From: Yu Zhao <yuzhao@google.com>
To: Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: "Peter Zijlstra" <peterz@infradead.org>,
"Ingo Molnar" <mingo@redhat.com>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Alexander Shishkin" <alexander.shishkin@linux.intel.com>,
"Jiri Olsa" <jolsa@redhat.com>,
"Namhyung Kim" <namhyung@kernel.org>,
"Vlastimil Babka" <vbabka@suse.cz>,
"Hugh Dickins" <hughd@google.com>,
"Jérôme Glisse" <jglisse@redhat.com>,
"Andrea Arcangeli" <aarcange@redhat.com>,
"Aneesh Kumar K . V" <aneesh.kumar@linux.ibm.com>,
"David Rientjes" <rientjes@google.com>,
"Matthew Wilcox" <willy@infradead.org>,
"Lance Roy" <ldr709@gmail.com>,
"Ralph Campbell" <rcampbell@nvidia.com>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
"Dave Airlie" <airlied@redhat.com>,
"Thomas Hellstrom" <thellstrom@vmware.com>,
"Souptick Joarder" <jrdr.linux@gmail.com>,
"Mel Gorman" <mgorman@suse.de>, "Jan Kara" <jack@suse.cz>,
"Mike Kravetz" <mike.kravetz@oracle.com>,
"Huang Ying" <ying.huang@intel.com>,
"Aaron Lu" <ziqian.lzq@antfin.com>,
"Omar Sandoval" <osandov@fb.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Vineeth Remanan Pillai" <vpillai@digitalocean.com>,
"Daniel Jordan" <daniel.m.jordan@oracle.com>,
"Mike Rapoport" <rppt@linux.ibm.com>,
"Joel Fernandes" <joel@joelfernandes.org>,
"Mark Rutland" <mark.rutland@arm.com>,
"Alexander Duyck" <alexander.h.duyck@linux.intel.com>,
"Pavel Tatashin" <pavel.tatashin@microsoft.com>,
"David Hildenbrand" <david@redhat.com>,
"Juergen Gross" <jgross@suse.com>,
"Anthony Yznaga" <anthony.yznaga@oracle.com>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Darrick J . Wong" <darrick.wong@oracle.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
"Yu Zhao" <yuzhao@google.com>
Subject: [PATCH v3 3/4] mm: don't expose non-hugetlb page to fast gup prematurely
Date: Tue, 24 Sep 2019 17:24:58 -0600 [thread overview]
Message-ID: <20190924232459.214097-3-yuzhao@google.com> (raw)
In-Reply-To: <20190924232459.214097-1-yuzhao@google.com>
We don't want to expose a non-hugetlb page to the fast gup running
on a remote CPU before all local non-atomic ops on the page flags
are visible first.
For an anon page that isn't in swap cache, we need to make sure all
prior non-atomic ops, especially __SetPageSwapBacked() in
page_add_new_anon_rmap(), are ordered before set_pte_at() to prevent
the following race:
CPU 1 CPU1
set_pte_at() get_user_pages_fast()
page_add_new_anon_rmap() gup_pte_range()
__SetPageSwapBacked() SetPageReferenced()
This demonstrates a non-fatal scenario. Though haven't been directly
observed, the fatal ones can exist, e.g., PG_lock set by fast gup
caller and then overwritten by __SetPageSwapBacked().
For an anon page that is already in swap cache or a file page, we
don't need smp_wmb() before set_pte_at() because adding to swap or
file cach serves as a valid write barrier. Using non-atomic ops
thereafter is a bug, obviously.
smp_wmb() is added following 11 of total 12 page_add_new_anon_rmap()
call sites, with the only exception being
do_huge_pmd_wp_page_fallback() because of an existing smp_wmb().
