From: Muchun Song
To: mike.kravetz@oracle.com, muchun.song@linux.dev, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muchun Song
Subject: [PATCH] mm: hugetlb_vmemmap: fix a race between vmemmap pmd split
Date: Fri, 7 Jul 2023 11:38:59 +0800
Message-Id: <20230707033859.16148-1-songmuchun@bytedance.com>

The local variable @page in __split_vmemmap_huge_pmd() to obtain a pmd page without holding page_table_lock may possibly get the page table page instead of a huge pmd page. The effect may be in set_pte_at() since we may pass an invalid page struct, if set_pte_at() wants to access the page struct (e.g. CONFIG_PAGE_TABLE_CHECK is enabled), it may crash the kernel. So fix it. And inline __split_vmemmap_huge_pmd() since it only has one user.

Fixes: d8d55f5616cf ("mm: sparsemem: use page table lock to protect kernel pmd operations")
Signed-off-by: Muchun Song
--- mm/hugetlb_vmemmap.c | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/mm/hugetlb_vmemmap.c b/mm/hugetlb_vmemmap.c index c2007ef5e9b0..4b9734777f69 100644 --- a/mm/hugetlb_vmemmap.c +++ b/mm/hugetlb_vmemmap.c
@@ -36,14 +36,22 @@ struct vmemmap_remap_walk { struct list_head *vmemmap_pages; }; -static int __split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) +static int split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) { pmd_t __pmd; int i; unsigned long addr = start; - struct page *page = pmd_page(*pmd); - pte_t *pgtable = pte_alloc_one_kernel(&init_mm); + struct page *head; + pte_t *pgtable; + + spin_lock(&init_mm.page_table_lock); + head = pmd_leaf(*pmd) ? pmd_page(*pmd) : NULL; + spin_unlock(&init_mm.page_table_lock); + if (!head) + return 0; + + pgtable = pte_alloc_one_kernel(&init_mm); if (!pgtable) return -ENOMEM; @@ -53,7 +61,7 @@ static int __split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) pte_t entry, *pte; pgprot_t pgprot = PAGE_KERNEL; - entry = mk_pte(page + i, pgprot); + entry = mk_pte(head + i, pgprot); pte = pte_offset_kernel(&__pmd, addr); set_pte_at(&init_mm, addr, pte, entry); } @@ -65,8 +73,8 @@ static int __split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) * be treated as indepdenent small pages (as they can be freed * individually). */ - if (!PageReserved(page)) - split_page(page, get_order(PMD_SIZE)); + if (!PageReserved(head)) + split_page(head, get_order(PMD_SIZE)); /* Make pte visible before pmd. See comment in pmd_install(). */ smp_wmb(); @@ -80,20 +88,6 @@ static int __split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) return 0; } -static int split_vmemmap_huge_pmd(pmd_t *pmd, unsigned long start) -{ - int leaf; - - spin_lock(&init_mm.page_table_lock); - leaf = pmd_leaf(*pmd); - spin_unlock(&init_mm.page_table_lock); - - if (!leaf) - return 0; - - return __split_vmemmap_huge_pmd(pmd, start); -} - static void vmemmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, struct vmemmap_remap_walk *walk)
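
Review bot: in the first hunk (@@ -36,14 +36,22 @@), head is sampled under init_mm.page_table_lock but consumed only after spin_unlock(), in mk_pte(head + i, pgprot) and in PageReserved(head) / split_page(head, get_order(PMD_SIZE)), so another CPU can split the same pmd in between. The lines shown here do not include a recheck of pmd_leaf(*pmd) before those uses. If one exists further down under the lock, a one-line comment at the spin_unlock() saying so would make the lifetime of head clear; if not, the split_page() call should sit behind such a recheck.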
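
Review bot: the last hunk (@@ -80,20 +88,6 @@), which deletes the old split_vmemmap_huge_pmd() wrapper, together with the function rename and the page to head rename in the earlier hunks, is a cleanup folded into a change that carries a Fixes: tag. Consider splitting the patch: first a minimal fix that reads pmd_page(*pmd) under init_mm.page_table_lock, then a follow-up that inlines the helper, so the part meant for backporting stays small and easy to audit.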