* Re: [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
2019-01-10 0:51 [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one Sean Christopherson
@ 2019-01-10 1:42 ` Jerome Glisse
2019-01-10 5:52 ` Pankaj Gupta
2019-01-10 9:14 ` Adam Borowski
2 siblings, 0 replies; 4+ messages in thread
From: Jerome Glisse @ 2019-01-10 1:42 UTC (permalink / raw)
To: Sean Christopherson
Cc: linux-kernel, linux-mm, leozinho29_eu, Mike Galbraith,
Adam Borowski, Christian König, Jan Kara, Matthew Wilcox,
Ross Zwisler, Dan Williams, Paolo Bonzini,
Radim Krčmář,
Michal Hocko, Felix Kuehling, Ralph Campbell, John Hubbard,
Andrew Morton, Linus Torvalds
On Wed, Jan 09, 2019 at 04:51:17PM -0800, Sean Christopherson wrote:
> The conversion to use a structure for mmu_notifier_invalidate_range_*()
> unintentionally changed the usage in try_to_unmap_one() to init the
> 'struct mmu_notifier_range' with vma->vm_start instead of @address,
> i.e. it invalidates the wrong address range. Revert to the correct
> address range.
>
> Manifests as KVM use-after-free WARNINGs and subsequent "BUG: Bad page
> state in process X" errors when reclaiming from a KVM guest due to KVM
> removing the wrong pages from its own mappings.
>
> Reported-by: leozinho29_eu@hotmail.com
> Reported-by: Mike Galbraith <efault@gmx.de>
> Reported-by: Adam Borowski <kilobyte@angband.pl>
Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> Cc: Ross Zwisler <zwisler@kernel.org>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Felix Kuehling <felix.kuehling@amd.com>
> Cc: Ralph Campbell <rcampbell@nvidia.com>
> Cc: John Hubbard <jhubbard@nvidia.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Fixes: ac46d4f3c432 ("mm/mmu_notifier: use structure for invalidate_range_start/end calls v2")
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> ---
>
> FWIW, I looked through all other calls to mmu_notifier_range_init() in
> the patch and didn't spot any other unintentional functional changes.
>
> mm/rmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/rmap.c b/mm/rmap.c
> index 68a1a5b869a5..0454ecc29537 100644
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
> @@ -1371,8 +1371,8 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
> * Note that the page can not be free in this function as call of
> * try_to_unmap() must hold a reference on the page.
> */
> - mmu_notifier_range_init(&range, vma->vm_mm, vma->vm_start,
> - min(vma->vm_end, vma->vm_start +
> + mmu_notifier_range_init(&range, vma->vm_mm, address,
> + min(vma->vm_end, address +
> (PAGE_SIZE << compound_order(page))));
> if (PageHuge(page)) {
> /*
> --
> 2.19.2
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
2019-01-10 0:51 [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one Sean Christopherson
2019-01-10 1:42 ` Jerome Glisse
@ 2019-01-10 5:52 ` Pankaj Gupta
2019-01-10 9:14 ` Adam Borowski
2 siblings, 0 replies; 4+ messages in thread
From: Pankaj Gupta @ 2019-01-10 5:52 UTC (permalink / raw)
To: Sean Christopherson
Cc: linux-kernel, linux-mm, leozinho29 eu, Mike Galbraith,
Adam Borowski, Jérôme Glisse, Christian König,
Jan Kara, Matthew Wilcox, Ross Zwisler, Dan Williams,
Paolo Bonzini, Radim Krčmář,
Michal Hocko, Felix Kuehling, Ralph Campbell, John Hubbard,
Andrew Morton, Linus Torvalds
> The conversion to use a structure for mmu_notifier_invalidate_range_*()
> unintentionally changed the usage in try_to_unmap_one() to init the
> 'struct mmu_notifier_range' with vma->vm_start instead of @address,
> i.e. it invalidates the wrong address range. Revert to the correct
> address range.
>
> Manifests as KVM use-after-free WARNINGs and subsequent "BUG: Bad page
> state in process X" errors when reclaiming from a KVM guest due to KVM
> removing the wrong pages from its own mappings.
