This is a note to let you know that I've just added the patch titled
mm: enable maple tree RCU mode by default.
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
mm-enable-maple-tree-rcu-mode-by-default.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable-owner@xxxxxxxxxxxxxxx Tue Apr 11 17:14:26 2023
From: "Liam R. Howlett" <Liam.Howlett@xxxxxxxxxx>
Date: Tue, 11 Apr 2023 11:10:55 -0400
Subject: mm: enable maple tree RCU mode by default.
To: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, stable@xxxxxxxxxxxxxxx
Cc: maple-tree@xxxxxxxxxxxxxxxxxxx, linux-mm@xxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, "Liam R. Howlett" <Liam.Howlett@xxxxxxxxxx>, "Liam R . Howlett" <Liam.Howlett@xxxxxxxxxx>, syzbot+8d95422d3537159ca390@xxxxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <20230411151055.2910579-15-Liam.Howlett@xxxxxxxxxx>
From: "Liam R. Howlett" <Liam.Howlett@xxxxxxxxxx>
commit 3dd4432549415f3c65dd52d5c687629efbf4ece1 upstream.
Use the maple tree in RCU mode for VMA tracking.
The maple tree tracks the stack and is able to update the pivot
(lower/upper boundary) in-place to allow the page fault handler to write
to the tree while holding just the mmap read lock. This is safe as the
writes to the stack have a guard VMA which ensures there will always be
a NULL in the direction of the growth and thus will only update a pivot.
It is possible, but not recommended, to have VMAs that grow up/down
without guard VMAs. syzbot has constructed a testcase which sets up a
VMA to grow and consume the empty space. Overwriting the entire NULL
entry causes the tree to be altered in a way that is not safe for
concurrent readers; the readers may see a node being rewritten or one
that does not match the maple state they are using.
Enabling RCU mode allows the concurrent readers to see a stable node and
will return the expected result.
Link: https://lkml.kernel.org/r/20230227173632.3292573-9-surenb@xxxxxxxxxx
Cc: stable@xxxxxxxxxxxxxxx
Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
Reported-by: syzbot+8d95422d3537159ca390@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
include/linux/mm_types.h | 3 ++-
kernel/fork.c | 3 +++
mm/mmap.c | 3 ++-
3 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -725,7 +725,8 @@ struct mm_struct {
unsigned long cpu_bitmap[];
};
-#define MM_MT_FLAGS (MT_FLAGS_ALLOC_RANGE | MT_FLAGS_LOCK_EXTERN)
+#define MM_MT_FLAGS (MT_FLAGS_ALLOC_RANGE | MT_FLAGS_LOCK_EXTERN | \
+ MT_FLAGS_USE_RCU)
extern struct mm_struct init_mm;
/* Pointer magic because the dynamic array size confuses some compilers. */
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -617,6 +617,7 @@ static __latent_entropy int dup_mmap(str
if (retval)
goto out;
+ mt_clear_in_rcu(mas.tree);
mas_for_each(&old_mas, mpnt, ULONG_MAX) {
struct file *file;
@@ -703,6 +704,8 @@ static __latent_entropy int dup_mmap(str
retval = arch_dup_mmap(oldmm, mm);
loop_out:
mas_destroy(&mas);
+ if (!retval)
+ mt_set_in_rcu(mas.tree);
out:
mmap_write_unlock(mm);
flush_tlb_mm(oldmm);
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2308,7 +2308,7 @@ do_mas_align_munmap(struct ma_state *mas
int count = 0;
int error = -ENOMEM;
MA_STATE(mas_detach, &mt_detach, 0, 0);
- mt_init_flags(&mt_detach, MT_FLAGS_LOCK_EXTERN);
+ mt_init_flags(&mt_detach, mas->tree->ma_flags & MT_FLAGS_LOCK_MASK);
mt_set_external_lock(&mt_detach, &mm->mmap_lock);
if (mas_preallocate(mas, vma, GFP_KERNEL))
@@ -3095,6 +3095,7 @@ void exit_mmap(struct mm_struct *mm)
*/
set_bit(MMF_OOM_SKIP, &mm->flags);
mmap_write_lock(mm);
+ mt_clear_in_rcu(&mm->mm_mt);
free_pgtables(&tlb, &mm->mm_mt, vma, FIRST_USER_ADDRESS,
USER_PGTABLES_CEILING);
tlb_finish_mmu(&tlb);
Patches currently in stable-queue which might be from stable-owner@xxxxxxxxxxxxxxx are
queue-6.1/maple_tree-fix-potential-rcu-issue.patch
queue-6.1/maple_tree-add-smp_rmb-to-dead-node-detection.patch
queue-6.1/maple_tree-add-rcu-lock-checking-to-rcu-callback-functions.patch
queue-6.1/maple_tree-fix-handle-of-invalidated-state-in-mas_wr_store_setup.patch
queue-6.1/maple_tree-reduce-user-error-potential.patch
queue-6.1/maple_tree-fix-mas_prev-and-mas_find-state-handling.patch
queue-6.1/maple_tree-remove-gfp_zero-from-kmem_cache_alloc-and-kmem_cache_alloc_bulk.patch
queue-6.1/maple_tree-be-more-cautious-about-dead-nodes.patch
queue-6.1/mm-enable-maple-tree-rcu-mode-by-default.patch
queue-6.1/maple_tree-detect-dead-nodes-in-mas_start.patch
queue-6.1/maple_tree-fix-freeing-of-nodes-in-rcu-mode.patch
queue-6.1/maple_tree-remove-extra-smp_wmb-from-mas_dead_leaves.patch
queue-6.1/maple_tree-refine-ma_state-init-from-mas_start.patch
