On 3/27/23 19:14, Alistair Popple wrote:
> Device exclusive page table entries are used to prevent CPU access to
> a page whilst it is being accessed from a device. Typically this is
> used to implement atomic operations when the underlying bus does not
> support atomic access. When a CPU thread encounters a device exclusive
> entry it locks the page and restores the original entry after calling
> mmu notifiers to signal drivers that exclusive access is no longer
> available.
>
> The device exclusive entry holds a reference to the page making it
> safe to access the struct page whilst the entry is present. However
> the fault handling code does not hold the PTL when taking the page
> lock. This means if there are multiple threads faulting concurrently
> on the device exclusive entry one will remove the entry whilst others
> will wait on the page lock without holding a reference.
>
> This can lead to threads locking or waiting on a page with a zero
> refcount. Whilst mmap_lock prevents the pages getting freed via
> munmap() they may still be freed by a migration. This leads to
An important point! So I'm glad that you wrote it here clearly.
> warnings such as PAGE_FLAGS_CHECK_AT_FREE due to the page being locked
> when the refcount drops to zero. Note that during removal of the
> device exclusive entry the PTE is currently re-checked under the PTL
> so no futher bad page accesses occur once it is locked.
Maybe change that last sentence to something like this:
"Fix this by taking a page reference before starting to remove a device
exclusive pte. This is done safely in a lock-free way by first getting a
reference via get_page_unless_zero(), and then re-checking after
acquiring the PTL, that the page is the correct one."
?
...well, maybe that's not all that much help. But it does at least
provide the traditional description of what the patch *does*, at
the end of the commit description. But please treat this as just
an optional suggestion.
>
> Signed-off-by: Alistair Popple <apopple@xxxxxxxxxx>
> Fixes: b756a3b5e7ea ("mm: device exclusive memory access")
> Cc: stable@xxxxxxxxxxxxxxx
> ---
> mm/memory.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
On the patch process, I see that this applies to linux-stable's 6.1.y
branch. I'd suggest two things:
1) Normally, what I've seen done is to post against either the current
top of tree linux.git, or else against one of the mm-stable branches.
And then after it's accepted, create a version for -stable.
2) Either indicate in the cover letter (or after the ---) which branch
or commit this applies to, or let git format-patch help by passing in
the base commit via --base. That will save "some people" (people like
me) from having to guess, if they want to apply the patch locally and
poke around at it.
Anyway, all of the above are just little documentation and process
suggestions, but the patch itself looks great, so please feel free to
add:
Reviewed-by: John Hubbard <jhubbard@xxxxxxxxxx>
thanks,
--
John Hubbard
NVIDIA
>
> diff --git a/mm/memory.c b/mm/memory.c
> index 8c8420934d60..b499bd283d8e 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -3623,8 +3623,19 @@ static vm_fault_t remove_device_exclusive_entry(struct vm_fault *vmf)
> struct vm_area_struct *vma = vmf->vma;
> struct mmu_notifier_range range;
>
> - if (!folio_lock_or_retry(folio, vma->vm_mm, vmf->flags))
> + /*
> + * We need a page reference to lock the page because we don't
> + * hold the PTL so a racing thread can remove the
> + * device-exclusive entry and unmap the page. If the page is
> + * free the entry must have been removed already.
> + */
> + if (!get_page_unless_zero(vmf->page))
> + return 0;
> +
> + if (!folio_lock_or_retry(folio, vma->vm_mm, vmf->flags)) {
> + put_page(vmf->page);
> return VM_FAULT_RETRY;
> + }
> mmu_notifier_range_init_owner(&range, MMU_NOTIFY_EXCLUSIVE, 0, vma,
> vma->vm_mm, vmf->address & PAGE_MASK,
> (vmf->address & PAGE_MASK) + PAGE_SIZE, NULL);
> @@ -3637,6 +3648,7 @@ static vm_fault_t remove_device_exclusive_entry(struct vm_fault *vmf)
>
> pte_unmap_unlock(vmf->pte, vmf->ptl);
> folio_unlock(folio);
> + put_page(vmf->page);
>
> mmu_notifier_invalidate_range_end(&range);
> return 0;
