On Sat, Feb 28, 2015 at 02:52:35PM -0800, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 3.10-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.
This patch depends on commit 61f77eda9bbf ("mm/hugetlb: reduce arch dependent
code around follow_huge_*"), but 61f77eda9bbf also conflicts due to the lack
of other patches like commit 3212b535f200 ("mm: hugetlb: Copy huge_pmd_share
from x86 to mm.") and commit 53313b2c9130 ("x86: mm: Remove general hugetlb
code from x86.") and more.
So there seems no easy way to backport this patch.
Considering that the race condition fixed by this patch very rarely occurs
on 3.10, because there's only one user of hugepage migration (soft offline)
before 3.12, so I think that the risk of leaving this race is small enough
and acceptable. So I'm OK to skip this backporting.
Thanks,
Naoya Horiguchi
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From cbef8478bee55775ac312a574aad48af7bb9cf9f Mon Sep 17 00:00:00 2001
> From: Naoya Horiguchi <n-horiguchi@xxxxxxxxxxxxx>
> Date: Wed, 11 Feb 2015 15:25:19 -0800
> Subject: [PATCH] mm/hugetlb: pmd_huge() returns true for non-present hugepage
>
> Migrating hugepages and hwpoisoned hugepages are considered as non-present
> hugepages, and they are referenced via migration entries and hwpoison
> entries in their page table slots.
>
> This behavior causes race condition because pmd_huge() doesn't tell
> non-huge pages from migrating/hwpoisoned hugepages. follow_page_mask() is
> one example where the kernel would call follow_page_pte() for such
> hugepage while this function is supposed to handle only normal pages.
>
> To avoid this, this patch makes pmd_huge() return true when pmd_none() is
> true *and* pmd_present() is false. We don't have to worry about mixing up
> non-present pmd entry with normal pmd (pointing to leaf level pte entry)
> because pmd_present() is true in normal pmd.
>
> The same race condition could happen in (x86-specific) gup_pmd_range(),
> where this patch simply adds pmd_present() check instead of pmd_huge().
> This is because gup_pmd_range() is fast path. If we have non-present
> hugepage in this function, we will go into gup_huge_pmd(), then return 0
> at flag mask check, and finally fall back to the slow path.
>
> Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
> Signed-off-by: Naoya Horiguchi <n-horiguchi@xxxxxxxxxxxxx>
> Cc: Hugh Dickins <hughd@xxxxxxxxxx>
> Cc: James Hogan <james.hogan@xxxxxxxxxx>
> Cc: David Rientjes <rientjes@xxxxxxxxxx>
> Cc: Mel Gorman <mel@xxxxxxxxx>
> Cc: Johannes Weiner <hannes@xxxxxxxxxxx>
> Cc: Michal Hocko <mhocko@xxxxxxx>
> Cc: Rik van Riel <riel@xxxxxxxxxx>
> Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
> Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
> Cc: Nishanth Aravamudan <nacc@xxxxxxxxxxxxxxxxxx>
> Cc: Lee Schermerhorn <lee.schermerhorn@xxxxxx>
> Cc: Steve Capper <steve.capper@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> [2.6.36+]
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
>
> diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
> index d7547824e763..224b14235e96 100644
> --- a/arch/x86/mm/gup.c
> +++ b/arch/x86/mm/gup.c
> @@ -172,7 +172,7 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end,
> */
> if (pmd_none(pmd) || pmd_trans_splitting(pmd))
> return 0;
> - if (unlikely(pmd_large(pmd))) {
> + if (unlikely(pmd_large(pmd) || !pmd_present(pmd))) {
> /*
> * NUMA hinting faults need to be handled in the GUP
> * slowpath for accounting purposes and so that they
> diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
> index f48423f10141..42982b26e32b 100644
> --- a/arch/x86/mm/hugetlbpage.c
> +++ b/arch/x86/mm/hugetlbpage.c
> @@ -54,9 +54,15 @@ int pud_huge(pud_t pud)
>
> #else
>
> +/*
> + * pmd_huge() returns 1 if @pmd is hugetlb related entry, that is normal
> + * hugetlb entry or non-present (migration or hwpoisoned) hugetlb entry.
> + * Otherwise, returns 0.
> + */
> int pmd_huge(pmd_t pmd)
> {
> - return !!(pmd_val(pmd) & _PAGE_PSE);
> + return !pmd_none(pmd) &&
> + (pmd_val(pmd) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT;
> }
>
> int pud_huge(pud_t pud)
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index f533d336e569..d96b8bfa748f 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -3679,6 +3679,8 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address,
> {
> struct page *page;
>
> + if (!pmd_present(*pmd))
> + return NULL;
> page = pte_page(*(pte_t *)pmd);
> if (page)
> page += ((address & ~PMD_MASK) >> PAGE_SHIFT);
> --
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html