From patchwork Mon Jul 12 03:10:49 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hugh Dickins <hughd@google.com>
X-Patchwork-Id: 12369621
Return-Path: <SRS0=Bpcp=ME=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 92CB6C07E9E
	for <linux-mm@archiver.kernel.org>; Mon, 12 Jul 2021 03:11:10 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 43C716101C
	for <linux-mm@archiver.kernel.org>; Mon, 12 Jul 2021 03:11:10 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 43C716101C
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 6714B6B0092; Sun, 11 Jul 2021 23:11:10 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 647D26B0095; Sun, 11 Jul 2021 23:11:10 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 4C1D26B0096; Sun, 11 Jul 2021 23:11:10 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0250.hostedemail.com
 [216.40.44.250])
	by kanga.kvack.org (Postfix) with ESMTP id 2CE636B0092
	for <linux-mm@kvack.org>; Sun, 11 Jul 2021 23:11:10 -0400 (EDT)
Received: from smtpin10.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 30B0416941
	for <linux-mm@kvack.org>; Mon, 12 Jul 2021 03:11:09 +0000 (UTC)
X-FDA: 78352459458.10.6557331
Received: from mail-ot1-f47.google.com (mail-ot1-f47.google.com
 [209.85.210.47])
	by imf07.hostedemail.com (Postfix) with ESMTP id D4BA41003EC2
	for <linux-mm@kvack.org>; Mon, 12 Jul 2021 03:11:08 +0000 (UTC)
Received: by mail-ot1-f47.google.com with SMTP id
 o17-20020a9d76510000b02903eabfc221a9so17455633otl.0
        for <linux-mm@kvack.org>; Sun, 11 Jul 2021 20:11:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mime-version;
        bh=rW1zjeWytPoYSJ40qDYC+bDE3SJVtauEVGMHk7JHx7Q=;
        b=GH0fIXaJ7JlQrOMD+qRd9KSrlldoEV5wJtHO4+/GN8S3BuOhe7U3Oc2f3bHz2zosHM
         AVdKqfHClq46SSHc3Z1Z5idqU9esgfztT2zaStLGasb6mEv+6L/Goj9r82q0Pw6HK7kd
         Se4iKBuKW2o1q2SykjSbEmd5fAEFq8ck2SQEKtCvDPnvE3XbptnStu+RiiCm7/XRIRPx
         D53CwCcGodj+HuYcgdyg53Ybe0nfKtd6M0nVBLdhVl/ZSSMp73RzdDrXR+lsG4QbgTui
         joRLDloxQFjri0XsXgc6YXM1kmdSjdyVXmvytyiUhV0WWUZ9GbB3G9nB5B01RW1zZlW0
         BMog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version;
        bh=rW1zjeWytPoYSJ40qDYC+bDE3SJVtauEVGMHk7JHx7Q=;
        b=sJXgAO5zOgXZhu7s1RqMvHGLh7OJ8DGor7ipk3+VVxwzDjCVM1Q4zGGC9nalE7fVDR
         9jWw92P+Etlrv1e/oBv1QOOj/9xTLNOedvu3bgUdnwMtuppCtBhIjuj8DS/z307HkEbu
         EqDa1oZlXsnQI+GGtLXpKcyhLJEOnUQKT9aXn6uAtvuKw+o7BKToobI4ROOflDUQV9VI
         BVUcK/HKQU6TNavfm9uWhcxUfedUQyY9uhom1pFFiBsEw5VWcTdXWaKjeDseOMQ3Eemb
         fHA3z5RtRoHH4MRyIaza7A+lIgrqIeaeix/RJUJSK9lBqWofwb2nqGu0E9GKujzcdqUH
         hYXw==
X-Gm-Message-State: AOAM531RvCOGCzEBzs+dRmmAgvMjnrnkQTrwgUTw71MVvdzsgmbdPnEA
	xRbSGDLmLcS7WHzgPubrPoYgwg==
X-Google-Smtp-Source: 
 ABdhPJy3F/F7jKHrUzEaWcTrPNBN3wOK2PB4rBXEhvJ/i83LVYBAtnoCSY3M+BB9TTAeYMQJjnDhXQ==
X-Received: by 2002:a05:6830:2316:: with SMTP id
 u22mr35286026ote.90.1626059467933;
        Sun, 11 Jul 2021 20:11:07 -0700 (PDT)
Received: from ripple.attlocal.net
 (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147])
        by smtp.gmail.com with ESMTPSA id y26sm785217oot.7.2021.07.11.20.11.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 11 Jul 2021 20:11:07 -0700 (PDT)
Date: Sun, 11 Jul 2021 20:10:49 -0700 (PDT)
From: Hugh Dickins <hughd@google.com>
X-X-Sender: hugh@ripple.anvils
To: Linus Torvalds <torvalds@linux-foundation.org>
cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
    Andrew Morton <akpm@linux-foundation.org>,
    Alistair Popple <apopple@nvidia.com>, Jason Gunthorpe <jgg@nvidia.com>,
    Ralph Campbell <rcampbell@nvidia.com>, Christoph Hellwig <hch@lst.de>,
    Yang Shi <shy828301@gmail.com>, Shakeel Butt <shakeelb@google.com>,
    Hugh Dickins <hughd@google.com>, linux-kernel@vger.kernel.org,
    linux-mm@kvack.org
Subject: [PATCH 5.14-rc1] mm/rmap: fix munlocking Anon THP with mlocked
 ptes
Message-ID: <5a98cd9-6965-6379-37a-33448ba62a31@google.com>
MIME-Version: 1.0
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=google.com header.s=20161025 header.b=GH0fIXaJ;
	spf=pass (imf07.hostedemail.com: domain of hughd@google.com designates
 209.85.210.47 as permitted sender) smtp.mailfrom=hughd@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-Rspamd-Server: rspam05
X-Stat-Signature: 7bftutzctbrxhdb9oibnhb9ixdie5ff7
X-Rspamd-Queue-Id: D4BA41003EC2
X-HE-Tag: 1626059468-642432
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Many thanks to Kirill for reminding that PageDoubleMap cannot be relied on
to warn of pte mappings in the Anon THP case; and a scan of subpages does
not seem appropriate here.  Note how follow_trans_huge_pmd() does not even
mark an Anon THP as mlocked when compound_mapcount != 1: multiple mlocking
of Anon THP is avoided, so simply return from page_mlock() in this case.

