Commitced1080

kiryl

authored and

torvalds

committed

thp: fix MADV_DONTNEED vs. numa balancing race

In case prot_numa, we are under down_read(mmap_sem). It's critical tonot clear pmd intermittently to avoid race with MADV_DONTNEED which isalso under down_read(mmap_sem):CPU0:CPU1:change_huge_pmd(prot_numa=1) pmdp_huge_get_and_clear_notify()madvise_dontneed() zap_pmd_range() pmd_trans_huge(*pmd) == 0 (without ptl) // skip the pmd set_pmd_at(); // pmd is re-establishedThe race makes MADV_DONTNEED miss the huge pmd and don't clear itwhich may break userspace.Found by code analysis, never saw triggered.Link:http://lkml.kernel.org/r/20170302151034.27829-3-kirill.shutemov@linux.intel.comSigned-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>Cc: Andrea Arcangeli <aarcange@redhat.com>Cc: Hillf Danton <hillf.zj@alibaba-inc.com>Cc: <stable@vger.kernel.org>Signed-off-by: Andrew Morton <akpm@linux-foundation.org>Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 parent0a85e51 commitced1080Copy full SHA for ced1080

File tree

1 file changed

+33

-1

lines changed

mm
- huge_memory.c

1 file changed

+33

-1

lines changed

`‎mm/huge_memory.c‎`

Lines changed: 33 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1746,7 +1746,39 @@ int change_huge_pmd(struct vm_area_struct vma, pmd_t pmd,`
`1746`	`1746`	`if (prot_numa&&pmd_protnone(*pmd))`
`1747`	`1747`	`gotounlock;`
`1748`	`1748`
`1749`		`-entry=pmdp_huge_get_and_clear_notify(mm,addr,pmd);`
	`1749`	`+/*`
	`1750`	`+ * In case prot_numa, we are under down_read(mmap_sem). It's critical`
	`1751`	`+ * to not clear pmd intermittently to avoid race with MADV_DONTNEED`
	`1752`	`+ * which is also under down_read(mmap_sem):`
	`1753`	`+ *`
	`1754`	`+ *CPU0:CPU1:`
	`1755`	`+ *change_huge_pmd(prot_numa=1)`
	`1756`	`+ * pmdp_huge_get_and_clear_notify()`
	`1757`	`+ * madvise_dontneed()`
	`1758`	`+ * zap_pmd_range()`
	`1759`	`+ * pmd_trans_huge(*pmd) == 0 (without ptl)`
	`1760`	`+ * // skip the pmd`
	`1761`	`+ * set_pmd_at();`
	`1762`	`+ * // pmd is re-established`
	`1763`	`+ *`
	`1764`	`+ * The race makes MADV_DONTNEED miss the huge pmd and don't clear it`
	`1765`	`+ * which may break userspace.`
	`1766`	`+ *`
	`1767`	`+ * pmdp_invalidate() is required to make sure we don't miss`
	`1768`	`+ * dirty/young flags set by hardware.`
	`1769`	`+ */`
	`1770`	`+entry=*pmd;`
	`1771`	`+pmdp_invalidate(vma,addr,pmd);`
	`1772`	`+`
	`1773`	`+/*`
	`1774`	`+ * Recover dirty/young flags. It relies on pmdp_invalidate to not`
	`1775`	`+ * corrupt them.`
	`1776`	`+ */`
	`1777`	`+if (pmd_dirty(*pmd))`
	`1778`	`+entry=pmd_mkdirty(entry);`
	`1779`	`+if (pmd_young(*pmd))`
	`1780`	`+entry=pmd_mkyoung(entry);`
	`1781`	`+`
`1750`	`1782`	`entry=pmd_modify(entry,newprot);`
`1751`	`1783`	`if (preserve_write)`
`1752`	`1784`	`entry=pmd_mk_savedwrite(entry);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitced1080

File tree

1 file changed

1 file changed

`‎mm/huge_memory.c‎`

0 commit comments