From: Mel Gorman <mgorman@suse.de>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Dave Jones <davej@redhat.com>, Oleg Nesterov <oleg@redhat.com>,
Darren Hart <dvhart@linux.intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: process 'stuck' at exit.
Date: Wed, 11 Dec 2013 16:31:25 +0000
Message-ID: <20131211163125.GC24125@suse.de>
In-Reply-To: <alpine.DEB.2.02.1312102329201.28330@ionos.tec.linutronix.de>

On Tue, Dec 10, 2013 at 11:42:15PM +0100, Thomas Gleixner wrote:
> On Tue, 10 Dec 2013, Linus Torvalds wrote:
>
> > On Tue, Dec 10, 2013 at 1:57 PM, Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > >
> > > So it looks like __get_user_pages_fast() fails, and keeps failing.
> >
> > Hmm.. Is any of the addresses unchecked, perhaps?
> > __get_user_pages_fast() does an access_ok() check, while
> > get_user_pages_fast() does *not* seem to do one.
> >
> > That looks a bit dangerous. Yeah, users should have checked the
> > address range, but there really is no reason not to do it in
> > get_user_pages_fast().
> >
> > And it looks like the futex code is actually seriously buggered. It
> > only does the access_ok() check for the non-shared case.
> >
> > Why?
>
> The !fshared case is the fast path which does not even reach
> get_user_pages_fast().
>
> We had this discussion some time ago already, where the access_ok()
> check was missing in the !fshared case or the check was buggered for
> some reason. Need to dig up the gory details.
>
> And yes, I remember that we do not do an extra check for the fshared
> case, because get_user_pages_fast() should do it for us already. If
> not we are fubared not only in the futex code.
>
> But there is a subtle detail:
>
>       err = get_user_pages_fast(address, 1, 1, &page);
>
> So we ask for write access as the write argument is 1. In case that
> fails we have that fallback path:
>
>       /*
>        * If write access is not required (eg. FUTEX_WAIT), try
>        * and get read-only access.
>        */
>       if (err == -EFAULT && rw == VERIFY_READ) {
>               err = get_user_pages_fast(address, 1, 0, &page);
>
> That's a legitimate use case. And futex_requeue only requests
> VERIFY_READ for the !requeue_pi case.
>
> Now, if that map is RO, i.e. we took the fallback path then the THP
> one will fail as it has write=1 unconditionally.
>
>       if (likely(__get_user_pages_fast(address, 1, 1, &page) == 1))
>
Not that it really matters but the naming and comments around that
particular __get_user_pages_fast call are a little misleading. The ifdef
CONFIG_TRANSPARENT_HUGEPAGE in futex.c is there because greater care has
to be taken against THP splits, not because it is dealing exclusively with
THP. The PageTail check applies to either hugetlbfs or THPs and similarly
gup_huge_pmd handles both. The whole path should be very rare for THPs
considering that THPs exist on MAP_PRIVATE anonymous mappings and how many
shared futexes exist backed by such mappings? A RO mapping makes that seem
even more strange because what thread is updating the value the caller is
waiting on? It seems more like that was a shared futex on a hugetlbfs-backed
mapping which might explain why the bug was undiscovered for so long.
--
Mel Gorman
SUSE Labs
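
Added example, not part of the original message and not kernel code: a userspace C model of the lookup sequence described in the quoted text, showing why a read-only mapping whose page is a tail page never gets past the second lookup when that lookup passes write=1 unconditionally. The names struct mapping, model_gup, model_get_key, MAX_RETRIES and the second_gup_honours_ro switch are assumptions made for the model; the retry bound exists only so the model terminates, and passing !ro to the second lookup is one possible correction, not something stated in this message.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_EFAULT 14
#define MAX_RETRIES  1000 /* assumption: bound so the model terminates */

/* Constructed stand-in for a user mapping (not a kernel structure). */
struct mapping { bool writable; bool tail_page; };

/* Model of a one-page gup call: returns 1 (page pinned) or -EFAULT. */
static int model_gup(const struct mapping *m, int write)
{
    return (write && !m->writable) ? -MODEL_EFAULT : 1;
}

/*
 * Model of the lookup sequence quoted in the thread. Returns the number of
 * retries before success, MAX_RETRIES if it never succeeds, or -EFAULT.
 */
static int model_get_key(const struct mapping *m, bool need_write,
                         bool second_gup_honours_ro)
{
    for (int retries = 0; retries < MAX_RETRIES; retries++) {
        bool ro = false;
        int err = model_gup(m, 1);            /* first try asks for write */

        if (err == -MODEL_EFAULT && !need_write) {
            err = model_gup(m, 0);            /* VERIFY_READ fallback */
            ro = true;
        }
        if (err < 0)
            return err;
        if (!m->tail_page)
            return retries;                   /* ordinary page: done */

        /* Tail page: the page is looked up a second time. */
        int wr = second_gup_honours_ro ? !ro : 1;
        if (model_gup(m, wr) == 1)
            return retries;
        /* second lookup failed: start over from the top */
    }
    return MAX_RETRIES;
}

int main(void)
{
    struct mapping ro_huge = { .writable = false, .tail_page = true };

    printf("write=1 unconditionally: %d\n", model_get_key(&ro_huge, false, false));
    printf("write=!ro:               %d\n", model_get_key(&ro_huge, false, true));
    return 0;
}
```

A return value equal to MAX_RETRIES corresponds to the "fails, and keeps failing" behaviour reported earlier in the thread.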