hugetlbfs: revert "use i_mmap_rwsem for more pmd sharing synchronization"

This reverts b43a9990055958e70347c56f90ea2ae32c67334c

The reverted commit caused issues with migration and poisoning of anon
huge pages.  The LTP move_pages12 test will cause an "unable to handle
kernel NULL pointer" BUG would occur with stack similar to:

  RIP: 0010:down_write+0x1b/0x40
  Call Trace:
    migrate_pages+0x81f/0xb90
    __ia32_compat_sys_migrate_pages+0x190/0x190
    do_move_pages_to_node.isra.53.part.54+0x2a/0x50
    kernel_move_pages+0x566/0x7b0
    __x64_sys_move_pages+0x24/0x30
    do_syscall_64+0x5b/0x180
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

The purpose of the reverted patch was to fix some long existing races
with huge pmd sharing.  It used i_mmap_rwsem for this purpose with the
idea that this could also be used to address truncate/page fault races
with another patch.  Further analysis has determined that i_mmap_rwsem
can not be used to address all these hugetlbfs synchronization issues.
Therefore, revert this patch while working an another approach to the
underlying issues.

Link: http://lkml.kernel.org/r/20190103235452.29335-2-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Prakash Sangappa <prakash.sangappa@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 2 insertions, 9 deletions

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 065c1ce191c4..d59b5a73dfb3 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -267,14 +267,10 @@ retry:
                 VM_BUG_ON(dst_addr & ~huge_page_mask(h));
 
                 /*
-                 * Serialize via i_mmap_rwsem and hugetlb_fault_mutex.
-                 * i_mmap_rwsem ensures the dst_pte remains valid even
-                 * in the case of shared pmds.  fault mutex prevents
-                 * races with other faulting threads.
+                 * Serialize via hugetlb_fault_mutex
                  */
-                mapping = dst_vma->vm_file->f_mapping;
-                i_mmap_lock_read(mapping);
                 idx = linear_page_index(dst_vma, dst_addr);
+                mapping = dst_vma->vm_file->f_mapping;
                 hash = hugetlb_fault_mutex_hash(h, dst_mm, dst_vma, mapping,
                                                                 idx, dst_addr);
                 mutex_lock(&hugetlb_fault_mutex_table[hash]);
@@ -283,7 +279,6 @@ retry:
                 dst_pte = huge_pte_alloc(dst_mm, dst_addr, huge_page_size(h));
                 if (!dst_pte) {
                         mutex_unlock(&hugetlb_fault_mutex_table[hash]);
-                        i_mmap_unlock_read(mapping);
                         goto out_unlock;
                 }
 
@@ -291,7 +286,6 @@ retry:
                 dst_pteval = huge_ptep_get(dst_pte);
                 if (!huge_pte_none(dst_pteval)) {
                         mutex_unlock(&hugetlb_fault_mutex_table[hash]);
-                        i_mmap_unlock_read(mapping);
                         goto out_unlock;
                 }
 
@@ -299,7 +293,6 @@ retry:
                                                 dst_addr, src_addr, &page);
 
                 mutex_unlock(&hugetlb_fault_mutex_table[hash]);
-                i_mmap_unlock_read(mapping);
                 vm_alloc_shared = vm_shared;
 
                 cond_resched();