Message ID | 20221129193526.3588187-4-peterx@redhat.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp535291wrr; Tue, 29 Nov 2022 11:48:16 -0800 (PST) X-Google-Smtp-Source: AA0mqf5JgmvCBD3qPxHBAdUpUa3OxEu5sBrRzwUqZnpSV5/hrugn+h5MgpbOS8fHRzS5ysGeQd2q X-Received: by 2002:a62:ea18:0:b0:56c:2d:1e56 with SMTP id t24-20020a62ea18000000b0056c002d1e56mr39436409pfh.41.1669751296313; Tue, 29 Nov 2022 11:48:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669751296; cv=none; d=google.com; s=arc-20160816; b=F3kPRsyCuOjr6C7jJ2zY3gw+0sQ8VzrLR+VDtfj81ArlrryRkrQ7jHM5J+JjKac5Op FSBBcPQqTnVGWDBv84jPKWPuN8l0nnoEbDfQZ+ZsXFX6tWvvRy+9afQb3+mfXgXJQBF/ +Vajw8TdOaQoj1ShUFEgVHX8K4hQW9Sso8wS22sE1jR/TG2NGhnr6l37TnhRZDovct2Y eiiRa8aSPXW6iEaQ8jLu16TheJFBbIAQXtBQuIckab+XLnBQ9hwrRjqEWI4i+3bH6vgj /It8ZsZfaYYD6GzWnO6T5hzSKQTFa2RTMpDAvSk3tnQ6pg8LaRGWSflot1EtCpUJNRpW hy/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=1A7zSSAdH3Q+Nn9HaLXwUXJ3cHWzn45QfpKMkITSm0w=; b=0gs4qjh8lIaZNR/PCUS1aoX1c8fiKaYRQRt50HGsbUGCSPKlAJ9GNm7ghQgw/30iuQ k1GfZN+s9MdyC/6HyjobxjR1Q7hC9DaF65MTzCokscdF0q2PEJaiHqMXDQnA+JzUi+35 V+Ofb+FkgJ9FY0Rm4hpQZEQlQvZ3mWIvpqACMqVhBVyfw34MfvwCZnEdt2VAnsAJSIdX 6KPSMUtySnVPVg1Hb6+F7VzfFJRTJXYGULBrs7O1KffSoeuIjcLlvYSbKl5qW/K4jnDw VKFw9IRt7Vr+rn7SQM8NDhIQVJhHafsFT8sw5XizqvdhsbWOQbVvDNGfzw9devgF+YrS eFxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=b6gVKCGZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k16-20020a635a50000000b0047757685d7esi16164524pgm.772.2022.11.29.11.48.02; Tue, 29 Nov 2022 11:48:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=b6gVKCGZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237073AbiK2TiO (ORCPT <rfc822;rbbytesnap@gmail.com> + 99 others); Tue, 29 Nov 2022 14:38:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49228 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237122AbiK2ThL (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 29 Nov 2022 14:37:11 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BF7242F657 for <linux-kernel@vger.kernel.org>; Tue, 29 Nov 2022 11:35:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1669750537; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1A7zSSAdH3Q+Nn9HaLXwUXJ3cHWzn45QfpKMkITSm0w=; b=b6gVKCGZCvbnoU5aOoZzsIibfF+bR1hZQIon/dYwWZEkyI+xD/keZLKldUD6ds9Nb+7zT6 s39XNLh8ldeMS5hzTnsCGCtrmvEt+Bpm9X1cziLyx6nl29hk80lcOQpM5LB0XXz4QNwTeG mgcqWaT1+GJIr78wiEGaF+W847PoFXA= Received: from mail-qt1-f200.google.com (mail-qt1-f200.google.com [209.85.160.