Date: Fri, 20 Mar 2020 10:41:09 -0300
From: Jason Gunthorpe
To: Christoph Hellwig
Cc: Dan Williams, Bharata B Rao, Christian König, Ben Skeggs, Jerome Glisse, kvm-ppc@vger.kernel.org, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-mm@kvack.org
Subject: Re: [PATCH 4/4] mm: check the device private page owner in hmm_range_fault
Message-ID: <20200320134109.GA30230@ziepe.ca>
References: <20200316193216.920734-1-hch@lst.de> <20200316193216.920734-5-hch@lst.de>
In-Reply-To: <20200316193216.920734-5-hch@lst.de>

On Mon, Mar 16, 2020 at 08:32:16PM +0100, Christoph Hellwig wrote:
> diff --git a/mm/hmm.c b/mm/hmm.c
> index cfad65f6a67b..b75b3750e03d 100644
> +++ b/mm/hmm.c
> @@ -216,6 +216,14 @@ int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
>  		unsigned long end, uint64_t *pfns, pmd_t pmd);
>  #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
>  
> +static inline bool hmm_is_device_private_entry(struct hmm_range *range,
> +		swp_entry_t entry)
> +{
> +	return is_device_private_entry(entry) &&
> +		device_private_entry_to_page(entry)->pgmap->owner ==
> +		range->dev_private_owner;
> +}

Thinking about this some more, does the locking work out here?

hmm_range_fault() runs with mmap_sem in read, and does not lock any of
the page table levels.

So it relies on accessing stale pte data being safe, and here we
introduce for the first time a page pointer dereference and a pgmap
dereference without any locking/refcounting.

The get_dev_pagemap() worked on the PFN and obtained a refcount, so it
created safety.

Is there some tricky reason this is safe, e.g. a DEVICE_PRIVATE page
cannot be removed from the vma without holding mmap_sem in write or
something?

Jason
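Review bot: the new hmm_is_device_private_entry() helper follows device_private_entry_to_page(entry)->pgmap->owner with no reference held on the page or on its pgmap, and the swap entry it is handed comes from a pte read that, as noted in the reply, is done under mmap_sem read only with no page-table lock; the lifetime guarantee that makes this safe is not visible in the hunk, so either document it in a comment above the helper (which currently has none) or keep a get_dev_pagemap()-style refcount around the pgmap dereference. Note also that the hunk header advertises eight added lines (-216,6 +216,14) while only seven `+` lines are shown, so the quoted hunk appears incomplete.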