From patchwork Thu Nov 29 21:53:48 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Stancek <jstancek@redhat.com>
X-Patchwork-Id: 10705361
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 401C917F0
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 29 Nov 2018 21:55:27 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 31D0E2F957
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 29 Nov 2018 21:55:27 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 25A6F2F975; Thu, 29 Nov 2018 21:55:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B4BD42F957
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 29 Nov 2018 21:55:26 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 951756B54C6; Thu, 29 Nov 2018 16:55:25 -0500 (EST)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8FF766B54C7; Thu, 29 Nov 2018 16:55:25 -0500 (EST)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 817246B54C8; Thu, 29 Nov 2018 16:55:25 -0500 (EST)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com
 [209.85.160.198])
	by kanga.kvack.org (Postfix) with ESMTP id 535A96B54C6
	for <linux-mm@kvack.org>; Thu, 29 Nov 2018 16:55:25 -0500 (EST)
Received: by mail-qt1-f198.google.com with SMTP id p24so3394827qtl.2
        for <linux-mm@kvack.org>; Thu, 29 Nov 2018 13:55:25 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-original-authentication-results:x-gm-message-state:from:to:cc
         :subject:date:message-id;
        bh=GEQHqSLcOzWpoTpLmvxEdHmqnZXruT7YRpfHpL9cTkI=;
        b=Dd692r+0SzidSdiS9Evf3+gbmI/9bINpDNpVl+uajkcsHhjC4OVZVhLYsPFq5RYPyG
         Z/+X1EzsEn/Q98N796fChJAuSuqTG3c6fes+9Ls4W9M/ZSPRFEf/QG2Hs6WvYHHHkDZi
         x0HPZttq4NgBLQ78kMO3bNFBlDu5k82sWA2JuA3pRbrd8hc4+zN844HeZSdCWvmkc+Uu
         e9fU8V69Sp7/Bnf3O0gUk1gzzKyV35NiyE4+su8Vj0qy8Q7T0CzR3dDqvKqiEjJijWe9
         LIozdu4SYAish8H4CvCpc1MxXSxc18o9VNviZB3iMSQGvH72l/TZSlyEt1Vgc7WRnoHF
         gaLw==
X-Original-Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of jstancek@redhat.com designates
 209.132.183.28 as permitted sender) smtp.mailfrom=jstancek@redhat.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
X-Gm-Message-State: AA+aEWaMin8+HzOdvRYCEmc54/khBT0R7bipUOwSP423fgID8TyNSFPl
	1nxpz9JMX/6/arbMVMrYIuaRFwipb7wYBbuizty4+rRLzFNNBLSgQg9379NrPGoxcpvK5L3e9+d
	8gfj4Iuqdcd1MJFNwFrQikR8FYj+ktgbWOTlFKVzkloHE+nxmx+iZiYml/Ofvk8d23A==
X-Received: by 2002:a37:9e8e:: with SMTP id
 h136mr3145733qke.324.1543528524948;
        Thu, 29 Nov 2018 13:55:24 -0800 (PST)
X-Google-Smtp-Source: 
 AFSGD/UYkr8htEQYAzketZPoMsBwH98O3skyqbJg3aMDgkMZ6geqqoPpbPCdcB7g0TYzTIsEwFuc
X-Received: by 2002:a37:9e8e:: with SMTP id
 h136mr3145704qke.324.1543528524283;
        Thu, 29 Nov 2018 13:55:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543528524; cv=none;
        d=google.com; s=arc-20160816;
        b=mo9NH59vTWrszXeOnC6ULY7zT1fvD+ry6aremE40z4lmOEmRuAW7O/F/dENHMBPF9w
         bKBcu9/hdQ+JsaYGZJyP9KWnqEdT1v9C0nH9NW69abneKB96kJo4AbsJITDGGLeTaG3B
         UfTh4xArZPlBWZOcbwKtmU1WnqCJp7IJ0Ho21EQzD+Ve68ZyE2XzQcrWbfTHiBI9kfAB
         A0jl3w2PElO5QXt6yUX0wTSQ5eHseSALjt/pkAai9bvU0pEJsMTh03JGPtyggpm5rhum
         FgcfTvJviJgKdDQ0uau6/hoiY/VJExbGNtTpLPIk0r8Op8p7q0kVE3w4C21+mntdQaLP
         yBEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=message-id:date:subject:cc:to:from;
        bh=GEQHqSLcOzWpoTpLmvxEdHmqnZXruT7YRpfHpL9cTkI=;
        b=zKaUJPFqFpmsv/EYbstytIrOzzRKN+qPlN7V4u+qImuZG4dMbb/zzokWFpTZB7yPiP
         382Y89zppK6KEmVz0hZuMgUR2NVQxJK6c2zVCNnUvuuyd3FYJA195elGMuF5Qo7VQYAl
         szYeYppNBQvj3GqzpZvGxxVyiIR/1fCcIO2UJ6Ic57bqMIbx7pvZaOAGc6xJUfKhyPhv
         +fV8uHUbjhDyTQof37PrVna6adknvjBWdRqlC+4snyOThP9akAacbjwlNnCdPIAUj/Kc
         eNyJCpo4rCNNUnkTRW2Zvg6gALzkig9hmah3WsVLIYT98zvap5heABHjlBLTZyTpz7j8
         KxHA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of jstancek@redhat.com designates
 209.132.183.28 as permitted sender) smtp.mailfrom=jstancek@redhat.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
        by mx.google.com with ESMTPS id s17si1809175qve.22.2018.11.29.13.55.24
        for <linux-mm@kvack.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 29 Nov 2018 13:55:24 -0800 (PST)
Received-SPF: pass (google.com: domain of jstancek@redhat.com designates
 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of jstancek@redhat.com designates
 209.132.183.28 as permitted sender) smtp.mailfrom=jstancek@redhat.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 6A5EC4E928;
	Thu, 29 Nov 2018 21:55:23 +0000 (UTC)
Received: from dustball.brq.redhat.com (unknown [10.43.17.9])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 0BD1E601B9;
	Thu, 29 Nov 2018 21:55:17 +0000 (UTC)
From: Jan Stancek <jstancek@redhat.com>
To: linux-mm@kvack.org,
	lersek@redhat.com,
	alex.williamson@redhat.com,
	aarcange@redhat.com,
	rientjes@google.com,
	kirill@shutemov.name,
	mgorman@techsingularity.net,
	mhocko@suse.com,
	jstancek@redhat.com
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] mm: page_mapped: don't assume compound page is huge or THP
Date: Thu, 29 Nov 2018 22:53:48 +0100
Message-Id: 
 <eabca57aa14f4df723173b24891f4a2d9c501f21.1543526537.git.jstancek@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted,
 not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]);
 Thu, 29 Nov 2018 21:55:23 +0000 (UTC)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