>
> Reported-by: leozinho29_eu@hotmail.com
> Reported-by: Mike Galbraith <efault@gmx.de>
> Reported-by: Adam Borowski <kilobyte@angband.pl>
> Cc: Jérôme Glisse <jglisse@redhat.com>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: Jan Kara <jack@suse.cz>
> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> Cc: Ross Zwisler <zwisler@kernel.org>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Felix Kuehling <felix.kuehling@amd.com>
> Cc: Ralph Campbell <rcampbell@nvidia.com>
> Cc: John Hubbard <jhubbard@nvidia.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Fixes: ac46d4f3c432 ("mm/mmu_notifier: use structure for
> invalidate_range_start/end calls v2")
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> ---
>
> FWIW, I looked through all other calls to mmu_notifier_range_init() in
> the patch and didn't spot any other unintentional functional changes.
>
> mm/rmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/rmap.c b/mm/rmap.c
> index 68a1a5b869a5..0454ecc29537 100644
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
> @@ -1371,8 +1371,8 @@ static bool try_to_unmap_one(struct page *page, struct
> vm_area_struct *vma,
> * Note that the page can not be free in this function as call of
> * try_to_unmap() must hold a reference on the page.
> */
> - mmu_notifier_range_init(&range, vma->vm_mm, vma->vm_start,
> - min(vma->vm_end, vma->vm_start +
> + mmu_notifier_range_init(&range, vma->vm_mm, address,
> + min(vma->vm_end, address +
> (PAGE_SIZE << compound_order(page))));
> if (PageHuge(page)) {
> /*
> --
I was suspecting this patch for some other issue. But could not spot this after
in depth analyzing the changed "invalidate_range_start/end calls".
Its indeed a good catch.
Reviewed-by: Pankaj gupta <pagupta@redhat.com>
> 2.19.2
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
2019-01-10 0:51 [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one Sean Christopherson
2019-01-10 1:42 ` Jerome Glisse
2019-01-10 5:52 ` Pankaj Gupta
@ 2019-01-10 9:14 ` Adam Borowski
2 siblings, 0 replies; 4+ messages in thread
From: Adam Borowski @ 2019-01-10 9:14 UTC (permalink / raw)
To: Sean Christopherson
Cc: linux-kernel, linux-mm, leozinho29_eu, Mike Galbraith,
Jérôme Glisse, Christian König, Jan Kara,
Matthew Wilcox, Ross Zwisler, Dan Williams, Paolo Bonzini,
Radim Krčmář,
Michal Hocko, Felix Kuehling, Ralph Campbell, John Hubbard,
Andrew Morton, Linus Torvalds
On Wed, Jan 09, 2019 at 04:51:17PM -0800, Sean Christopherson wrote:
> Manifests as KVM use-after-free WARNINGs and subsequent "BUG: Bad page
> state in process X" errors when reclaiming from a KVM guest due to KVM
> removing the wrong pages from its own mappings.
With your patch, no badness happened so far. Thanks!
> Reported-by: Adam Borowski <kilobyte@angband.pl>
> Fixes: ac46d4f3c432 ("mm/mmu_notifier: use structure for invalidate_range_start/end calls v2")
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
> - mmu_notifier_range_init(&range, vma->vm_mm, vma->vm_start,
> - min(vma->vm_end, vma->vm_start +
> + mmu_notifier_range_init(&range, vma->vm_mm, address,
> + min(vma->vm_end, address +
Meow.
--
⢀⣴⠾⠻⢶⣦⠀ Hans 1 was born and raised in Johannesburg, then moved to Boston,
⣾⠁⢠⠒⠀⣿⡁ and has just became a naturalized citizen. Hans 2's grandparents
⢿⡄⠘⠷⠚⠋⠀ came from Melanesia to Düsseldorf, and he hasn't ever been outside
⠈⠳⣄⠀⠀⠀⠀ Germany until yesterday. Which one is an African-American?
^ permalink raw reply [flat|nested] 4+ messages in thread