From: Matthew Wilcox <willy@infradead.org>
To: Jann Horn <jannh@google.com>
Cc: Linux-MM <linux-mm@kvack.org>, Zi Yan <ziy@nvidia.com>,
Peter Xu <peterx@redhat.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
Andrew Morton <akpm@linux-foundation.org>,
chinwen.chang@mediatek.com,
kernel list <linux-kernel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Vlastimil Babka <vbabka@suse.cz>,
Michel Lespinasse <walken@google.com>,
syzbot <syzbot+1f52b3a18d5633fa7f82@syzkaller.appspotmail.com>
Subject: Re: split_huge_page_to_list() races with page_mapcount() on migration entry in smaps code? [was: Re: [syzbot] kernel BUG in __page_mapcount]
Date: Mon, 7 Jun 2021 19:03:23 +0100 [thread overview]
Message-ID: <YL5fayfh03Wecyd7@casper.infradead.org> (raw)
In-Reply-To: <CAG48ez0M=iwJu=Q8yUQHD-+eZDg6ZF8QCF86Sb=CN1petP=Y0Q@mail.gmail.com>
On Mon, Jun 07, 2021 at 07:27:23PM +0200, Jann Horn wrote:
> === Short summary ===
> I believe the issue here is a race between /proc/*/smaps and
> split_huge_page_to_list():
>
> The codepath for /proc/*/smaps walks the pagetables and (e.g. in
> smaps_account()) calls page_mapcount() not just on pages from normal
> PTEs but also on migration entries (since commit b1d4d9e0cbd0a
> "proc/smaps: carefully handle migration entries", from Linux v3.5).
> page_mapcount() expects compound pages to be stable.
>
> The split_huge_page_to_list() path first protects the compound page by
> locking it and replacing all its PTEs with migration entries (since
> the THP rewrite in v4.5, I think?), then does the actual splitting
> using __split_huge_page().
>
> So there's a mismatch of expectations here:
> The smaps code expects that migration entries point to stable compound
> pages, while the THP code expects that it's okay to split a compound
> page while it has migration entries.
Will it be a colossal performance penalty if we always get the page
refcount after looking it up? That will cause split_huge_page() to
fail to split the page if it hits this race.
next prev parent reply other threads:[~2021-06-07 18:04 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 0:53 [syzbot] kernel BUG in __page_mapcount syzbot
2021-06-07 17:27 ` split_huge_page_to_list() races with page_mapcount() on migration entry in smaps code? [was: Re: [syzbot] kernel BUG in __page_mapcount] Jann Horn
2021-06-07 18:03 ` Matthew Wilcox [this message]
2021-06-07 19:55 ` Jann Horn
2021-06-07 20:20 ` Matthew Wilcox
2021-06-07 20:49 ` Kirill A. Shutemov
2021-12-21 17:24 ` [syzbot] kernel BUG in __page_mapcount syzbot
2021-12-21 18:24 ` Yang Shi
2021-12-21 18:40 ` Matthew Wilcox
2021-12-21 19:07 ` Yang Shi
2021-12-22 1:42 ` Yang Shi
2022-01-05 19:05 ` Yang Shi
2022-01-11 23:14 ` Yang Shi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YL5fayfh03Wecyd7@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=chinwen.chang@mediatek.com \
--cc=jannh@google.com \
--cc=khlebnikov@yandex-team.ru \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=syzbot+1f52b3a18d5633fa7f82@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vbabka@suse.cz \
--cc=walken@google.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.