Signed-off-by: Yu Zhao <yuzhao@google.com>
---
kernel/events/uprobes.c | 2 ++
mm/huge_memory.c | 6 ++++++
mm/khugepaged.c | 2 ++
mm/memory.c | 10 +++++++++-
mm/migrate.c | 2 ++
mm/swapfile.c | 6 ++++--
mm/userfaultfd.c | 2 ++
7 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 84fa00497c49..7069785e2e52 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -194,6 +194,8 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
flush_cache_page(vma, addr, pte_pfn(*pvmw.pte));
ptep_clear_flush_notify(vma, addr, pvmw.pte);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pte_at_notify(mm, addr, pvmw.pte,
mk_pte(new_page, vma->vm_page_prot));
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index de1f15969e27..21d271a29d96 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -616,6 +616,8 @@ static vm_fault_t __do_huge_pmd_anonymous_page(struct vm_fault *vmf,
mem_cgroup_commit_charge(page, memcg, false, true);
lru_cache_add_active_or_unevictable(page, vma);
pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pmd_at(vma->vm_mm, haddr, vmf->pmd, entry);
add_mm_counter(vma->vm_mm, MM_ANONPAGES, HPAGE_PMD_NR);
mm_inc_nr_ptes(vma->vm_mm);
@@ -1276,7 +1278,9 @@ static vm_fault_t do_huge_pmd_wp_page_fallback(struct vm_fault *vmf,
}
kfree(pages);
+ /* commit non-atomic ops before exposing to fast gup */
smp_wmb(); /* make pte visible before pmd */
+
pmd_populate(vma->vm_mm, vmf->pmd, pgtable);
page_remove_rmap(page, true);
spin_unlock(vmf->ptl);
@@ -1423,6 +1427,8 @@ vm_fault_t do_huge_pmd_wp_page(struct vm_fault *vmf, pmd_t orig_pmd)
page_add_new_anon_rmap(new_page, vma, haddr, true);
mem_cgroup_commit_charge(new_page, memcg, false, true);
lru_cache_add_active_or_unevictable(new_page, vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pmd_at(vma->vm_mm, haddr, vmf->pmd, entry);
update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
if (!page) {
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index 70ff98e1414d..f2901edce6de 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -1074,6 +1074,8 @@ static void collapse_huge_page(struct mm_struct *mm,
count_memcg_events(memcg, THP_COLLAPSE_ALLOC, 1);
lru_cache_add_active_or_unevictable(new_page, vma);
pgtable_trans_huge_deposit(mm, pmd, pgtable);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pmd_at(mm, address, pmd, _pmd);
update_mmu_cache_pmd(vma, address, pmd);
spin_unlock(pmd_ptl);
diff --git a/mm/memory.c b/mm/memory.c
index aa86852d9ec2..6dabbc3cd3b7 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2367,6 +2367,8 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
* mmu page tables (such as kvm shadow page tables), we want the
* new page to be mapped directly into the secondary page table.
*/
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pte_at_notify(mm, vmf->address, vmf->pte, entry);
update_mmu_cache(vma, vmf->address, vmf->pte);
if (old_page) {
@@ -2877,7 +2879,6 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
flush_icache_page(vma, page);
if (pte_swp_soft_dirty(vmf->orig_pte))
pte = pte_mksoft_dirty(pte);
- set_pte_at(vma->vm_mm, vmf->address, vmf->pte, pte);
arch_do_swap_page(vma->vm_mm, vma, vmf->address, pte, vmf->orig_pte);
vmf->orig_pte = pte;
@@ -2886,12 +2887,15 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
page_add_new_anon_rmap(page, vma, vmf->address, false);
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_active_or_unevictable(page, vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
} else {
do_page_add_anon_rmap(page, vma, vmf->address, exclusive);
mem_cgroup_commit_charge(page, memcg, true, false);
activate_page(page);
}
+ set_pte_at(vma->vm_mm, vmf->address, vmf->pte, pte);
swap_free(entry);
if (mem_cgroup_swap_full(page) ||
(vma->vm_flags & VM_LOCKED) || PageMlocked(page))
@@ -3034,6 +3038,8 @@ static vm_fault_t do_anonymous_page(struct vm_fault *vmf)
page_add_new_anon_rmap(page, vma, vmf->address, false);
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_active_or_unevictable(page, vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
setpte:
set_pte_at(vma->vm_mm, vmf->address, vmf->pte, entry);
@@ -3297,6 +3303,8 @@ vm_fault_t alloc_set_pte(struct vm_fault *vmf, struct mem_cgroup *memcg,
page_add_new_anon_rmap(page, vma, vmf->address, false);
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_active_or_unevictable(page, vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
} else {
inc_mm_counter_fast(vma->vm_mm, mm_counter_file(page));
page_add_file_rmap(page, false);