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-526-sxDb94_hNwmBDLCYUvi_LA-1; Tue, 29 Nov 2022 14:35:35 -0500 X-MC-Unique: sxDb94_hNwmBDLCYUvi_LA-1 Received: by mail-qt1-f200.google.com with SMTP id u31-20020a05622a199f00b003a51fa90654so23116707qtc.19 for <linux-kernel@vger.kernel.org>; Tue, 29 Nov 2022 11:35:35 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1A7zSSAdH3Q+Nn9HaLXwUXJ3cHWzn45QfpKMkITSm0w=; b=cmz5NIYTerrTD0Qr0NAw/VIW3XftWYzQA8kND8qUY2TZQPyg76spF+1GW04xM4ZpA/ f15lAQv2cVrJanJi4xqBLCGbyXWCsuQPmJm2/ZFdgIoBmkVanC0/9bw++3ZRS4y8T9le Q6kSaH8bhG8rGAfy08+Gb75pB6hLYueglORu/yw/ZHSiD/iZT5oGP1ejAXHqXGrDhl8+ sJKbpaPofxwKQJ4Jpbr4t6zdA4Kws4DEm1bmQITEPS6xG3uSKLuRFKmsoEC82Dl6oFey wTxoP7X2hk6Hp12pd3akL7YFMuzu+b4xkNjxhoQbEijlqbCylsFjzrGgXaEI1vqq8/Ml I4VA== X-Gm-Message-State: ANoB5pnh8McmTcEBukyfjPiALCPApXk5M7kPpFCWqtZzIz6JYHxxSMlc qtpzL4mv2sG1+Ud9BbgWTKk547GtVE/8ZZbp1TMOVORm3Ig2cQIptmzyGJGIeoShL68MfQiQm1d sEhk9TtYySRy5ZDFUh90FUOXC X-Received: by 2002:a05:620a:573:b0:6fc:1ddf:deec with SMTP id p19-20020a05620a057300b006fc1ddfdeecmr31840269qkp.595.1669750535316; Tue, 29 Nov 2022 11:35:35 -0800 (PST) X-Received: by 2002:a05:620a:573:b0:6fc:1ddf:deec with SMTP id p19-20020a05620a057300b006fc1ddfdeecmr31840242qkp.595.1669750535029; Tue, 29 Nov 2022 11:35:35 -0800 (PST) Received: from x1n.redhat.com (bras-base-aurron9127w-grc-46-70-31-27-79.dsl.bell.ca. [70.31.27.79]) by smtp.gmail.com with ESMTPSA id n1-20020a05620a294100b006fa16fe93bbsm11313013qkp.15.2022.11.29.11.35.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 29 Nov 2022 11:35:34 -0800 (PST) From: Peter Xu <peterx@redhat.com> To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: James Houghton <jthoughton@google.com>, Jann Horn <jannh@google.com>, peterx@redhat.com, Andrew Morton <akpm@linux-foundation.org>, Andrea Arcangeli <aarcange@redhat.com>, Rik van Riel <riel@surriel.com>, Nadav Amit <nadav.amit@gmail.com>, Miaohe Lin <linmiaohe@huawei.com>, Muchun Song <songmuchun@bytedance.com>, Mike Kravetz <mike.kravetz@oracle.com>, David Hildenbrand <david@redhat.com> Subject: [PATCH 03/10] mm/hugetlb: Document huge_pte_offset usage Date: Tue, 29 Nov 2022 14:35:19 -0500 Message-Id: <20221129193526.3588187-4-peterx@redhat.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20221129193526.3588187-1-peterx@redhat.com> References: <20221129193526.3588187-1-peterx@redhat.com> MIME-Version: 1.0 Content-type: text/plain Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1750861135152547356?= X-GMAIL-MSGID: =?utf-8?q?1750861135152547356?= |
Series |
[01/10] mm/hugetlb: Let vma_offset_start() to return start
|
|
Commit Message
Peter Xu
Nov. 29, 2022, 7:35 p.m. UTC
huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a
hugetlb address.
Normally, it's always safe to walk a generic pgtable as long as we're with
the mmap lock held for either read or write, because that guarantees the
pgtable pages will always be valid during the process.
