From: Minchan Kim <minchan@kernel.org>
To: Jan Stancek <jstancek@redhat.com>
Cc: linux-mm@kvack.org, akpm@linux-foundation.org,
willy@infradead.org, peterz@infradead.org, riel@surriel.com,
mhocko@suse.com, ying.huang@intel.com, jrdr.linux@gmail.com,
jglisse@redhat.com, aneesh.kumar@linux.ibm.com, david@redhat.com,
aarcange@redhat.com, raquini@redhat.com, rientjes@google.com,
kirill@shutemov.name, mgorman@techsingularity.net,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] mm/memory.c: do_fault: avoid usage of stale vm_area_struct
Date: Mon, 4 Mar 2019 17:10:48 +0900 [thread overview]
Message-ID: <20190304081048.GA98096@google.com> (raw)
In-Reply-To: <5b3fdf19e2a5be460a384b936f5b56e13733f1b8.1551595137.git.jstancek@redhat.com>
On Sun, Mar 03, 2019 at 08:28:04AM +0100, Jan Stancek wrote:
> LTP testcase mtest06 [1] can trigger a crash on s390x running 5.0.0-rc8.
> This is a stress test, where one thread mmaps/writes/munmaps memory area
> and other thread is trying to read from it:
>
> CPU: 0 PID: 2611 Comm: mmap1 Not tainted 5.0.0-rc8+ #51
> Hardware name: IBM 2964 N63 400 (z/VM 6.4.0)
> Krnl PSW : 0404e00180000000 00000000001ac8d8 (__lock_acquire+0x7/0x7a8)
> Call Trace:
> ([<0000000000000000>] (null))
> [<00000000001adae4>] lock_acquire+0xec/0x258
> [<000000000080d1ac>] _raw_spin_lock_bh+0x5c/0x98
> [<000000000012a780>] page_table_free+0x48/0x1a8
> [<00000000002f6e54>] do_fault+0xdc/0x670
> [<00000000002fadae>] __handle_mm_fault+0x416/0x5f0
> [<00000000002fb138>] handle_mm_fault+0x1b0/0x320
> [<00000000001248cc>] do_dat_exception+0x19c/0x2c8
> [<000000000080e5ee>] pgm_check_handler+0x19e/0x200
>
> page_table_free() is called with NULL mm parameter, but because
> "0" is a valid address on s390 (see S390_lowcore), it keeps
> going until it eventually crashes in lockdep's lock_acquire.
> This crash is reproducible at least since 4.14.
>
> Problem is that "vmf->vma" used in do_fault() can become stale.
> Because mmap_sem may be released, other threads can come in,
> call munmap() and cause "vma" be returned to kmem cache, and
> get zeroed/re-initialized and re-used:
>
> handle_mm_fault |
> __handle_mm_fault |
> do_fault |
> vma = vmf->vma |
> do_read_fault |
> __do_fault |
> vma->vm_ops->fault(vmf); |
> mmap_sem is released |
> |
> | do_munmap()
> | remove_vma_list()
> | remove_vma()
> | vm_area_free()
> | # vma is released
> | ...
> | # same vma is allocated
> | # from kmem cache
> | do_mmap()
> | vm_area_alloc()
> | memset(vma, 0, ...)
> |
> pte_free(vma->vm_mm, ...); |
> page_table_free |
> spin_lock_bh(&mm->context.lock);|
> <crash> |
>
> Cache mm_struct to avoid using potentially stale "vma".
>
> [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/mem/mtest06/mmap1.c
>
> Signed-off-by: Jan Stancek <jstancek@redhat.com>
> Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Isn't it -stable material?
next prev parent reply other threads:[~2019-03-04 8:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-02 15:11 [PATCH] mm/memory.c: do_fault: avoid usage of stale vm_area_struct Jan Stancek
2019-03-02 17:10 ` Matthew Wilcox
2019-03-02 18:00 ` Jan Stancek
2019-03-02 18:19 ` [PATCH v2] " Jan Stancek
2019-03-02 18:45 ` Peter Zijlstra
2019-03-02 18:51 ` Andrea Arcangeli
2019-03-03 7:27 ` Jan Stancek
2019-03-03 7:28 ` [PATCH v3] " Jan Stancek
2019-03-03 10:36 ` Matthew Wilcox
2019-03-04 0:13 ` Rafael Aquini
2019-03-04 8:10 ` Minchan Kim [this message]
2019-03-04 8:19 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190304081048.GA98096@google.com \
--to=minchan@kernel.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.ibm.com \
--cc=david@redhat.com \
--cc=jglisse@redhat.com \
--cc=jrdr.linux@gmail.com \
--cc=jstancek@redhat.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mgorman@techsingularity.net \
--cc=mhocko@suse.com \
--cc=peterz@infradead.org \
--cc=raquini@redhat.com \
--cc=riel@surriel.com \
--cc=rientjes@google.com \
--cc=willy@infradead.org \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).