_addr += PAGE_SIZE, diff --git a/mm/rmap.c b/mm/rmap.c index 130c238fe384..7c5c8ef583fa 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -603,6 +603,7 @@ static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) arch_tlbbatch_add_mm(&tlb_ubc->arch, mm); tlb_ubc->flush_required = true; + mm->tlb_flush_batched = true; /* * If the PTE was dirty then it's best to assume it's writable. The @@ -631,6 +632,29 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags) return should_defer; } + +/* + * Reclaim unmaps pages under the PTL but does not flush the TLB prior to + * releasing the PTL if TLB flushes are batched. It's possible a parallel + * operation such as mprotect or munmap to race between reclaim unmapping + * the page and flushing the page If this race occurs, it potentially allows + * access to data via a stale TLB entry. Tracking all mm's that have TLB + * batching in flight would be expensive during reclaim so instead track + * whether TLB batching occured in the past and if so then do a flush here + * if required. This will cost one additional flush per reclaim cycle paid + * by the first operation at risk such as mprotect and mumap. + * + * This must be called under the PTL so that accesses to tlb_flush_batched + * that is potentially a "reclaim vs mprotect/munmap/etc" race will + * synchronise via the PTL. + */ +void flush_tlb_batched_pending(struct mm_struct *mm) +{ + if (mm->tlb_flush_batched) { + arch_tlbbatch_flush_one_mm(mm); + mm->tlb_flush_batched = false; + } +} #else static void set_tlb_ubc_flush_pending(struct mm_struct *mm, bool writable) { -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pg0-f72.google.com (mail-pg0-f72.google.com [74.125.83.72]) by kanga.kvack.org (Postfix) with ESMTP id 0A5FD440874 for ; Thu, 13 Jul 2017 12:05:05 -0400 (EDT) Received: by mail-pg0-f72.google.com with SMTP id 125so62857334pgi.2 for ; Thu, 13 Jul 2017 09:05:05 -0700 (PDT) Received: from mail-pg0-x244.google.com (mail-pg0-x244.google.com. [2607:f8b0:400e:c05::244]) by mx.google.com with ESMTPS id 1si4630574pgp.88.2017.07.13.09.05.03 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Jul 2017 09:05:04 -0700 (PDT) Received: by mail-pg0-x244.google.com with SMTP id j186so7441708pge.1 for ; Thu, 13 Jul 2017 09:05:03 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: Potential race in TLB flush batching? From: Nadav Amit In-Reply-To: Date: Thu, 13 Jul 2017 09:05:01 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: <5F1E23BA-B0DE-4FF0-AB8F-C22936263EAA@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> <079D9048-0FFD-4A58-90EF-889259EB6ECE@gmail.com> Sender: owner-linux-mm@kvack.org List-ID: To: Andy Lutomirski Cc: Mel Gorman , "open list:MEMORY MANAGEMENT" Andy Lutomirski wrote: > On Wed, Jul 12, 2017 at 4:42 PM, Nadav Amit = wrote: >> Andy Lutomirski wrote: >>=20 >>> On Wed, Jul 12, 2017 at 4:27 PM, Nadav Amit = wrote: >>>> Actually, I think that based on Andy=E2=80=99s patches there is a = relatively >>>> reasonable solution. For each mm we will hold both a = =E2=80=9Cpending_tlb_gen=E2=80=9D >>>> (increased under the PT-lock) and an =E2=80=9Cexecuted_tlb_gen=E2=80=9D= . Once >>>> flush_tlb_mm_range finishes flushing it will use cmpxchg to update = the >>>> executed_tlb_gen to the pending_tlb_gen that was prior the flush = (the >>>> cmpxchg will ensure the TLB gen only goes forward). Then, whenever >>>> pending_tlb_gen is different than executed_tlb_gen - a flush is = needed. >>>=20 >>> Why do we need executed_tlb_gen? We already have >>> cpu_tlbstate.ctxs[...].tlb_gen. Or is the idea that = executed_tlb_gen >>> guarantees that all cpus in mm_cpumask are at least up to date to >>> executed_tlb_gen? >>=20 >> Hm... So actually it may be enough, no? Just compare = mm->context.tlb_gen >> with cpu_tlbstate.ctxs[...].tlb_gen and flush if they are different? >=20 > Wouldn't that still leave the races where the CPU observing the stale > TLB entry isn't the CPU that did munmap/mprotect/whatever? I think > executed_tlb_gen or similar may really be needed for your approach. Yes, you are right. This approach requires a counter that is only updated after the flush is completed by all cores. This way you ensure there is no CPU that did not complete the flush. Does it make sense?= -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f72.google.com (mail-oi0-f72.google.com [209.85.218.72]) by kanga.kvack.org (Postfix) with ESMTP id 15378440874 for ; Thu, 13 Jul 2017 12:07:13 -0400 (EDT) Received: by mail-oi0-f72.google.com with SMTP id a142so4500576oii.5 for ; Thu, 13 Jul 2017 09:07:13 -0700 (PDT) Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id w10si4120380oib.92.2017.07.13.09.07.12 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Jul 2017 09:07:12 -0700 (PDT) Received: from mail-ua0-f181.google.com (mail-ua0-f181.google.com [209.85.217.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6705C22C98 for ; Thu, 13 Jul 2017 16:07:11 +0000 (UTC) Received: by mail-ua0-f181.google.com with SMTP id z22so36659582uah.1 for ; Thu, 13 Jul 2017 09:07:11 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <5F1E23BA-B0DE-4FF0-AB8F-C22936263EAA@gmail.com> References: <20170711092935.bogdb4oja6v7kilq@suse.de> <20170711132023.wdfpjxwtbqpi3wp2@suse.de> <20170711155312.637eyzpqeghcgqzp@suse.de> <20170711191823.qthrmdgqcd3rygjk@suse.de> <20170711200923.gyaxfjzz3tpvreuq@suse.de> <20170711215240.tdpmwmgwcuerjj3o@suse.de> <9ECCACFE-6006-4C19-8FC0-C387EB5F3BEE@gmail.com> <20170712082733.ouf7yx2bnvwwcfms@suse.de> <591A2865-13B8-4B3A-B094-8B83A7F9814B@gmail.com> <079D9048-0FFD-4A58-90EF-889259EB6ECE@gmail.com> <5F1E23BA-B0DE-4FF0-AB8F-C22936263EAA@gmail.com> From: Andy Lutomirski Date: Thu, 13 Jul 2017 09:06:49 -0700 Message-ID: Subject: Re: Potential race in TLB flush batching? Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: owner-linux-mm@kvack.org List-ID: