From: Jerome Glisse <jglisse@redhat.com>
To: John Hubbard <jhubbard@nvidia.com>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org,
	Evgeny Baskakov <ebaskakov@nvidia.com>,
	Ralph Campbell <rcampbell@nvidia.com>,
	Mark Hairgrove <mhairgrove@nvidia.com>
Subject: Re: [PATCH 04/15] mm/hmm: unregister mmu_notifier when last HMM client quit v2
Date: Wed, 21 Mar 2018 19:41:10 -0400
Message-ID: <20180321234110.GK3214@redhat.com>
In-Reply-To: <a9ba54c5-a2d9-49f6-16ad-46b79525b93c@nvidia.com>

On Wed, Mar 21, 2018 at 04:22:49PM -0700, John Hubbard wrote:
> On 03/21/2018 11:16 AM, jglisse@redhat.com wrote:
> > From: Jerome Glisse <jglisse@redhat.com>
> > 
> > This code was lost in translation at one point. This properly calls
> > mmu_notifier_unregister_no_release() once the last user is gone. This
> > fixes the zombie mm_struct, as without this patch we do not drop the
> > refcount we have on it.
> > 
> > Changed since v1:
> >   - close race window between a last mirror unregistering and a new
> >     mirror registering, which could have led to a use-after-free
> >     kind of bug
> > 
> > Signed-off-by: Jerome Glisse <jglisse@redhat.com>
> > Cc: Evgeny Baskakov <ebaskakov@nvidia.com>
> > Cc: Ralph Campbell <rcampbell@nvidia.com>
> > Cc: Mark Hairgrove <mhairgrove@nvidia.com>
> > Cc: John Hubbard <jhubbard@nvidia.com>
> > ---
> >  mm/hmm.c | 35 +++++++++++++++++++++++++++++++++--
> >  1 file changed, 33 insertions(+), 2 deletions(-)
> > 
> > diff --git a/mm/hmm.c b/mm/hmm.c
> > index 6088fa6ed137..f75aa8df6e97 100644
> > --- a/mm/hmm.c
> > +++ b/mm/hmm.c
> > @@ -222,13 +222,24 @@ int hmm_mirror_register(struct hmm_mirror *mirror, struct mm_struct *mm)
> >  	if (!mm || !mirror || !mirror->ops)
> >  		return -EINVAL;
> >  
> > +again:
> >  	mirror->hmm = hmm_register(mm);
> >  	if (!mirror->hmm)
> >  		return -ENOMEM;
> >  
> >  	down_write(&mirror->hmm->mirrors_sem);
> > -	list_add(&mirror->list, &mirror->hmm->mirrors);
> > -	up_write(&mirror->hmm->mirrors_sem);
> > +	if (mirror->hmm->mm == NULL) {
> > +		/*
> > +		 * A racing hmm_mirror_unregister() is about to destroy the hmm
> > +		 * struct. Try again to allocate a new one.
> > +		 */
> > +		up_write(&mirror->hmm->mirrors_sem);
> > +		mirror->hmm = NULL;
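Review bot: at the `mirror->hmm->mm == NULL` check, the comment explains why the retry happens but not the rule that makes the check safe, and the visible lines do not show what keeps the hmm struct alive between hmm_register() returning and down_write(&mirror->hmm->mirrors_sem) being taken. If hmm_mirror_unregister() can free the struct in that window, the down_write() itself touches freed memory. Please extend the comment to say that hmm->mm is only cleared with mirrors_sem held for write, and to state who frees the hmm struct and when, or hold a reference across the lookup and the lock.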
> 
> This is being set outside of locks, so now there is another race with
> another hmm_mirror_register...
> 
> I'll take a moment and draft up what I have in mind here, which is a more
> symmetrical locking scheme for these routines.
> 

No, this code is correct. hmm->mm is set after the hmm struct is allocated
and before it is public, so no one can race with that. It is cleared in
hmm_mirror_unregister() under the write lock, hence checking it here
under that same lock is correct.

Cheers,
Jerome
