[PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast
David Hildenbrand
david at redhat.com
Thu May 2 06:08:20 PDT 2024
On 01.05.24 16:33, Ryan Roberts wrote:
> __split_huge_pmd_locked() can be called for a present THP, devmap or
> (non-present) migration entry. It calls pmdp_invalidate()
> unconditionally on the pmdp and only determines if it is present or not
> based on the returned old pmd. This is a problem for the migration entry
> case because pmd_mkinvalid(), called by pmdp_invalidate(), must only be
> called for a present pmd.
>
> On arm64 at least, pmd_mkinvalid() will mark the pmd such that any
> future call to pmd_present() will return true. And therefore any
> lockless pgtable walker could see the migration entry pmd in this state
> and start interpreting the fields as if it were present, leading to
> BadThings (TM). GUP-fast appears to be one such lockless pgtable walker.
>
> x86 does not suffer the above problem, but instead pmd_mkinvalid() will
> corrupt the offset field of the swap entry within the swap pte. See link
> below for discussion of that problem.
Could that explain:
https://lore.kernel.org/all/YjoGbhreg8lGCGIJ@linutronix.de/
Where the PFN of a migration entry might have been corrupted?
Ccing Felix
Patch itself looks good to me
Acked-by: David Hildenbrand <david at redhat.com>
--
Cheers,
David / dhildenb