diff options
| author | Mike Kravetz <mike.kravetz@oracle.com> | 2018-12-28 03:39:38 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2018-12-28 15:11:51 -0500 |
| commit | b43a9990055958e70347c56f90ea2ae32c67334c (patch) | |
| tree | 91f90f0c3e73ca076cbc4a9780bd7d5a271b6257 /mm/rmap.c | |
| parent | 1ecc07fd0a6d350bbf4dc176e0d654661b304a30 (diff) | |
hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization
While looking at BUGs associated with invalid huge page map counts, it was
discovered and observed that a huge pte pointer could become 'invalid' and
point to another task's page table. Consider the following:
A task takes a page fault on a shared hugetlbfs file and calls
huge_pte_alloc to get a ptep. Suppose the returned ptep points to a
shared pmd.
Now, another task truncates the hugetlbfs file. As part of truncation, it
unmaps everyone who has the file mapped. If the range being truncated is
covered by a shared pmd, huge_pmd_unshare will be called. For all but the
last user of the shared pmd, huge_pmd_unshare will clear the pud pointing
to the pmd. If the task in the middle of the page fault is not the last
user, the ptep returned by huge_pte_alloc now points to another task's
page table or worse. This leads to bad things such as incorrect page
map/reference counts or invalid memory references.
To fix, expand the use of i_mmap_rwsem as follows:
- i_mmap_rwsem is held in read mode whenever huge_pmd_share is called.
huge_pmd_share is only called via huge_pte_alloc, so callers of
huge_pte_alloc take i_mmap_rwsem before calling. In addition, callers
of huge_pte_alloc continue to hold the semaphore until finished with the
ptep.
- i_mmap_rwsem is held in write mode whenever huge_pmd_unshare is
called.
[mike.kravetz@oracle.com: add explicit check for mapping != null]
Link: http://lkml.kernel.org/r/20181218223557.5202-2-mike.kravetz@oracle.com
Fixes: 39dde65c9940 ("shared page table for hugetlb page")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/rmap.c')
| -rw-r--r-- | mm/rmap.c | 4 |
1 files changed, 4 insertions, 0 deletions
| @@ -25,6 +25,7 @@ | |||
| 25 | * page->flags PG_locked (lock_page) | 25 | * page->flags PG_locked (lock_page) |
| 26 | * hugetlbfs_i_mmap_rwsem_key (in huge_pmd_share) | 26 | * hugetlbfs_i_mmap_rwsem_key (in huge_pmd_share) |
| 27 | * mapping->i_mmap_rwsem | 27 | * mapping->i_mmap_rwsem |
| 28 | * hugetlb_fault_mutex (hugetlbfs specific page fault mutex) | ||
| 28 | * anon_vma->rwsem | 29 | * anon_vma->rwsem |
| 29 | * mm->page_table_lock or pte_lock | 30 | * mm->page_table_lock or pte_lock |
| 30 | * zone_lru_lock (in mark_page_accessed, isolate_lru_page) | 31 | * zone_lru_lock (in mark_page_accessed, isolate_lru_page) |
| @@ -1378,6 +1379,9 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, | |||
| 1378 | /* | 1379 | /* |
| 1379 | * If sharing is possible, start and end will be adjusted | 1380 | * If sharing is possible, start and end will be adjusted |
| 1380 | * accordingly. | 1381 | * accordingly. |
| 1382 | * | ||
| 1383 | * If called for a huge page, caller must hold i_mmap_rwsem | ||
| 1384 | * in write mode as it is possible to call huge_pmd_unshare. | ||
| 1381 | */ | 1385 | */ |
| 1382 | adjust_range_if_pmd_sharing_possible(vma, &range.start, | 1386 | adjust_range_if_pmd_sharing_possible(vma, &range.start, |
| 1383 | &range.end); | 1387 | &range.end); |