[PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast
Ryan Roberts
ryan.roberts at arm.com
Thu May 2 06:47:05 PDT 2024
On 02/05/2024 14:08, David Hildenbrand wrote:
> On 01.05.24 16:33, Ryan Roberts wrote:
>> __split_huge_pmd_locked() can be called for a present THP, devmap or
>> (non-present) migration entry. It calls pmdp_invalidate()
>> unconditionally on the pmdp and only determines if it is present or not
>> based on the returned old pmd. This is a problem for the migration entry
>> case because pmd_mkinvalid(), called by pmdp_invalidate() must only be
>> called for a present pmd.
>>
>> On arm64 at least, pmd_mkinvalid() will mark the pmd such that any
>> future call to pmd_present() will return true. And therefore any
>> lockless pgtable walker could see the migration entry pmd in this state
>> and start interpreting the fields as if it were present, leading to
>> BadThings (TM). GUP-fast appears to be one such lockless pgtable walker.
>>
>> x86 does not suffer the above problem, but instead pmd_mkinvalid() will
>> corrupt the offset field of the swap entry within the swap pte. See link
>> below for discussion of that problem.
>
> Could that explain:
>
> https://lore.kernel.org/all/YjoGbhreg8lGCGIJ@linutronix.de/
>
> Where the PFN of a migration entry might have been corrupted?
Ahh interesting! Yes, it seems to fit...
>
> Ccing Felix
Are you able to reliably reproduce the bug, Felix? If so, would you mind trying
with this patch to see if it goes away?
>
>
> Patch itself looks good to me
>
> Acked-by: David Hildenbrand <david at redhat.com>
Thanks!
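To make the failure mode in the quoted description concrete, here is an added, simplified C model of what the thread says about arm64 (it is not the kernel's code, and the bit positions, the sample descriptor value and all function names are assumptions): an unconditional "mark invalid" turns a non-present migration entry into something that reads back as present, while guarding the call on pmd_present() leaves the migration entry untouched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an arm64 PMD descriptor (assumption, not the kernel's
 * definitions): bit 0 is the hardware VALID bit, and one software bit marks a
 * PMD as "present but invalidated" so lockless walkers still treat it as
 * present while the hardware ignores it. */
#define BIT_VALID            (UINT64_C(1) << 0)
#define BIT_PRESENT_INVALID  (UINT64_C(1) << 59) /* assumed software bit */

typedef uint64_t pmd_t;

/* Constructed sample migration entry: neither bit above is set, the rest of
 * the word carries the swap-entry payload (type/offset). */
#define SAMPLE_MIGRATION_ENTRY UINT64_C(0x00000000deadbee0)

static bool model_pmd_present(pmd_t pmd)
{
    /* Present if hardware-valid or explicitly marked present-but-invalid. */
    return (pmd & BIT_VALID) || (pmd & BIT_PRESENT_INVALID);
}

static pmd_t model_pmd_mkinvalid(pmd_t pmd)
{
    /* Clear VALID so the MMU stops using the entry, set the software bit so
     * pmd_present() keeps reporting it. Only meaningful for a present pmd. */
    return (pmd & ~BIT_VALID) | BIT_PRESENT_INVALID;
}

/* The pre-fix behaviour the thread describes: invalidate unconditionally. */
static pmd_t split_unguarded(pmd_t pmd)
{
    return model_pmd_mkinvalid(pmd);
}

/* Guarded variant: only a present pmd is invalidated; a migration entry is
 * passed through unchanged, so it never starts looking present. */
static pmd_t split_guarded(pmd_t pmd)
{
    return model_pmd_present(pmd) ? model_pmd_mkinvalid(pmd) : pmd;
}

int main(void)
{
    pmd_t mig = SAMPLE_MIGRATION_ENTRY;
    printf("unguarded: present=%d\n", model_pmd_present(split_unguarded(mig)));
    printf("guarded:   present=%d\n", model_pmd_present(split_guarded(mig)));
    return 0;
}
```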