hugetlbfs: fix hugetlb page migration/fault race causing SIGBUS

Li Wang discovered that LTP/move_page12 V2 sometimes triggers SIGBUS in the kernel-v5.2.3 testing. This is caused by a race between hugetlb page migration and page fault. If a hugetlb page can not be allocated to satisfy a page fault, the task is sent SIGBUS. This is normal hugetlbfs behavior. A hugetlb fault mutex exists to prevent two tasks from trying to instantiate the same page. This protects against the situation where there is only one hugetlb page, and both tasks would try to allocate. Without the mutex, one would fail and SIGBUS even though the other fault would be successful. There is a similar race between hugetlb page migration and fault. Migration code will allocate a page for the target of the migration. It will then unmap the original page from all page tables. It does this unmap by first clearing the pte and then writing a migration entry. The page table lock is held for the duration of this clear and write operation. However, the beginnings of the hugetlb page fault code optimistically checks the pte without taking the page table lock. If clear (as it can be during the migration unmap operation), a hugetlb page allocation is attempted to satisfy the fault. Note that the page which will eventually satisfy this fault was already allocated by the migration code. However, the allocation within the fault path could fail which would result in the task incorrectly being sent SIGBUS. Ideally, we could take the hugetlb fault mutex in the migration code when modifying the page tables. However, locks must be taken in the order of hugetlb fault mutex, page lock, page table lock. This would require significant rework of the migration code. Instead, the issue is addressed in the hugetlb fault code. After failing to allocate a huge page, take the page table lock and check for huge_pte_none before returning an error. This is the same check that must be made further in the code even if page allocation is successful. Link: http://lkml.kernel.org/r/20190808000533.7701-1-mike.kravetz@oracle.com Fixes: 290408d4a250 ("hugetlb: hugepage migration core") Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com> Reported-by: Li Wang <liwang@redhat.com> Tested-by: Li Wang <liwang@redhat.com> Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Acked-by: Michal Hocko <mhocko@suse.com> Cc: Cyril Hrubis <chrubis@suse.cz> Cc: Xishi Qiu <xishi.qiuxishi@alibaba-inc.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Mike Kravetz <mike.kravetz@oracle.com> 2019-08-13 18:38:00 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-08-13 19:06:53 -0400
commit: 4643d67e8cb0b3536ef0ab5cddd1cedc73fa14ad (patch)
tree: d42fc9f79372aecd26c58acd2b482a1eadcdb2ff
parent: 28360f398778d7623a5ff8a8e90958c0d925e120 (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index ede7e7f5d1ab..6d7296dd11b8 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3856,6 +3856,25 @@ retry:
                page = alloc_huge_page(vma, haddr, 0);
                if (IS_ERR(page)) {
+                        /*
+                         * Returning error will result in faulting task being
+                         * sent SIGBUS.  The hugetlb fault mutex prevents two
+                         * tasks from racing to fault in the same page which
+                         * could result in false unable to allocate errors.
+                         * Page migration does not take the fault mutex, but
+                         * does a clear then write of pte's under page table
+                         * lock.  Page fault code could race with migration,
+                         * notice the clear pte and try to allocate a page
+                         * here.  Before returning error, get ptl and make
+                         * sure there really is no pte entry.
+                         */
+                        ptl = huge_pte_lock(h, mm, ptep);
+                        if (!huge_pte_none(huge_ptep_get(ptep))) {
+                                ret = 0;
+                                spin_unlock(ptl);
+                                goto out;
+                        }
+                        spin_unlock(ptl);
                        ret = vmf_error(PTR_ERR(page));
                        goto out;
                }
author	Mike Kravetz <mike.kravetz@oracle.com>	2019-08-13 18:38:00 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-08-13 19:06:53 -0400
commit	4643d67e8cb0b3536ef0ab5cddd1cedc73fa14ad (patch)
tree	d42fc9f79372aecd26c58acd2b482a1eadcdb2ff
parent	28360f398778d7623a5ff8a8e90958c0d925e120 (diff)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c index ede7e7f5d1ab..6d7296dd11b8 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c
@@ -3856,6 +3856,25 @@ retry:
3856		3856
3857	page = alloc_huge_page(vma, haddr, 0);	3857	page = alloc_huge_page(vma, haddr, 0);
3858	if (IS_ERR(page)) {	3858	if (IS_ERR(page)) {
		3859	/*
		3860	* Returning error will result in faulting task being
		3861	* sent SIGBUS. The hugetlb fault mutex prevents two
		3862	* tasks from racing to fault in the same page which
		3863	* could result in false unable to allocate errors.
		3864	* Page migration does not take the fault mutex, but
		3865	* does a clear then write of pte's under page table
		3866	* lock. Page fault code could race with migration,
		3867	* notice the clear pte and try to allocate a page
		3868	* here. Before returning error, get ptl and make
		3869	* sure there really is no pte entry.
		3870	*/
		3871	ptl = huge_pte_lock(h, mm, ptep);
		3872	if (!huge_pte_none(huge_ptep_get(ptep))) {
		3873	ret = 0;
		3874	spin_unlock(ptl);
		3875	goto out;
		3876	}
		3877	spin_unlock(ptl);
3859	ret = vmf_error(PTR_ERR(page));	3878	ret = vmf_error(PTR_ERR(page));
3860	goto out;	3879	goto out;
3861	}	3880	}