Link: https://lore.kernel.org/lkml/cfa154c-d595-406-eb7d-eb9df730f944@google.com/
Fixes: d9770fcc1c0c ("mm/rmap: fix old bug: munlocking THP missed other mlocks")
Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Ralph Campbell <rcampbell@nvidia.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Shakeel Butt <shakeelb@google.com>
---
Linus, thanks a lot for last-minute hoovering up those four mm/rmap
patches, with 3/4 fixing the syzbot and 0day reports on munlocking ...

BUT

... the version of 2/4 in 5.14-rc1 is defective (PageDoubleMap is a
confusing flag which behaves differently on anon and file), Kirill had
spotted that, and what he Acked was the v2 which went into mmotm, rather
than the first version I posted.  This patch here converts the v1 in rc1
into the v2 Acked by Kirill.

What will go wrong with v1 in?  I don't actually know: nothing terrible,
can only affect people splitting and mlocking anon THPs, maybe nobody and
nobot will notice, maybe some VM_BUG_ONs or "Bad page"s will turn up.
I'll be on the lookout to point reporters to this fix (more lines than
strictly necessary, because it removes a level of indentation).

And sorry for putting 2/4 before the more urgent 3/4, but I couldn't
tell what to do in 3/4, without first fixing the older bug in 2/4.

Hugh

 mm/rmap.c |   39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

--- 5.14-rc1/mm/rmap.c
+++ linux/mm/rmap.c
@@ -1440,21 +1440,20 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
 		/*
 		 * If the page is mlock()d, we cannot swap it out.
 		 */
-		if (!(flags & TTU_IGNORE_MLOCK)) {
-			if (vma->vm_flags & VM_LOCKED) {
-				/* PTE-mapped THP are never marked as mlocked */
-				if (!PageTransCompound(page) ||
-				    (PageHead(page) && !PageDoubleMap(page))) {
-					/*
-					 * Holding pte lock, we do *not* need
-					 * mmap_lock here
-					 */
-					mlock_vma_page(page);
-				}
-				ret = false;
-				page_vma_mapped_walk_done(&pvmw);
-				break;
-			}
+		if (!(flags & TTU_IGNORE_MLOCK) &&
+		    (vma->vm_flags & VM_LOCKED)) {
+			/*
+			 * PTE-mapped THP are never marked as mlocked: so do
+			 * not set it on a DoubleMap THP, nor on an Anon THP
+			 * (which may still be PTE-mapped after DoubleMap was
+			 * cleared).  But stop unmapping even in those cases.
+			 */
+			if (!PageTransCompound(page) || (PageHead(page) &&
+			     !PageDoubleMap(page) && !PageAnon(page)))
+				mlock_vma_page(page);
+			page_vma_mapped_walk_done(&pvmw);
+			ret = false;
+			break;
 		}
 
 		/* Unexpected PMD-mapped THP? */
@@ -1986,8 +1985,10 @@ static bool page_mlock_one(struct page *page, struct vm_area_struct *vma,
 		 */
 		if (vma->vm_flags & VM_LOCKED) {
 			/*
-			 * PTE-mapped THP are never marked as mlocked, but
-			 * this function is never called when PageDoubleMap().
+			 * PTE-mapped THP are never marked as mlocked; but
+			 * this function is never called on a DoubleMap THP,
+			 * nor on an Anon THP (which may still be PTE-mapped
+			 * after DoubleMap was cleared).
 			 */
 			mlock_vma_page(page);
 			/*
@@ -2022,6 +2023,10 @@ void page_mlock(struct page *page)
 	VM_BUG_ON_PAGE(!PageLocked(page) || PageLRU(page), page);
 	VM_BUG_ON_PAGE(PageCompound(page) && PageDoubleMap(page), page);
 
+	/* Anon THP are only marked as mlocked when singly mapped */
+	if (PageTransCompound(page) && PageAnon(page))
+		return;
+
 	rmap_walk(page, &rwc);
 }