cxl: Fix possible deadlock when processing page faults from cxllib

cxllib_handle_fault() is called by an external driver when it needs to have the host resolve page faults for a buffer. The buffer can cover several pages and VMAs. The function iterates over all the pages used by the buffer, based on the page size of the VMA. To ensure some stability while processing the faults, the thread T1 grabs the mm->mmap_sem semaphore with read access (R1). However, when processing a page fault for a single page, one of the underlying functions, copro_handle_mm_fault(), also grabs the same semaphore with read access (R2). So the thread T1 takes the semaphore twice. If another thread T2 tries to access the semaphore in write mode W1 (say, because it wants to allocate memory and calls 'brk'), then that thread T2 will have to wait because there's a reader (R1). If the thread T1 is processing a new page at that time, it won't get an automatic grant at R2, because there's now a writer thread waiting (T2). And we have a deadlock. The timeline is: 1. thread T1 owns the semaphore with read access R1 2. thread T2 requests write access W1 and waits 3. thread T1 requests read access R2 and waits The fix is for the thread T1 to release the semaphore R1 once it got the information it needs from the current VMA. The address space/VMAs could evolve while T1 iterates over the full buffer, but in the unlikely case where T1 misses a page, the external driver will raise a new page fault when retrying the memory access. Fixes: 3ced8d730063 ("cxl: Export library to support IBM XSL") Cc: stable@vger.kernel.org # 4.13+ Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
author: Frederic Barrat <fbarrat@linux.vnet.ibm.com> 2018-04-03 09:54:02 -0400
committer: Michael Ellerman <mpe@ellerman.id.au> 2018-04-04 08:09:33 -0400
commit: ad7b4e8022b9864c075fe71e1328b1d25cad82f6 (patch)
tree: aaafc1678f2daf5f63b668ac69fb0c72d96b2994 /drivers/misc/cxl
parent: 5d6a03ebc88f82b0b0adcec24eabb9eb2fcd97db (diff)
1 files changed, 55 insertions, 30 deletions
diff --git a/drivers/misc/cxl/cxllib.c b/drivers/misc/cxl/cxllib.c
index bea1eb004b49..0bc7c31cf739 100644
--- a/drivers/misc/cxl/cxllib.c
+++ b/drivers/misc/cxl/cxllib.c
@@ -208,49 +208,74 @@ int cxllib_get_PE_attributes(struct task_struct *task,
 }
 EXPORT_SYMBOL_GPL(cxllib_get_PE_attributes);
-int cxllib_handle_fault(struct mm_struct *mm, u64 addr, u64 size, u64 flags)
+static int get_vma_info(struct mm_struct *mm, u64 addr,
+                        u64 *vma_start, u64 *vma_end,
+                        unsigned long *page_size)
 {
-        int rc;
-        u64 dar;
        struct vm_area_struct *vma = NULL;
-        unsigned long page_size;
+        int rc = 0;
-        if (mm == NULL)
-                return -EFAULT;
        down_read(&mm->mmap_sem);
        vma = find_vma(mm, addr);
        if (!vma) {
-                pr_err("Can't find vma for addr %016llx\n", addr);
                rc = -EFAULT;
                goto out;
        }
-        /* get the size of the pages allocated */
+        *page_size = vma_kernel_pagesize(vma);
-        page_size = vma_kernel_pagesize(vma);
+        *vma_start = vma->vm_start;
+        *vma_end = vma->vm_end;
-        for (dar = (addr & ~(page_size - 1)); dar < (addr + size); dar += page_size) {
+out:
-                if (dar < vma->vm_start || dar >= vma->vm_end) {
+        up_read(&mm->mmap_sem);
-                        vma = find_vma(mm, addr);
+        return rc;
-                        if (!vma) {
+}
-                                pr_err("Can't find vma for addr %016llx\n", addr);
-                                rc = -EFAULT;
+int cxllib_handle_fault(struct mm_struct *mm, u64 addr, u64 size, u64 flags)
-                                goto out;
+{
-                        }
+        int rc;
-                        /* get the size of the pages allocated */
+        u64 dar, vma_start, vma_end;
-                        page_size = vma_kernel_pagesize(vma);
+        unsigned long page_size;
+        if (mm == NULL)
+                return -EFAULT;
+        /*
+         * The buffer we have to process can extend over several pages
+         * and may also cover several VMAs.
+         * We iterate over all the pages. The page size could vary
+         * between VMAs.
+         */
+        rc = get_vma_info(mm, addr, &vma_start, &vma_end, &page_size);
+        if (rc)
+                return rc;
+        for (dar = (addr & ~(page_size - 1)); dar < (addr + size);
+             dar += page_size) {
+                if (dar < vma_start || dar >= vma_end) {
+                        /*
+                         * We don't hold the mm->mmap_sem semaphore
+                         * while iterating, since the semaphore is
+                         * required by one of the lower-level page
+                         * fault processing functions and it could
+                         * create a deadlock.
+                         *
+                         * It means the VMAs can be altered between 2
+                         * loop iterations and we could theoretically
+                         * miss a page (however unlikely). But that's
+                         * not really a problem, as the driver will
+                         * retry access, get another page fault on the
+                         * missing page and call us again.