But it's not true for hugetlbfs, especially shared: hugetlbfs can have its
pgtable freed by pmd unsharing, it means that even with mmap lock held for
current mm, the PMD pgtable page can still go away from under us if pmd
unsharing is possible during the walk.
So we have two ways to make it safe even for a shared mapping:
(1) If we're with the hugetlb vma lock held for either read/write, it's
okay because pmd unshare cannot happen at all.
(2) If we're with the i_mmap_rwsem lock held for either read/write, it's
okay because even if pmd unshare can happen, the pgtable page cannot
be freed from under us.
Document it.
Signed-off-by: Peter Xu <peterx@redhat.com>
---
include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
Comments
On 11/29/22 14:35, Peter Xu wrote: > huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a > hugetlb address. > > Normally, it's always safe to walk a generic pgtable as long as we're with > the mmap lock held for either read or write, because that guarantees the > pgtable pages will always be valid during the process. > > But it's not true for hugetlbfs, especially shared: hugetlbfs can have its > pgtable freed by pmd unsharing, it means that even with mmap lock held for > current mm, the PMD pgtable page can still go away from under us if pmd > unsharing is possible during the walk. > > So we have two ways to make it safe even for a shared mapping: > > (1) If we're with the hugetlb vma lock held for either read/write, it's > okay because pmd unshare cannot happen at all. > > (2) If we're with the i_mmap_rwsem lock held for either read/write, it's > okay because even if pmd unshare can happen, the pgtable page cannot > be freed from under us. > > Document it. > > Signed-off-by: Peter Xu <peterx@redhat.com> > --- > include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h > index 551834cd5299..81efd9b9baa2 100644 > --- a/include/linux/hugetlb.h > +++ b/include/linux/hugetlb.h > @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; > > pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, > unsigned long addr, unsigned long sz); > +/* > + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. > + * Returns the pte_t* if found, or NULL if the address is not mapped. > + * > + * Since this function will walk all the pgtable pages (including not only > + * high-level pgtable page, but also PUD entry that can be unshared > + * concurrently for VM_SHARED), the caller of this function should be > + * responsible of its thread safety. One can follow this rule: > + * > + * (1) For private mappings: pmd unsharing is not possible, so it'll > + * always be safe if we're with the mmap sem for either read or write. > + * This is normally always the case, IOW we don't need to do anything > + * special. > + * > + * (2) For shared mappings: pmd unsharing is possible (so the PUD-ranged > + * pgtable page can go away from under us! It can be done by a pmd > + * unshare with a follow up munmap() on the other process), then we > + * need either: > + * > + * (2.1) hugetlb vma lock read or write held, to make sure pmd unshare > + * won't happen upon the range (it also makes sure the pte_t we > + * read is the right and stable one), or, > + * > + * (2.2) hugetlb mapping i_mmap_rwsem lock held read or write, to make > + * sure even if unshare happened the racy unmap() will wait until > + * i_mmap_rwsem is released. Is that 100% correct? IIUC, the page tables will be released via the call to tlb_finish_mmu(). In most cases, the tlb_finish_mmu() call is performed when holding i_mmap_rwsem. However, in the final teardown of a hugetlb vma via __unmap_hugepage_range_final, the tlb_finish_mmu call is done outside the i_mmap_rwsem lock. In this case, I think we are still safe because nobody else should be walking the page table. I really like the documentation. However, if i_mmap_rwsem is not 100% safe I would prefer not to document it here. I don't think anyone relies on this do they?
On 29.11.22 20:35, Peter Xu wrote: > huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a > hugetlb address. > > Normally, it's always safe to walk a generic pgtable as long as we're with > the mmap lock held for either read or write, because that guarantees the > pgtable pages will always be valid during the process. With the addition, that it's only safe to walk within VMA ranges while holding the mmap lock in read mode. It's not safe to walk outside VMA ranges. But the point is that we're walking within a known hugetlbfs VMA, I assume, just adding it for completeness :) > > But it's not true for hugetlbfs, especially shared: hugetlbfs can have its > pgtable freed by pmd unsharing, it means that even with mmap lock held for > current mm, the PMD pgtable page can still go away from under us if pmd > unsharing is possible during the walk. > > So we have two ways to make it safe even for a shared mapping: > > (1) If we're with the hugetlb vma lock held for either read/write, it's > okay because pmd unshare cannot happen at all. > > (2) If we're with the i_mmap_rwsem lock held for either read/write, it's > okay because even if pmd unshare can happen, the pgtable page cannot > be freed from under us. > > Document it. > > Signed-off-by: Peter Xu <peterx@redhat.com> In general, I like that documentation. Let's see if we can figure out what to do with the i_mmap_rwsem.
On 29.11.22 20:35, Peter Xu wrote: > huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a > hugetlb address. > > Normally, it's always safe to walk a generic pgtable as long as we're with > the mmap lock held for either read or write, because that guarantees the > pgtable pages will always be valid during the process. > > But it's not true for hugetlbfs, especially shared: hugetlbfs can have its > pgtable freed by pmd unsharing, it means that even with mmap lock held for > current mm, the PMD pgtable page can still go away from under us if pmd > unsharing is possible during the walk. > > So we have two ways to make it safe even for a shared mapping: > > (1) If we're with the hugetlb vma lock held for either read/write, it's > okay because pmd unshare cannot happen at all. > > (2) If we're with the i_mmap_rwsem lock held for either read/write, it's > okay because even if pmd unshare can happen, the pgtable page cannot > be freed from under us. > > Document it. > > Signed-off-by: Peter Xu <peterx@redhat.com> > --- > include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h > index 551834cd5299..81efd9b9baa2 100644 > --- a/include/linux/hugetlb.h > +++ b/include/linux/hugetlb.h > @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; > > pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, > unsigned long addr, unsigned long sz); > +/* > + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. > + * Returns the pte_t* if found, or NULL if the address is not mapped. > + * > + * Since this function will walk all the pgtable pages (including not only > + * high-level pgtable page, but also PUD entry that can be unshared > + * concurrently for VM_SHARED), the caller of this function should be > + * responsible of its thread safety. One can follow this rule: > + * > + * (1) For private mappings: pmd unsharing is not possible, so it'll > + * always be safe if we're with the mmap sem for either read or write. > + * This is normally always the case, IOW we don't need to do anything > + * special. Maybe worth mentioning that hugetlb_vma_lock_read() and friends already optimize for private mappings, to not take the VMA lock if not required. Was happy to spot that optimization in there already :)
Hi, Mike, On Tue, Nov 29, 2022 at 08:55:21PM -0800, Mike Kravetz wrote: > > + * (2) For shared mappings: pmd unsharing is possible (so the PUD-ranged > > + * pgtable page can go away from under us! It can be done by a pmd > > + * unshare with a follow up munmap() on the other process), then we > > + * need either: > > + * > > + * (2.1) hugetlb vma lock read or write held, to make sure pmd unshare > > + * won't happen upon the range (it also makes sure the pte_t we > > + * read is the right and stable one), or, > > + * > > + * (2.2) hugetlb mapping i_mmap_rwsem lock held read or write, to make > > + * sure even if unshare happened the racy unmap() will wait until > > + * i_mmap_rwsem is released. > > Is that 100% correct? IIUC, the page tables will be released via the > call to tlb_finish_mmu(). In most cases, the tlb_finish_mmu() call is > performed when holding i_mmap_rwsem. However, in the final teardown of > a hugetlb vma via __unmap_hugepage_range_final, the tlb_finish_mmu call > is done outside the i_mmap_rwsem lock. In this case, I think we are > still safe because nobody else should be walking the page table. > > I really like the documentation. However, if i_mmap_rwsem is not 100% > safe I would prefer not to document it here. I don't think anyone > relies on this do they? I think i_mmap_rwsem is 100% safe. It's not in tlb_finish_mmu(), but when freeing the pgtables we need to unlink current vma from the vma list first: free_pgtables unlink_file_vma i_mmap_lock_write tlb_finish_mmu So it's not the same logic as how the RCU lock worked, but it's actually better (even though with higher overhead) because vma unlink happens before free_pgd_range(), so the pgtable locks are not freed yet (unlike RCU). Thanks,
