From patchwork Thu Apr 1 18:21:23 2021
X-Patchwork-Submitter: Suren Baghdasaryan
X-Patchwork-Id: 12179165
Date: Thu, 1 Apr 2021 11:21:23 -0700
In-Reply-To: <20210401182125.171484-1-surenb@google.com>
Message-Id: <20210401182125.171484-4-surenb@google.com>
References: <20210401182125.171484-1-surenb@google.com>
Subject: [PATCH 3/5] mm: fix misplaced unlock_page in do_wp_page()
From: Suren Baghdasaryan
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, jannh@google.com, ktkhai@virtuozzo.com, torvalds@linux-foundation.org, shli@fb.com, namit@vmware.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com, surenb@google.com, Qian Cai, Alex Shi, Gerald Schaefer
From: Linus Torvalds

Commit 09854ba94c6a ("mm: do_wp_page() simplification") reorganized all the code around the page re-use vs copy, but in the process also moved the final unlock_page() around to after the wp_page_reuse() call.

That normally doesn't matter - but it means that the unlock_page() is now done after releasing the page table lock. Again, not a big deal, you'd think.

But it turns out that it's very wrong indeed, because once we've released the page table lock, we've basically lost our only reference to the page - the page tables - and it could now be free'd at any time. We do hold the mmap_sem, so no actual unmap() can happen, but madvise can come in and a MADV_DONTNEED will zap the page range - and free the page.

So now the page may be free'd just as we're unlocking it, which in turn will usually trigger a "Bad page state" error in the freeing path. To make matters more confusing, by the time the debug code prints out the page state, the unlock has typically completed and everything looks fine again.

This all doesn't happen in any normal situations, but it does trigger with the dirtyc0w_child LTP test. And it seems to trigger much more easily (but not exclusively) on s390 than elsewhere, probably because s390 doesn't do the "batch pages up for freeing after the TLB flush" that gives the unlock_page() more time to complete and makes the race harder to hit.

Fixes: 09854ba94c6a ("mm: do_wp_page() simplification")
Link: https://lore.kernel.org/lkml/a46e9bbef2ed4e17778f5615e818526ef848d791.camel@redhat.com/
Link: https://lore.kernel.org/linux-mm/c41149a8-211e-390b-af1d-d5eee690fecb@linux.alibaba.com/
Reported-by: Qian Cai
Reported-by: Alex Shi
Bisected-and-analyzed-by: Gerald Schaefer
Tested-by: Gerald Schaefer
Signed-off-by: Linus Torvalds
---
 mm/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/memory.c b/mm/memory.c
index d95a4573a273..656d90a75cf8 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2863,8 +2863,8 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf) * page count reference, and the page is locked, * it's dark out, and we're wearing sunglasses. Hit it. */ - wp_page_reuse(vmf); unlock_page(page); + wp_page_reuse(vmf); return VM_FAULT_WRITE; } else if (unlikely((vma->vm_flags & (VM_WRITE|VM_SHARED)) == (VM_WRITE|VM_SHARED))) {
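Review bot: the swap itself is right, but the comment directly above the swapped lines still says "the page is locked", which after this change describes the state before unlock_page() rather than at the wp_page_reuse() call; consider a short comment on the new `unlock_page(page);` line saying it must precede wp_page_reuse() because that call drops the page table lock, after which the page may be freed under a concurrent MADV_DONTNEED, so the reason for the ordering lives in the code and not only in the changelog.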
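As an added illustration (not part of this patch or of the kernel source), the following C model replays the interleaving the changelog describes using a constructed page, PTE and page-table lock: dropping the PTL inside wp_page_reuse() lets a simulated MADV_DONTNEED free the page, so an unlock_page() that comes afterwards touches a freed page, while the patched order unlocks under the PTL and is clean. All names are stand-ins for the kernel functions they mirror, and the zap is triggered deterministically rather than by a real concurrent thread.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the do_wp_page() race, not kernel code: a page whose
 * only reference is a PTE, a page-table lock (PTL) guarding that PTE, and a
 * page lock that must be dropped before the page may be freed. */
struct page { bool locked; bool freed; };
struct pte  { struct page *page; bool ptl_held; };
static int bad_page_state;     /* freeing path found the page still locked */
static int unlock_after_free;  /* unlock_page() touched a freed page (UAF) */

static void unlock_page(struct page *p)
{
	if (p->freed) { unlock_after_free++; return; }
	p->locked = false;
}

/* Simulated MADV_DONTNEED zap: runs only once the PTL is free, clears the
 * PTE (the page's only reference) and frees the page. */
static void zap_page_range(struct pte *pte)
{
	if (pte->ptl_held || !pte->page)
		return;
	struct page *p = pte->page;
	pte->page = NULL;
	if (p->locked)
		bad_page_state++;  /* the "Bad page state" the changelog describes */
	p->freed = true;
}

/* wp_page_reuse() ends by dropping the PTL; a concurrent madvise can zap the
 * range right after that, so the model does so deterministically. */
static void wp_page_reuse(struct pte *pte)
{
	pte->ptl_held = false;
	zap_page_range(pte);
}

/* Run the tail of do_wp_page() in either order; returns the number of
 * detected errors, 0 for the patched order and 2 for the original one. */
int run_wp_fault(bool unlock_before_reuse)
{
	struct page *p = calloc(1, sizeof *p);
	struct pte pte = { .page = p, .ptl_held = true };
	bad_page_state = unlock_after_free = 0;
	p->locked = true;                 /* do_wp_page() locked it earlier */
	if (unlock_before_reuse) { unlock_page(p); wp_page_reuse(&pte); }
	else                     { wp_page_reuse(&pte); unlock_page(p); }
	free(p);
	return bad_page_state + unlock_after_free;
}
```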