+                         */
+                        rc = get_vma_info(mm, dar, &vma_start, &vma_end,
+                                        &page_size);
+                        if (rc)
+                                return rc;
                }
                rc = cxl_handle_mm_fault(mm, flags, dar);
-                if (rc) {
+                if (rc)
-                        pr_err("cxl_handle_mm_fault failed %d", rc);
+                        return -EFAULT;
-                        rc = -EFAULT;
-                        goto out;
-                }
        }
-        rc = 0;
+        return 0;
-out:
-        up_read(&mm->mmap_sem);
-        return rc;
 }
 EXPORT_SYMBOL_GPL(cxllib_handle_fault);
author	Frederic Barrat <fbarrat@linux.vnet.ibm.com>	2018-04-03 09:54:02 -0400
committer	Michael Ellerman <mpe@ellerman.id.au>	2018-04-04 08:09:33 -0400
commit	ad7b4e8022b9864c075fe71e1328b1d25cad82f6 (patch)
tree	aaafc1678f2daf5f63b668ac69fb0c72d96b2994 /drivers/misc/cxl
parent	5d6a03ebc88f82b0b0adcec24eabb9eb2fcd97db (diff)

diff --git a/drivers/misc/cxl/cxllib.c b/drivers/misc/cxl/cxllib.c index bea1eb004b49..0bc7c31cf739 100644 --- a/drivers/misc/cxl/cxllib.c +++ b/drivers/misc/cxl/cxllib.c
@@ -208,49 +208,74 @@ int cxllib_get_PE_attributes(struct task_struct *task,
208	}	208	}
209	EXPORT_SYMBOL_GPL(cxllib_get_PE_attributes);	209	EXPORT_SYMBOL_GPL(cxllib_get_PE_attributes);
210		210
211	int cxllib_handle_fault(struct mm_struct *mm, u64 addr, u64 size, u64 flags)	211	static int get_vma_info(struct mm_struct *mm, u64 addr,
		212	u64 vma_start, u64 vma_end,
		213	unsigned long *page_size)
212	{	214	{
213	int rc;
214	u64 dar;
215	struct vm_area_struct *vma = NULL;	215	struct vm_area_struct *vma = NULL;
216	unsigned long page_size;	216	int rc = 0;
217
218	if (mm == NULL)
219	return -EFAULT;
220		217
221	down_read(&mm->mmap_sem);	218	down_read(&mm->mmap_sem);
222		219
223	vma = find_vma(mm, addr);	220	vma = find_vma(mm, addr);
224	if (!vma) {	221	if (!vma) {
225	pr_err("Can't find vma for addr %016llx\n", addr);
226	rc = -EFAULT;	222	rc = -EFAULT;
227	goto out;	223	goto out;
228	}	224	}
229	/* get the size of the pages allocated */	225	*page_size = vma_kernel_pagesize(vma);
230	page_size = vma_kernel_pagesize(vma);	226	*vma_start = vma->vm_start;
231		227	*vma_end = vma->vm_end;
232	for (dar = (addr & ~(page_size - 1)); dar < (addr + size); dar += page_size) {	228	out:
233	if (dar < vma->vm_start \|\| dar >= vma->vm_end) {	229	up_read(&mm->mmap_sem);
234	vma = find_vma(mm, addr);	230	return rc;
235	if (!vma) {	231	}
236	pr_err("Can't find vma for addr %016llx\n", addr);	232
237	rc = -EFAULT;	233	int cxllib_handle_fault(struct mm_struct *mm, u64 addr, u64 size, u64 flags)
238	goto out;	234	{
239	}	235	int rc;
240	/* get the size of the pages allocated */	236	u64 dar, vma_start, vma_end;
241	page_size = vma_kernel_pagesize(vma);	237	unsigned long page_size;
		238
		239	if (mm == NULL)
		240	return -EFAULT;
		241
		242	/*
		243	* The buffer we have to process can extend over several pages
		244	* and may also cover several VMAs.
		245	* We iterate over all the pages. The page size could vary
		246	* between VMAs.
		247	*/
		248	rc = get_vma_info(mm, addr, &vma_start, &vma_end, &page_size);
		249	if (rc)
		250	return rc;
		251
		252	for (dar = (addr & ~(page_size - 1)); dar < (addr + size);
		253	dar += page_size) {
		254	if (dar < vma_start \|\| dar >= vma_end) {
		255	/*
		256	* We don't hold the mm->mmap_sem semaphore
		257	* while iterating, since the semaphore is
		258	* required by one of the lower-level page
		259	* fault processing functions and it could
		260	* create a deadlock.
		261	*
		262	* It means the VMAs can be altered between 2
		263	* loop iterations and we could theoretically
		264	* miss a page (however unlikely). But that's
		265	* not really a problem, as the driver will
		266	* retry access, get another page fault on the
		267	* missing page and call us again.
		268	*/
		269	rc = get_vma_info(mm, dar, &vma_start, &vma_end,
		270	&page_size);
		271	if (rc)
		272	return rc;
242	}	273	}
243		274
244	rc = cxl_handle_mm_fault(mm, flags, dar);	275	rc = cxl_handle_mm_fault(mm, flags, dar);
245	if (rc) {	276	if (rc)
246	pr_err("cxl_handle_mm_fault failed %d", rc);	277	return -EFAULT;
247	rc = -EFAULT;
248	goto out;
249	}
250	}	278	}
251	rc = 0;	279	return 0;
252	out:
253	up_read(&mm->mmap_sem);
254	return rc;
255	}	280	}
256	EXPORT_SYMBOL_GPL(cxllib_handle_fault);	281	EXPORT_SYMBOL_GPL(cxllib_handle_fault);