On Wed, Nov 30, 2022 at 11:24:34AM +0100, David Hildenbrand wrote: > On 29.11.22 20:35, Peter Xu wrote: > > huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a > > hugetlb address. > > > > Normally, it's always safe to walk a generic pgtable as long as we're with > > the mmap lock held for either read or write, because that guarantees the > > pgtable pages will always be valid during the process. > > > > But it's not true for hugetlbfs, especially shared: hugetlbfs can have its > > pgtable freed by pmd unsharing, it means that even with mmap lock held for > > current mm, the PMD pgtable page can still go away from under us if pmd > > unsharing is possible during the walk. > > > > So we have two ways to make it safe even for a shared mapping: > > > > (1) If we're with the hugetlb vma lock held for either read/write, it's > > okay because pmd unshare cannot happen at all. > > > > (2) If we're with the i_mmap_rwsem lock held for either read/write, it's > > okay because even if pmd unshare can happen, the pgtable page cannot > > be freed from under us. > > > > Document it. > > > > Signed-off-by: Peter Xu <peterx@redhat.com> > > --- > > include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ > > 1 file changed, 32 insertions(+) > > > > diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h > > index 551834cd5299..81efd9b9baa2 100644 > > --- a/include/linux/hugetlb.h > > +++ b/include/linux/hugetlb.h > > @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; > > pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, > > unsigned long addr, unsigned long sz); > > +/* > > + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. > > + * Returns the pte_t* if found, or NULL if the address is not mapped. > > + * > > + * Since this function will walk all the pgtable pages (including not only > > + * high-level pgtable page, but also PUD entry that can be unshared > > + * concurrently for VM_SHARED), the caller of this function should be > > + * responsible of its thread safety. One can follow this rule: > > + * > > + * (1) For private mappings: pmd unsharing is not possible, so it'll > > + * always be safe if we're with the mmap sem for either read or write. > > + * This is normally always the case, IOW we don't need to do anything > > + * special. > > Maybe worth mentioning that hugetlb_vma_lock_read() and friends already > optimize for private mappings, to not take the VMA lock if not required. Yes we can. I assume this is not super urgent so I'll hold a while to see whether there's anything else that needs amending for the documents. Btw, even with hugetlb_vma_lock_read() checking SHARED for a private only code path it's still better to not take the lock at all, because that still contains a function jump which will be unnecesary. Thanks,
On 30.11.22 17:09, Peter Xu wrote: > On Wed, Nov 30, 2022 at 11:24:34AM +0100, David Hildenbrand wrote: >> On 29.11.22 20:35, Peter Xu wrote: >>> huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a >>> hugetlb address. >>> >>> Normally, it's always safe to walk a generic pgtable as long as we're with >>> the mmap lock held for either read or write, because that guarantees the >>> pgtable pages will always be valid during the process. >>> >>> But it's not true for hugetlbfs, especially shared: hugetlbfs can have its >>> pgtable freed by pmd unsharing, it means that even with mmap lock held for >>> current mm, the PMD pgtable page can still go away from under us if pmd >>> unsharing is possible during the walk. >>> >>> So we have two ways to make it safe even for a shared mapping: >>> >>> (1) If we're with the hugetlb vma lock held for either read/write, it's >>> okay because pmd unshare cannot happen at all. >>> >>> (2) If we're with the i_mmap_rwsem lock held for either read/write, it's >>> okay because even if pmd unshare can happen, the pgtable page cannot >>> be freed from under us. >>> >>> Document it. >>> >>> Signed-off-by: Peter Xu <peterx@redhat.com> >>> --- >>> include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ >>> 1 file changed, 32 insertions(+) >>> >>> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h >>> index 551834cd5299..81efd9b9baa2 100644 >>> --- a/include/linux/hugetlb.h >>> +++ b/include/linux/hugetlb.h >>> @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; >>> pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, >>> unsigned long addr, unsigned long