From patchwork Mon Sep 11 14:57:23 2023
X-Patchwork-Submitter: Matthew Wilcox
X-Patchwork-Id: 13379417
Date: Mon, 11 Sep 2023 15:57:23 +0100
From: Matthew Wilcox
To: Sean Christopherson, Andi Kleen, Thomas Gleixner, Josh Poimboeuf, Michal Hocko, Vlastimil Babka, Dave Hansen
Cc: linux-mm@kvack.org, x86@kernel.org
Subject: [willy@infradead.org: Re: [syzbot] [mm?] BUG: Bad page map (7)]

Just to get a few more eyes on this ... you seem like the experts on inverted PTEs. syzbot says this works, but it's only going to have done limited testing.

----- Forwarded message from Matthew Wilcox -----

Date: Mon, 11 Sep 2023 14:26:09 +0100
From: Matthew Wilcox To: Yin Fengwei Cc: syzbot , akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [mm?] BUG: Bad page map (7) On Mon, Sep 11, 2023 at 03:12:27PM +0800, Yin Fengwei wrote: > > +static inline void set_ptes(struct mm_struct *mm, unsigned long addr, > + pte_t *ptep, pte_t pte, unsigned int nr) > +{ > + bool protnone = (pte_flags(pte) & (_PAGE_PROTNONE | _PAGE_PRESENT)) > + == _PAGE_PROTNONE; > + > + page_table_check_ptes_set(mm, ptep, pte, nr); > + > + for(;;) { > + native_set_pte(ptep, pte); > + if (--nr == 0) > + break; > + > + ptep++; > + if (protnone) > + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT)); > + else > + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT)); > + } > +} > +#define set_ptes set_ptes Thanks for figuring this out. I don't think I would have been able to! I think this solution probably breaks pgtable-2level configs, unfortunately. How about this? If other architectures decide to adopt the inverted page table entry in the future, it'll work for them too. #syz test ----- End forwarded message ----- diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h index e9482a11ac52..a89be3e9b032 100644 --- a/arch/x86/include/asm/pgtable-2level.h +++ b/arch/x86/include/asm/pgtable-2level.h @@ -123,9 +123,6 @@ static inline u64 flip_protnone_guard(u64 oldval, u64 val, u64 mask) return val; } -static inline bool __pte_needs_invert(u64 val) -{ - return false; -} +#define __pte_needs_invert(val) false #endif /* _ASM_X86_PGTABLE_2LEVEL_H */ diff --git a/arch/x86/include/asm/pgtable-invert.h b/arch/x86/include/asm/pgtable-invert.h index a0c1525f1b6f..f21726add655 100644 --- a/arch/x86/include/asm/pgtable-invert.h +++ b/arch/x86/include/asm/pgtable-invert.h 
@@ -17,6 +17,7 @@ static inline bool __pte_needs_invert(u64 val) { return val && !(val & _PAGE_PRESENT); } +#define __pte_needs_invert __pte_needs_invert /* Get a mask to xor with the page table entry to get the correct pfn. */ static inline u64 protnone_mask(u64 val) diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 1fba072b3dac..34b12e94b850 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -205,6 +205,10 @@ static inline int pmd_young(pmd_t pmd) #define arch_flush_lazy_mmu_mode() do {} while (0) #endif +#ifndef __pte_needs_invert +#define __pte_needs_invert(pte) false +#endif + #ifndef set_ptes /** * set_ptes - Map consecutive pages to a contiguous range of addresses. @@ -231,7 +235,10 @@ static inline void set_ptes(struct mm_struct *mm, unsigned long addr, if (--nr == 0) break; ptep++; - pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT)); + if (__pte_needs_invert(pte_val(pte))) + pte = __pte(pte_val(pte) - (1UL << PFN_PTE_SHIFT)); + else + pte = __pte(pte_val(pte) + (1UL << PFN_PTE_SHIFT)); } arch_leave_lazy_mmu_mode(); }
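Review bot: in arch/x86/include/asm/pgtable-2level.h, replacing the inline function with `#define __pte_needs_invert(val) false` drops the u64 type check on the argument and leaves the argument unevaluated, and it is inconsistent with pgtable-invert.h, which keeps its inline function and only adds `#define __pte_needs_invert __pte_needs_invert`. Keeping the existing inline here and adding the same self-referential define would satisfy the `#ifndef` in include/linux/pgtable.h while using one pattern in both x86 headers.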
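Review bot: the generic fallback `#define __pte_needs_invert(pte) false` added at @@ -205,6 +205,10 @@ in include/linux/pgtable.h names its parameter `pte`, but the only caller in this patch passes `pte_val(pte)` and the x86 versions take a `u64 val`. Rename the parameter to `val` and add a short comment above the `#ifndef` stating that the hook takes the raw entry value and that an architecture which stores inverted PFN bits in non-present entries is expected to override it.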
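Review bot: in the set_ptes() loop at @@ -231,7 +235,10 @@ in include/linux/pgtable.h, the new subtract branch carries no comment and the kernel-doc above the function is unchanged, so a reader cannot tell why decrementing the raw value maps the next page. Add a comment saying that when `__pte_needs_invert()` is true the PFN bits are stored inverted, so subtracting `1UL << PFN_PTE_SHIFT` advances the real PFN. The x86 predicate shown is `val && !(val & _PAGE_PRESENT)`, which the per-iteration PFN adjustment is not expected to change, so it could be evaluated once before the loop, as the quoted earlier version did with `protnone`.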