LTP proc01 testcase has been observed to rarely trigger crashes
on arm64:
    page_mapped+0x78/0xb4
    stable_page_flags+0x27c/0x338
    kpageflags_read+0xfc/0x164
    proc_reg_read+0x7c/0xb8
    __vfs_read+0x58/0x178
    vfs_read+0x90/0x14c
    SyS_read+0x60/0xc0

Issue is that page_mapped() assumes that if compound page is not
huge, then it must be THP. But if this is 'normal' compound page
(COMPOUND_PAGE_DTOR), then following loop can keep running until
it tries to read from memory that isn't mapped and triggers a panic:
        for (i = 0; i < hpage_nr_pages(page); i++) {
                if (atomic_read(&page[i]._mapcount) >= 0)
                        return true;
	}

I could replicate this on x86 (v4.20-rc4-98-g60b548237fed) only
with a custom kernel module [1] which:
- allocates compound page (PAGEC) of order 1
- allocates 2 normal pages (COPY), which are initialized to 0xff
  (to satisfy _mapcount >= 0)
- 2 PAGEC page structs are copied to address of first COPY page
- second page of COPY is marked as not present
- call to page_mapped(COPY) now triggers fault on access to 2nd COPY
  page at offset 0x30 (_mapcount)

[1] https://github.com/jstancek/reproducers/blob/master/kernel/page_mapped_crash/repro.c

This patch modifies page_mapped() to check for 'normal'
compound pages (COMPOUND_PAGE_DTOR).

Debugged-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jan Stancek <jstancek@redhat.com>
---
 include/linux/mm.h | 9 +++++++++
 mm/util.c          | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index 5411de93a363..18b0bb953f92 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -700,6 +700,15 @@ static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
 	return compound_page_dtors[page[1].compound_dtor];
 }
 
+static inline int PageNormalCompound(struct page *page)
+{
+	if (!PageCompound(page))
+		return 0;
+
+	page = compound_head(page);
+	return page[1].compound_dtor == COMPOUND_PAGE_DTOR;
+}
+
 static inline unsigned int compound_order(struct page *page)
 {
 	if (!PageHead(page))
diff --git a/mm/util.c b/mm/util.c
index 8bf08b5b5760..06c1640cb7b3 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -478,6 +478,8 @@ bool page_mapped(struct page *page)
 		return true;
 	if (PageHuge(page))
 		return false;
+	if (PageNormalCompound(page))
+		return false;
 	for (i = 0; i < hpage_nr_pages(page); i++) {
 		if (atomic_read(&page[i]._mapcount) >= 0)
 			return true;