sz); >>> +/* >>> + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. >>> + * Returns the pte_t* if found, or NULL if the address is not mapped. >>> + * >>> + * Since this function will walk all the pgtable pages (including not only >>> + * high-level pgtable page, but also PUD entry that can be unshared >>> + * concurrently for VM_SHARED), the caller of this function should be >>> + * responsible of its thread safety. One can follow this rule: >>> + * >>> + * (1) For private mappings: pmd unsharing is not possible, so it'll >>> + * always be safe if we're with the mmap sem for either read or write. >>> + * This is normally always the case, IOW we don't need to do anything >>> + * special. >> >> Maybe worth mentioning that hugetlb_vma_lock_read() and friends already >> optimize for private mappings, to not take the VMA lock if not required. > > Yes we can. I assume this is not super urgent so I'll hold a while to see > whether there's anything else that needs amending for the documents. > > Btw, even with hugetlb_vma_lock_read() checking SHARED for a private only > code path it's still better to not take the lock at all, because that still > contains a function jump which will be unnecesary. IMHO it makes coding a lot more consistent and less error-prone when not care about whether to the the lock or not (as an optimization) and just having this handled "automatically". Optimizing a jump out would rather smell like a micro-optimization.
On Wed, Nov 30, 2022 at 05:11:36PM +0100, David Hildenbrand wrote: > On 30.11.22 17:09, Peter Xu wrote: > > On Wed, Nov 30, 2022 at 11:24:34AM +0100, David Hildenbrand wrote: > > > On 29.11.22 20:35, Peter Xu wrote: > > > > huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a > > > > hugetlb address. > > > > > > > > Normally, it's always safe to walk a generic pgtable as long as we're with > > > > the mmap lock held for either read or write, because that guarantees the > > > > pgtable pages will always be valid during the process. > > > > > > > > But it's not true for hugetlbfs, especially shared: hugetlbfs can have its > > > > pgtable freed by pmd unsharing, it means that even with mmap lock held for > > > > current mm, the PMD pgtable page can still go away from under us if pmd > > > > unsharing is possible during the walk. > > > > > > > > So we have two ways to make it safe even for a shared mapping: > > > > > > > > (1) If we're with the hugetlb vma lock held for either read/write, it's > > > > okay because pmd unshare cannot happen at all. > > > > > > > > (2) If we're with the i_mmap_rwsem lock held for either read/write, it's > > > > okay because even if pmd unshare can happen, the pgtable page cannot > > > > be freed from under us. > > > > > > > > Document it. > > > > > > > > Signed-off-by: Peter Xu <peterx@redhat.com> > > > > --- > > > > include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ > > > > 1 file changed, 32 insertions(+) > > > > > > > > diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h > > > > index 551834cd5299..81efd9b9baa2 100644 > > > > --- a/include/linux/hugetlb.h > > > > +++ b/include/linux/hugetlb.h > > > > @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; > > > > pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, > > > > unsigned long addr, unsigned long sz); > > > > +/* > > > > + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. > > > > + * Returns the pte_t* if found, or NULL if the address is not mapped. > > > > + * > > > > + * Since this function will walk all the pgtable pages (including not only > > > > + * high-level pgtable page, but also PUD entry that can be unshared > > > > + * concurrently for VM_SHARED), the caller of this function should be > > > > + * responsible of its thread safety. One can follow this rule: > > > > + * > > > > + * (1) For private mappings: pmd unsharing is not possible, so it'll > > > > + * always be safe if we're with the mmap sem for either read or write. > > > > + * This is normally always the case, IOW we don't need to do anything > > > > + * special. > > > > > > Maybe worth mentioning that hugetlb_vma_lock_read() and friends already > > > optimize for private mappings, to not take the VMA lock if not required. > > > > Yes we can. I assume this is not super urgent so I'll hold a while to see > > whether there's anything else that needs amending for the documents. > > > > Btw, even with hugetlb_vma_lock_read() checking SHARED for a private only > > code path it's still better to not take the lock at all, because that still > > contains a function jump which will be unnecesary. > > IMHO it makes coding a lot more consistent and less error-prone when not > care about whether to the the lock or not (as an optimization) and just > having this handled "automatically". > > Optimizing a jump out would rather smell like a micro-optimization. Or we can move the lock helpers into the headers, too.
