Re: [PATCH 1/2] userfaultfd: Fix pmd_trans_huge() recheck race

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 13, 2024 at 8:19 AM Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx> wrote:
>
> Hi Jann,
>
> On 2024/8/13 00:42, Jann Horn wrote:
> > The following race can occur:
> >
> >    mfill_atomic                other thread
> >    ============                ============
> >                                <zap PMD>
> >    pmdp_get_lockless() [reads none pmd]
> >    <bail if trans_huge>
> >    <if none:>
> >                                <pagefault creates transhuge zeropage>
> >      __pte_alloc [no-op]
> >                                <zap PMD>
> >    <bail if pmd_trans_huge(*dst_pmd)>
> >    BUG_ON(pmd_none(*dst_pmd))
> >
> > I have experimentally verified this in a kernel with extra mdelay() calls;
> > the BUG_ON(pmd_none(*dst_pmd)) triggers.
> >
> > On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow
> > pte_offset_map[_lock]() to fail"), this can't lead to anything worse than
> > a BUG_ON(), since the page table access helpers are actually designed to
> > deal with page tables concurrently disappearing; but on older kernels
> > (<=6.4), I think we could probably theoretically race past the two BUG_ON()
> > checks and end up treating a hugepage as a page table.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
> > Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
> > ---
> >   mm/userfaultfd.c | 3 ++-
> >   1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > index e54e5c8907fa..ec3750467aa5 100644
> > --- a/mm/userfaultfd.c
> > +++ b/mm/userfaultfd.c
> > @@ -801,7 +801,8 @@ static __always_inline ssize_t mfill_atomic(struct userfaultfd_ctx *ctx,
> >                       break;
> >               }
> >               /* If an huge pmd materialized from under us fail */
> > -             if (unlikely(pmd_trans_huge(*dst_pmd))) {
> > +             dst_pmdval = pmdp_get_lockless(dst_pmd);
> > +             if (unlikely(pmd_none(dst_pmdval) || pmd_trans_huge(dst_pmdval))) {
>
> Before commit 0d940a9b270b, should we also check for
> is_pmd_migration_entry(), pmd_devmap() and pmd_bad() here?

Oooh. I think you're right that this check is insufficient, thanks for
spotting that.

I think I should probably change the check to something like this?

if (unlikely(!pmd_present(dst_pmdval) || pmd_trans_huge(dst_pmdval) ||
pmd_devmap(dst_pmdval) || pmd_bad(dst_pmdval))) {

!pmd_present() implies !is_pmd_migration_entry(). And the pmd_bad() at
the end shouldn't be necessary if everything is working right, I'm
just tacking it on to be safe.

I'll send a v2 with this change soon.

(Alternatively, pmd_leaf() might be useful here, but then we'd have to
figure an alternate way of doing this for the backport.)





[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux