Syzbot reported a BUG_ON in mm/mmap.c which was found to be caused by an inconsistency between threads walking the VMA maple tree. The inconsistency is caused by the page fault handler modifying the maple tree while holding the mmap_lock for read. This only happens for stack VMAs. We had thought this was safe as it only modifies a single pivot in the tree. Unfortunately, syzbot constructed a test case where the stack had no guard page and grew the stack to abut the next VMA. This causes us to delete the NULL entry between the two VMAs and rewrite the node. We considered several options for fixing this, including dropping the mmap_lock, then reacquiring it for write; and relaxing the definition of the tree to permit a zero-length NULL entry in the node. We decided the best option was to backport some of the RCU patches from -next, which solve the problem by allocating a new node and RCU-freeing the old node. Since the problem exists in 6.1, we preferred a solution which is similar to the one we intended to merge next merge window. These patches have been in -next since next-20230301, and have received intensive testing in Android as part of the RCU page fault patchset. They were also sent as part of the "Per-VMA locks" v4 patch series. Patches 1 to 7 are bug fixes for RCU mode of the tree and patch 8 enables RCU mode for the tree. Performance v6.3-rc3 vs patched v6.3-rc3: Running these changes through mmtests showed there was a 15-20% performance decrease in will-it-scale/brk1-processes. This tests creating and inserting a single VMA repeatedly through the brk interface and isn't representative of any real world applications. Liam R. Howlett (8): maple_tree: be more cautious about dead nodes maple_tree: detect dead nodes in mas_start() maple_tree: fix freeing of nodes in rcu mode maple_tree: remove extra smp_wmb() from mas_dead_leaves() maple_tree: fix write memory barrier of nodes once dead for RCU mode maple_tree: add smp_rmb() to dead node detection maple_tree: add RCU lock checking to rcu callback functions mm: enable maple tree RCU mode by default. include/linux/mm_types.h | 3 +- kernel/fork.c | 3 + lib/maple_tree.c | 269 +++++++++++++++++++++---------- mm/mmap.c | 3 +- tools/testing/radix-tree/maple.c | 16 ++ 5 files changed, 207 insertions(+), 87 deletions(-) -- 2.39.2