On 30.11.22 17:25, Peter Xu wrote: > On Wed, Nov 30, 2022 at 05:11:36PM +0100, David Hildenbrand wrote: >> On 30.11.22 17:09, Peter Xu wrote: >>> On Wed, Nov 30, 2022 at 11:24:34AM +0100, David Hildenbrand wrote: >>>> On 29.11.22 20:35, Peter Xu wrote: >>>>> huge_pte_offset() is potentially a pgtable walker, looking up pte_t* for a >>>>> hugetlb address. >>>>> >>>>> Normally, it's always safe to walk a generic pgtable as long as we're with >>>>> the mmap lock held for either read or write, because that guarantees the >>>>> pgtable pages will always be valid during the process. >>>>> >>>>> But it's not true for hugetlbfs, especially shared: hugetlbfs can have its >>>>> pgtable freed by pmd unsharing, it means that even with mmap lock held for >>>>> current mm, the PMD pgtable page can still go away from under us if pmd >>>>> unsharing is possible during the walk. >>>>> >>>>> So we have two ways to make it safe even for a shared mapping: >>>>> >>>>> (1) If we're with the hugetlb vma lock held for either read/write, it's >>>>> okay because pmd unshare cannot happen at all. >>>>> >>>>> (2) If we're with the i_mmap_rwsem lock held for either read/write, it's >>>>> okay because even if pmd unshare can happen, the pgtable page cannot >>>>> be freed from under us. >>>>> >>>>> Document it. >>>>> >>>>> Signed-off-by: Peter Xu <peterx@redhat.com> >>>>> --- >>>>> include/linux/hugetlb.h | 32 ++++++++++++++++++++++++++++++++ >>>>> 1 file changed, 32 insertions(+) >>>>> >>>>> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h >>>>> index 551834cd5299..81efd9b9baa2 100644 >>>>> --- a/include/linux/hugetlb.h >>>>> +++ b/include/linux/hugetlb.h >>>>> @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; >>>>> pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, >>>>> unsigned long addr, unsigned long sz); >>>>> +/* >>>>> + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. >>>>> + * Returns the pte_t* if found, or NULL if the address is not mapped. >>>>> + * >>>>> + * Since this function will walk all the pgtable pages (including not only >>>>> + * high-level pgtable page, but also PUD entry that can be unshared >>>>> + * concurrently for VM_SHARED), the caller of this function should be >>>>> + * responsible of its thread safety. One can follow this rule: >>>>> + * >>>>> + * (1) For private mappings: pmd unsharing is not possible, so it'll >>>>> + * always be safe if we're with the mmap sem for either read or write. >>>>> + * This is normally always the case, IOW we don't need to do anything >>>>> + * special. >>>> >>>> Maybe worth mentioning that hugetlb_vma_lock_read() and friends already >>>> optimize for private mappings, to not take the VMA lock if not required. >>> >>> Yes we can. I assume this is not super urgent so I'll hold a while to see >>> whether there's anything else that needs amending for the documents. >>> >>> Btw, even with hugetlb_vma_lock_read() checking SHARED for a private only >>> code path it's still better to not take the lock at all, because that still >>> contains a function jump which will be unnecesary. >> >> IMHO it makes coding a lot more consistent and less error-prone when not >> care about whether to the the lock or not (as an optimization) and just >> having this handled "automatically". >> >> Optimizing a jump out would rather smell like a micro-optimization. > > Or we can move the lock helpers into the headers, too. Ah, yes.
