From: Mel Gorman <mgorman@suse.de>
To: Rik van Riel <riel@redhat.com>
Cc: Linux-MM <linux-mm@kvack.org>, Michal Hocko <mhocko@suse.cz>,
Hugh Dickins <hughd@google.com>,
David Gibson <david@gibson.dropbear.id.au>,
Ken Chen <kenchen@google.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
Larry Woodman <lwoodman@redhat.com>
Subject: Re: [PATCH] mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables v2
Date: Fri, 27 Jul 2012 09:52:50 +0100
Message-ID: <20120727085250.GC612@suse.de>
In-Reply-To: <5011AFEC.2040609@redhat.com>
On Thu, Jul 26, 2012 at 05:00:28PM -0400, Rik van Riel wrote:
> On 07/20/2012 09:49 AM, Mel Gorman wrote:
> >This V2 is still the mmap_sem approach that fixes a potential deadlock
> >problem pointed out by Michal.
>
> Larry and I were looking around the hugetlb code some
> more, and found what looks like yet another race.
>
> In hugetlb_no_page, we have the following code:
>
>
> spin_lock(&mm->page_table_lock);
> size = i_size_read(mapping->host) >> huge_page_shift(h);
> if (idx >= size)
> goto backout;
>
> ret = 0;
> if (!huge_pte_none(huge_ptep_get(ptep)))
> goto backout;
>
> if (anon_rmap)
> hugepage_add_new_anon_rmap(page, vma, address);
> else
> page_dup_rmap(page);
> new_pte = make_huge_pte(vma, page, ((vma->vm_flags & VM_WRITE)
> && (vma->vm_flags & VM_SHARED)));
> set_huge_pte_at(mm, address, ptep, new_pte);
> ...
> spin_unlock(&mm->page_table_lock);
>
> Notice how we check !huge_pte_none with our own
> mm->page_table_lock held.
>
> This offers no protection at all against other
> processes that also hold their own page_table_lock.
>
Yes, the page_table_lock is close to useless once shared page tables are
involved. It's why if we ever wanted to make shared page tables a core MM
thing we'd have to revisit how PTE locking at any level that can share
page tables works.
> In short, it looks like it is possible for multiple
> processes to go through the above code simultaneously,
> potentially resulting in:
>
> 1) one process overwriting the pte just created by
> another process
>
> 2) data corruption, as one partially written page
> gets superseded by a newly zeroed page, but no
> TLB invalidates get sent to other CPUs
>
> 3) a memory leak of a huge page
>
> Is there anything that would make this race impossible,
> or is this a real bug?
>
In this case it all happens under the hugetlb instantiation mutex in
hugetlb_fault(). It's yet another reason why removing that mutex would
be a serious undertaking and the gain for doing so is marginal.
--
Mel Gorman
SUSE Labs
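The exchange above is easier to see in running code. The following is an added example, not code from the thread or from the kernel: two threads stand in for two processes, each with its own mm->page_table_lock, faulting on one pmd that both mms share. The names (struct shared_pmd, struct mm, fault, leaked_pages_after_two_faults) are this example's own; the kernel's allocation and rmap work is reduced to a counter. A barrier is placed between the huge_pte_none check and the set so that the losing interleaving is forced deterministically rather than hoped for; with the instantiation mutex the barrier is left out, since the second fault can never reach that point until the first has finished.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the race described in the thread: two "processes" (threads), each
 * holding its own mm->page_table_lock, fault on the same pmd page shared via
 * hugetlb page-table sharing.  The only cross-process state is one PTE slot.
 * All names here are the example's own, not kernel symbols.
 */
struct shared_pmd {
    uintptr_t pte;                      /* 0 plays the role of huge_pte_none() */
};

struct mm {
    pthread_mutex_t page_table_lock;    /* per process, as in the kernel */
    struct shared_pmd *pmd;             /* shared between both mms */
};

struct fault {
    struct mm *mm;
    pthread_mutex_t *instantiation_mutex;   /* NULL: rely on page_table_lock only */
    pthread_barrier_t *after_check;         /* NULL: no forced interleaving */
};

static pthread_mutex_t page_stats_lock = PTHREAD_MUTEX_INITIALIZER;
static int pages_allocated, pages_freed;

static uintptr_t alloc_huge_page(void)
{
    pthread_mutex_lock(&page_stats_lock);
    uintptr_t page = 0x1000 * (uintptr_t)++pages_allocated;  /* unique, non-zero */
    pthread_mutex_unlock(&page_stats_lock);
    return page;
}

static void put_page(uintptr_t page)
{
    (void)page;
    pthread_mutex_lock(&page_stats_lock);
    pages_freed++;
    pthread_mutex_unlock(&page_stats_lock);
}

/* Mirrors the check-then-set sequence quoted from hugetlb_no_page(). */
static void *hugetlb_no_page(void *arg)
{
    struct fault *f = arg;
    struct mm *mm = f->mm;

    if (f->instantiation_mutex)
        pthread_mutex_lock(f->instantiation_mutex);   /* hugetlb_fault() serialisation */

    uintptr_t page = alloc_huge_page();               /* allocate and "zero" a huge page */

    pthread_mutex_lock(&mm->page_table_lock);
    if (mm->pmd->pte != 0) {                          /* !huge_pte_none(huge_ptep_get(ptep)) */
        pthread_mutex_unlock(&mm->page_table_lock);
        put_page(page);                               /* backout: drop our page */
        goto out;
    }
    if (f->after_check)
        pthread_barrier_wait(f->after_check);         /* both faults have now seen "none" */
    mm->pmd->pte = page;                              /* set_huge_pte_at(): overwrites any racer */
    pthread_mutex_unlock(&mm->page_table_lock);
out:
    if (f->instantiation_mutex)
        pthread_mutex_unlock(f->instantiation_mutex);
    return NULL;
}

/*
 * Run two concurrent faults on one shared pmd and return how many huge pages
 * ended up neither mapped nor freed, i.e. leaked.  Without the instantiation
 * mutex the bad interleaving is forced with a barrier, so the result is
 * deterministic: 1 leaked page.  With the mutex the second fault backs out: 0.
 */
int leaked_pages_after_two_faults(int with_instantiation_mutex)
{
    struct shared_pmd pmd = { 0 };
    struct mm mms[2];
    pthread_mutex_t inst = PTHREAD_MUTEX_INITIALIZER;
    pthread_barrier_t barrier;
    struct fault faults[2];
    pthread_t tids[2];

    pages_allocated = pages_freed = 0;
    pthread_barrier_init(&barrier, NULL, 2);

    for (int i = 0; i < 2; i++) {
        pthread_mutex_init(&mms[i].page_table_lock, NULL);
        mms[i].pmd = &pmd;
        faults[i].mm = &mms[i];
        faults[i].instantiation_mutex = with_instantiation_mutex ? &inst : NULL;
        /* A barrier inside the mutex would deadlock; use it only when racing. */
        faults[i].after_check = with_instantiation_mutex ? NULL : &barrier;
        pthread_create(&tids[i], NULL, hugetlb_no_page, &faults[i]);
    }
    for (int i = 0; i < 2; i++)
        pthread_join(tids[i], NULL);

    pthread_barrier_destroy(&barrier);
    int mapped = pmd.pte != 0;
    return pages_allocated - pages_freed - mapped;
}

int main(void)
{
    printf("page_table_lock only:     %d leaked\n", leaked_pages_after_two_faults(0));
    printf("with instantiation mutex: %d leaked\n", leaked_pages_after_two_faults(1));
    return 0;
}
```

Build with a Linux pthread-capable toolchain (for example `cc -pthread race.c`). The first line of output shows the leak Rik lists as outcome 3: both faults observe an empty PTE under their own lock, both install a page, and the first page is overwritten without being freed. The second line shows why Mel's answer holds: once both faults are serialised by one mutex, the second sees the populated PTE and takes the backout path.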
Thread overview (100+ messages):
2012-07-20 13:49 [PATCH] mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables v2 Mel Gorman
2012-07-20 14:11 ` [PATCH] mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables V2 (resend) Mel Gorman
2012-07-20 14:29 ` Michal Hocko
2012-07-20 14:37 ` Mel Gorman
2012-07-20 14:40 ` Michal Hocko
2012-07-20 14:36 ` [PATCH -alternative] " Michal Hocko
2012-07-20 14:51 ` Mel Gorman
2012-07-23 4:04 ` Hugh Dickins
2012-07-23 11:40 ` Mel Gorman
2012-07-24 1:08 ` Hugh Dickins
2012-07-24 8:32 ` Michal Hocko
2012-07-24 9:34 ` Mel Gorman
2012-07-24 10:04 ` Michal Hocko
2012-07-24 19:23 ` Hugh Dickins
2012-07-25 8:36 ` Mel Gorman
2012-07-26 17:42 ` Rik van Riel
2012-07-26 18:04 ` Larry Woodman
2012-07-27 8:42 ` Mel Gorman
2012-07-26 18:37 ` Rik van Riel
2012-07-26 21:03 ` Larry Woodman
2012-07-27 3:48 ` Larry Woodman
2012-07-27 10:10 ` Larry Woodman
2012-07-27 10:23 ` Mel Gorman
2012-07-27 10:36 ` Larry Woodman
2012-07-30 19:11 ` Larry Woodman
2012-07-31 12:16 ` Hillf Danton
2012-07-31 12:46 ` Mel Gorman
2012-07-31 13:07 ` Larry Woodman
2012-07-31 13:29 ` Mel Gorman
2012-07-31 13:21 ` Michal Hocko
2012-07-31 17:49 ` Larry Woodman
2012-07-31 20:06 ` Michal Hocko
2012-07-31 20:57 ` Larry Woodman
2012-08-01 2:45 ` Larry Woodman
2012-08-01 8:20 ` Michal Hocko
2012-08-01 12:32 ` Michal Hocko
2012-08-01 15:06 ` Larry Woodman
2012-08-02 7:19 ` Michal Hocko
2012-08-02 7:37 ` Mel Gorman
2012-08-02 12:36 ` Michal Hocko
2012-08-02 13:33 ` Mel Gorman
2012-08-02 13:53 ` Michal Hocko
2012-07-31 18:03 ` Rik van Riel
2012-07-26 18:31 ` Rik van Riel
2012-07-27 9:02 ` Michal Hocko
2012-07-26 16:01 ` [PATCH] mm: hugetlbfs: Close race during teardown of hugetlbfs shared page tables v2 Larry Woodman
2012-07-27 8:47 ` Mel Gorman
2012-07-26 21:00 ` Rik van Riel
2012-07-26 21:54 ` Hugh Dickins
2012-07-27 8:52 ` Mel Gorman [this message]