> On Nov 8, 2023, at 6:12 AM, Byungchul Park <byungchul@xxxxxx> wrote:
>
> !! External Email
>
> On Mon, Oct 30, 2023 at 09:51:30PM +0900, Byungchul Park wrote:
>>>> diff --git a/mm/memory.c b/mm/memory.c
>>>> index 6c264d2f969c..75dc48b6e15f 100644
>>>> --- a/mm/memory.c
>>>> +++ b/mm/memory.c
>>>> @@ -3359,6 +3359,19 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf)
>>>> if (vmf->page)
>>>> folio = page_folio(vmf->page);
>>>>
>>>> + /*
>>>> + * This folio has its read copy to prevent inconsistency while
>>>> + * deferring TLB flushes. However, the problem might arise if
>>>> + * it's going to become writable.
>>>> + *
>>>> + * To prevent it, give up the deferring TLB flushes and perform
>>>> + * TLB flush right away.
>>>> + */
>>>> + if (folio && migrc_pending_folio(folio)) {
>>>> + migrc_unpend_folio(folio);
>>>> + migrc_try_flush_free_folios(NULL);
>>>
>>> So many potential function calls… Probably they should have been combined
>>> into one and at least migrc_pending_folio() should have been an inline
>>> function in the header.
>>
>> I will try to change it as you mention.
>>
>>>> + }
>>>> +
>>>
>>> What about mprotect? I thought David has changed it so it can set writable
>>> PTEs.
>>
>> I will check it out.
>
> I found mprotect stuff is already performing TLB flushes needed for it.
> So some redundant TLB flushes might happen by migrc but it's not that
> harmful I think. Thanks.
Let me explain the scenario I am concerned with. Assume page P is RO, and
moves from Psrc to Pdst. Pointer “p” points to P. Initially (*p == 0).
Let’s also assume we also have an atomic variable “a”. Initially (a == 0).
I hope I got the migration function names right, but I hope the problem
itself can be clear regardless.
CPU0 CPU1 CPU2 CPU3
---- ---- ---- ----
(user-mode) (user-mode)
Access *p
[Psrc cached in TLB]
migrate_pages_batch()
-> migrate_folio_unmap()
[ PTE updated,
still no flush ]
mprotect(p,
RW)
[ Psrc is
RW ]
[ flush
deferred]
*p = 1 # Pdst
xchg(&a, 1)
mfence
if (a == 1)
assert(*p == 1);
Now at this point the assertion might fail. CPU2 wrote into Pdst, whereas
CPU1 reads from Psrc. But based on x86 memory model, userspace might not
expect this scenario to be possible, hence leading to bugs.