On 11/30/22 10:58, Peter Xu wrote: > Hi, Mike, > > On Tue, Nov 29, 2022 at 08:55:21PM -0800, Mike Kravetz wrote: > > > + * (2) For shared mappings: pmd unsharing is possible (so the PUD-ranged > > > + * pgtable page can go away from under us! It can be done by a pmd > > > + * unshare with a follow up munmap() on the other process), then we > > > + * need either: > > > + * > > > + * (2.1) hugetlb vma lock read or write held, to make sure pmd unshare > > > + * won't happen upon the range (it also makes sure the pte_t we > > > + * read is the right and stable one), or, > > > + * > > > + * (2.2) hugetlb mapping i_mmap_rwsem lock held read or write, to make > > > + * sure even if unshare happened the racy unmap() will wait until > > > + * i_mmap_rwsem is released. > > > > Is that 100% correct? IIUC, the page tables will be released via the > > call to tlb_finish_mmu(). In most cases, the tlb_finish_mmu() call is > > performed when holding i_mmap_rwsem. However, in the final teardown of > > a hugetlb vma via __unmap_hugepage_range_final, the tlb_finish_mmu call > > is done outside the i_mmap_rwsem lock. In this case, I think we are > > still safe because nobody else should be walking the page table. > > > > I really like the documentation. However, if i_mmap_rwsem is not 100% > > safe I would prefer not to document it here. I don't think anyone > > relies on this do they? > > I think i_mmap_rwsem is 100% safe. > > It's not in tlb_finish_mmu(), but when freeing the pgtables we need to > unlink current vma from the vma list first: > > free_pgtables > unlink_file_vma > i_mmap_lock_write > tlb_finish_mmu Thanks! Sorry, I was thinking about page freeing not page table freeing. Agree that is 100% safe.
diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 551834cd5299..81efd9b9baa2 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -192,6 +192,38 @@ extern struct list_head huge_boot_pages; pte_t *huge_pte_alloc(struct mm_struct *mm, struct vm_area_struct *vma, unsigned long addr, unsigned long sz); +/* + * huge_pte_offset(): Walk the hugetlb pgtable until the last level PTE. + * Returns the pte_t* if found, or NULL if the address is not mapped. + * + * Since this function will walk all the pgtable pages (including not only + * high-level pgtable page, but also PUD entry that can be unshared + * concurrently for VM_SHARED), the caller of this function should be + * responsible of its thread safety. One can follow this rule: + * + * (1) For private mappings: pmd unsharing is not possible, so it'll + * always be safe if we're with the mmap sem for either read or write. + * This is normally always the case, IOW we don't need to do anything + * special. + * + * (2) For shared mappings: pmd unsharing is possible (so the PUD-ranged + * pgtable page can go away from under us! It can be done by a pmd + * unshare with a follow up munmap() on the other process), then we + * need either: + * + * (2.1) hugetlb vma lock read or write held, to make sure pmd unshare + * won't happen upon the range (it also makes sure the pte_t we + * read is the right and stable one), or, + * + * (2.2) hugetlb mapping i_mmap_rwsem lock held read or write, to make + * sure even if unshare happened the racy unmap() will wait until + * i_mmap_rwsem is released. + * + * Option (2.1) is the safest, which guarantees pte stability from pmd + * sharing pov, until the vma lock released. Option (2.2) doesn't protect + * a concurrent pmd unshare, but it makes sure the pgtable page is safe to + * access. + */ pte_t *huge_pte_offset(struct mm_struct *mm, unsigned long addr, unsigned long sz); unsigned long hugetlb_mask_last_page(struct hstate *h);