From: David Hildenbrand <david@redhat.com>
To: Pei Li <peili.dev@gmail.com>, Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
skhan@linuxfoundation.org, syzkaller-bugs@googlegroups.com,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com,
Peter Xu <peterx@redhat.com>
Subject: Re: [PATCH] mm: Fix mmap_assert_locked() in follow_pte()
Date: Thu, 11 Jul 2024 23:45:54 +0200 [thread overview]
Message-ID: <3879ee72-84de-4d2a-93a8-c0b3dc3f0a4c@redhat.com> (raw)
In-Reply-To: <92a2dc30-6e48-44ea-9cde-693b911f200d@redhat.com>
On 11.07.24 23:33, David Hildenbrand wrote:
> On 11.07.24 07:13, Pei Li wrote:
>> This patch fixes this warning by acquiring read lock before entering
>> untrack_pfn() while write lock is not held.
>>
>> syzbot has tested the proposed patch and the reproducer did not
>> trigger any issue.
>>
>> Reported-by: syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=35a4414f6e247f515443
>> Tested-by: syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com
>> Signed-off-by: Pei Li <peili.dev@gmail.com>
>> ---
>> Syzbot reported the following warning in follow_pte():
>>
>> WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 rwsem_assert_held include/linux/rwsem.h:195 [inline]
>> WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 mmap_assert_locked include/linux/mmap_lock.h:65 [inline]
>> WARNING: CPU: 3 PID: 5192 at include/linux/rwsem.h:195 follow_pte+0x414/0x4c0 mm/memory.c:5980
>>
>> This is because we are assuming that mm->mmap_lock should be held when
>> entering follow_pte(). This is added in commit c5541ba378e3 (mm:
>> follow_pte() improvements).
>>
>> However, in the following call stack, we are not acquring the lock:
>> follow_phys arch/x86/mm/pat/memtype.c:957 [inline]
>> get_pat_info+0xf2/0x510 arch/x86/mm/pat/memtype.c:991
>> untrack_pfn+0xf7/0x4d0 arch/x86/mm/pat/memtype.c:1104
>> unmap_single_vma+0x1bd/0x2b0 mm/memory.c:1819
>> zap_page_range_single+0x326/0x560 mm/memory.c:1920
>
> That implies that unmap_vmas() is called without the mmap lock in read
> mode, correct?
>
> Do we know how this happens?
>
> * exit_mmap() holds the mmap lock in read mode
> * unmap_region is documented to hold the mmap lock in read mode
I think this is it (missed the call from zap_page_range_single()):
follow_phys arch/x86/mm/pat/memtype.c:957 [inline]
get_pat_info+0xf2/0x510 arch/x86/mm/pat/memtype.c:991
untrack_pfn+0xf7/0x4d0 arch/x86/mm/pat/memtype.c:1104
unmap_single_vma+0x1bd/0x2b0 mm/memory.c:1819
zap_page_range_single+0x326/0x560 mm/memory.c:1920
unmap_mapping_range_vma mm/memory.c:3684 [inline]
unmap_mapping_range_tree mm/memory.c:3701 [inline]
unmap_mapping_pages mm/memory.c:3767 [inline]
unmap_mapping_range+0x1ee/0x280 mm/memory.c:3804
truncate_pagecache+0x53/0x90 mm/truncate.c:731
simple_setattr+0xf2/0x120 fs/libfs.c:886
notify_change+0xec6/0x11f0 fs/attr.c:499
do_truncate+0x15c/0x220 fs/open.c:65
handle_truncate fs/namei.c:3308 [inline]
I think Peter recently questioned whether untrack_pfn() should be even
called from the place, but I might misremember things.
Fix should work (I suspect we are not violating some locking rules?),
PFNMAP should not happen there too often that we really care.
If everything fails, we could drop the assert, but I'm hoping we can
avoid that. We really want most users of follow_pte() to do the right thing.
--
Cheers,
David / dhildenb
next prev parent reply other threads:[~2024-07-11 21:46 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-11 5:13 [PATCH] mm: Fix mmap_assert_locked() in follow_pte() Pei Li
2024-07-11 21:22 ` Andrew Morton
2024-07-11 21:33 ` David Hildenbrand
2024-07-11 21:45 ` David Hildenbrand [this message]
2024-07-11 21:51 ` David Hildenbrand
2024-07-12 8:04 ` Sergey Senozhatsky
-- strict thread matches above, loose matches on Subject: below --
2024-07-12 12:17 Bert Karwatzki
2024-07-12 12:43 Bert Karwatzki
[not found] <ZpBhCHsG39wIVnQN@x1n>
2024-07-12 13:19 ` David Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3879ee72-84de-4d2a-93a8-c0b3dc3f0a4c@redhat.com \
--to=david@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peili.dev@gmail.com \
--cc=peterx@redhat.com \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+35a4414f6e247f515443@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).