diff --git a/mm/migrate.c b/mm/migrate.c
index 9f4ed4e985c1..943d147ecc3e 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -2783,6 +2783,8 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate,
lru_cache_add_active_or_unevictable(page, vma);
get_page(page);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
if (flush) {
flush_cache_page(vma, addr, pte_pfn(*ptep));
ptep_clear_flush_notify(vma, addr, ptep);
diff --git a/mm/swapfile.c b/mm/swapfile.c
index dab43523afdd..5c5547053ee0 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1880,8 +1880,6 @@ static int unuse_pte(struct vm_area_struct *vma, pmd_t *pmd,
dec_mm_counter(vma->vm_mm, MM_SWAPENTS);
inc_mm_counter(vma->vm_mm, MM_ANONPAGES);
get_page(page);
- set_pte_at(vma->vm_mm, addr, pte,
- pte_mkold(mk_pte(page, vma->vm_page_prot)));
if (page == swapcache) {
page_add_anon_rmap(page, vma, addr, false);
mem_cgroup_commit_charge(page, memcg, true, false);
@@ -1889,7 +1887,11 @@ static int unuse_pte(struct vm_area_struct *vma, pmd_t *pmd,
page_add_new_anon_rmap(page, vma, addr, false);
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_active_or_unevictable(page, vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
}
+ set_pte_at(vma->vm_mm, addr, pte,
+ pte_mkold(mk_pte(page, vma->vm_page_prot)));
swap_free(entry);
/*
* Move the page to the active list so it is not
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index c7ae74ce5ff3..4f92913242a1 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -92,6 +92,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
mem_cgroup_commit_charge(page, memcg, false, false);
lru_cache_add_active_or_unevictable(page, dst_vma);
+ /* commit non-atomic ops before exposing to fast gup */
+ smp_wmb();
set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
/* No need to invalidate - it was non-present before */
--
2.23.0.351.gc4317032e6-goog
next prev parent reply other threads:[~2019-09-24 23:25 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-08 22:56 [PATCH] mm: don't expose page to fast gup before it's ready Yu Zhao
2018-01-09 8:46 ` Michal Hocko
2018-01-09 10:10 ` Yu Zhao
2018-01-31 23:07 ` Andrew Morton
2019-05-14 21:25 ` Andrew Morton
2019-05-14 23:07 ` Yu Zhao
2019-09-14 7:05 ` [PATCH v2] mm: don't expose page to fast gup prematurely Yu Zhao
2019-09-24 11:23 ` Kirill A. Shutemov
2019-09-24 22:05 ` Yu Zhao
2019-09-25 12:17 ` Kirill A. Shutemov
2019-09-26 3:58 ` Yu Zhao
2019-09-24 23:24 ` [PATCH v3 1/4] mm: remove unnecessary smp_wmb() in collapse_huge_page() Yu Zhao
2019-09-24 23:24 ` [PATCH v3 2/4] mm: don't expose hugetlb page to fast gup prematurely Yu Zhao
2019-09-24 23:24 ` Yu Zhao [this message]
2019-09-25 8:25 ` [PATCH v3 3/4] mm: don't expose non-hugetlb " Peter Zijlstra
2019-09-25 22:26 ` Yu Zhao
2019-09-26 10:20 ` Kirill A. Shutemov
2019-09-27 3:26 ` John Hubbard
2019-09-27 12:33 ` Michal Hocko
[not found] ` <20190927050648.GA92494@google.com>
[not found] ` <712513fe-f064-c965-d165-80d43cfc606f@nvidia.com>
2019-10-02 0:00 ` Yu Zhao
2019-09-24 23:24 ` [PATCH v3 4/4] mm: remove unnecessary smp_wmb() in __SetPageUptodate() Yu Zhao
2019-09-24 23:50 ` Matthew Wilcox
2019-09-25 22:03 ` Yu Zhao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190924232459.214097-3-yuzhao@google.com \
--to=yuzhao@google.com \
--cc=aarcange@redhat.com \
--cc=acme@kernel.org \
--cc=airlied@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.h.duyck@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=aneesh.kumar@linux.ibm.com \
--cc=anthony.yznaga@oracle.com \
--cc=daniel.m.jordan@oracle.com \
--cc=darrick.wong@oracle.com \
--cc=david@redhat.com \
--cc=hannes@cmpxchg.org \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=jgg@ziepe.ca \
--cc=jglisse@redhat.com \
--cc=jgross@suse.com \
--cc=joel@joelfernandes.org \
--cc=jolsa@redhat.com \
--cc=jrdr.linux@gmail.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=ldr709@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mark.rutland@arm.com \
--cc=mgorman@suse.de \
--cc=mhocko@suse.com \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=osandov@fb.com \
--cc=pavel.tatashin@microsoft.com \
--cc=peterz@infradead.org \
--cc=rcampbell@nvidia.com \
--cc=rientjes@google.com \
--cc=rppt@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=thellstrom@vmware.com \
--cc=vbabka@suse.cz \
--cc=vpillai@digitalocean.com \
--cc=willy@infradead.org \
--cc=ying.huang@intel.com \
--cc=ziqian.lzq@antfin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).