[PATCH] mm/mmn: prevent unpaired invalidate_start and invalidate_end with non-blocking

[Jason Gunthorpe <jgg@mellanox.com>]

Many users of the mmu_notifier invalidate_range callbacks maintain
locking/counters/etc on a paired basis and have long expected that
invalidate_range start/end are always paired.

The recent change to add non-blocking notifiers breaks this assumption
when multiple notifiers are present in the list as an EAGAIN return from a
later notifier causes all earlier notifiers to get their
invalidate_range_end() skipped.

During the development of non-blocking each user was audited to be sure
they can skip their invalidate_range_end() if their start returns -EAGAIN,
so the only place that has a problem is when there are multiple
subscriptions.

Due to the RCU locking we can't reliably generate a subset of the linked
list representing the notifiers already called, and generate an
invalidate_range_end() pairing.

Rather than design an elaborate fix, for now, just block non-blocking
requests early on if there are multiple subscriptions.

Fixes: 93065ac753e4 ("mm, oom: distinguish blockable mode for mmu notifiers")
Cc: Michal Hocko <mhocko@suse.com>
Cc: "Jérôme Glisse" <jglisse@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
---
 include/linux/mmu_notifier.h |  1 +
 mm/mmu_notifier.c            | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

HCH suggested to make the locking common so we don't need to have an
invalidate_range_end, but that is a longer journey.

Here is a simpler stop-gap for this bug. What do you think Michal?
I don't have a good way to test this flow ..

This lightly clashes with the other mmu notififer series I just sent,
so it should go to either -rc or hmm.git

Thanks,
Jason

diff --git a/include/linux/mmu_notifier.h b/include/linux/mmu_notifier.h
index b6c004bd9f6ad9..170fa2c65d659c 100644
--- a/include/linux/mmu_notifier.h
+++ b/include/linux/mmu_notifier.h
@@ -53,6 +53,7 @@ struct mmu_notifier_mm {
 	struct hlist_head list;
 	/* to serialize the list modifications and hlist_unhashed */
 	spinlock_t lock;
+	bool multiple_subscriptions;
 };
 
 #define MMU_NOTIFIER_RANGE_BLOCKABLE (1 << 0)
diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
index b5670620aea0fc..4e56f75c560242 100644
--- a/mm/mmu_notifier.c
+++ b/mm/mmu_notifier.c
@@ -171,6 +171,19 @@ int __mmu_notifier_invalidate_range_start(struct mmu_notifier_range *range)
 	int ret = 0;
 	int id;
 
+	/*
+	 * If there is more than one notififer subscribed to this mm then we
+	 * cannot support the EAGAIN return. invalidate_range_start/end() must
+	 * always be paired unless start returns -EAGAIN. When we return
+	 * -EAGAIN from here the caller will skip all invalidate_range_end()
+	 * calls. However, if there is more than one notififer then some
+	 * notifiers may have had a successful invalidate_range_start() -
+	 * causing imbalance when the end is skipped.
+	 */
+	if (!mmu_notifier_range_blockable(range) &&
+	    range->mm->mmu_notifier_mm->multiple_subscriptions)
+		return -EAGAIN;
+
 	id = srcu_read_lock(&srcu);
 	hlist_for_each_entry_rcu(mn, &range->mm->mmu_notifier_mm->list, hlist) {
 		if (mn->ops->invalidate_range_start) {
@@ -274,6 +287,8 @@ static int do_mmu_notifier_register(struct mmu_notifier *mn,
 	 * thanks to mm_take_all_locks().
 	 */
 	spin_lock(&mm->mmu_notifier_mm->lock);
+	mm->mmu_notifier_mm->multiple_subscriptions =
+		!hlist_empty(&mm->mmu_notifier_mm->list);
 	hlist_add_head_rcu(&mn->hlist, &mm->mmu_notifier_mm->list);
 	spin_unlock(&mm->mmu_notifier_mm->lock);
 
-- 
2.22.0