From: Muchun Song <muchun.song@linux.dev>
To: Yu Zhao <yuzhao@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
David Hildenbrand <david@redhat.com>,
Frank van der Linden <fvdl@google.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Peter Xu <peterx@redhat.com>,
Yang Shi <yang@os.amperecomputing.com>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH mm-unstable v2] mm/hugetlb_vmemmap: fix race with speculative PFN walkers
Date: Fri, 28 Jun 2024 10:35:16 +0800 [thread overview]
Message-ID: <38D49672-674B-43F8-AFD3-73BFD8876DCE@linux.dev> (raw)
In-Reply-To: <CAOUHufb4O7oCsGcH5VcSoAw5cUiwYjGCfvLBHPZgo-G=HtiLVw@mail.gmail.com>
> On Jun 28, 2024, at 07:04, Yu Zhao <yuzhao@google.com> wrote:
>
> On Thu, Jun 27, 2024 at 4:47 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>>
>> On Thu, 27 Jun 2024 16:27:05 -0600 Yu Zhao <yuzhao@google.com> wrote:
>>
>>> While investigating HVO for THPs [1], it turns out that speculative
>>> PFN walkers like compaction can race with vmemmap modifications, e.g.,
>>>
>>> CPU 1 (vmemmap modifier) CPU 2 (speculative PFN walker)
>>> ------------------------------- ------------------------------
>>> Allocates an LRU folio page1
>>> Sees page1
>>> Frees page1
>>>
>>> Allocates a hugeTLB folio page2
>>> (page1 being a tail of page2)
>>>
>>> Updates vmemmap mapping page1
>>> get_page_unless_zero(page1)
>>>
>>> Even though page1->_refcount is zero after HVO, get_page_unless_zero()
>>> can still try to modify this read-only field, resulting in a crash.
>>
>> Ah. So we should backport this into earlier kernels, yes?
>>
>> Are we able to identify a Fixes: for this? Looks difficult.
>>
>> This seems quite hard to trigger. Do any particular userspace actions
>> invoke the race?
>
> Yes, *very* hard to trigger:
> 1. Most hugeTLB use cases I know of are static, i.e., reserved at boot
> time, because allocating at runtime is not reliable at all.
> 2. On top of that, someone has to be very unlucky to get tripped over
> above, because the race window is so small -- I wasn't able to trigger
> it with a stress testing that does nothing but that (with THPs
> though).
>
> So I don't think it's worth cc'ing stable, unless Muchun recommends.
I agree with Yu.
Thanks.
next prev parent reply other threads:[~2024-06-28 2:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-27 22:27 [PATCH mm-unstable v2] mm/hugetlb_vmemmap: fix race with speculative PFN walkers Yu Zhao
2024-06-27 22:47 ` Andrew Morton
2024-06-27 23:04 ` Yu Zhao
2024-06-28 2:35 ` Muchun Song [this message]
2024-07-02 13:24 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=38D49672-674B-43F8-AFD3-73BFD8876DCE@linux.dev \
--to=muchun.song@linux.dev \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=fvdl@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=willy@infradead.org \
--cc=yang@os.amperecomputing.com \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.