From patchwork Mon Jul 29 12:13:08 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: zhangchun <zhang.chunA@h3c.com>
X-Patchwork-Id: 13744799
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 90426C3DA4A
	for <linux-mm@archiver.kernel.org>; Mon, 29 Jul 2024 12:12:01 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 03FE56B0096; Mon, 29 Jul 2024 08:12:01 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id F32396B009D; Mon, 29 Jul 2024 08:12:00 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id DF95C6B00AF; Mon, 29 Jul 2024 08:12:00 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com
 [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id C1B896B0096
	for <linux-mm@kvack.org>; Mon, 29 Jul 2024 08:12:00 -0400 (EDT)
Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay01.hostedemail.com (Postfix) with ESMTP id 65E031C0FE0
	for <linux-mm@kvack.org>; Mon, 29 Jul 2024 12:12:00 +0000 (UTC)
X-FDA: 82392676800.14.EE036DA
Received: from h3cspam02-ex.h3c.com (smtp.h3c.com [60.191.123.50])
	by imf21.hostedemail.com (Postfix) with ESMTP id 6E81B1C0004
	for <linux-mm@kvack.org>; Mon, 29 Jul 2024 12:11:56 +0000 (UTC)
Authentication-Results: imf21.hostedemail.com;
	dkim=none;
	spf=pass (imf21.hostedemail.com: domain of zhang.chunA@h3c.com designates
 60.191.123.50 as permitted sender) smtp.mailfrom=zhang.chunA@h3c.com;
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1722255114;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:in-reply-to:
	 references; bh=lVSW4t63341LWU9IWzeNEdRpgfAwUU5u7fvUITaedSc=;
	b=cflRu52TZVXUaz5jzIMr4hFNgQf9+E8S6OXhjhnDsqOlGZg2e/2W+/vCybC0rH0L/iES6V
	L49C/8gq0bKnHz5k+otRftqwAS08KYzbuAPhl4/i9PDrssXmuixJ7S8d1HkRTaOX7CFq54
	QFMK8MftizLhKGCrXvpWpc03swFiv7Y=
ARC-Authentication-Results: i=1;
	imf21.hostedemail.com;
	dkim=none;
	spf=pass (imf21.hostedemail.com: domain of zhang.chunA@h3c.com designates
 60.191.123.50 as permitted sender) smtp.mailfrom=zhang.chunA@h3c.com;
	dmarc=none
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1722255114; a=rsa-sha256;
	cv=none;
	b=snzbV1IKv8l+m0f9UGTnHfxTRa4fKQ/BIZl/fmOVouM2uScPURIEYtbTlHnbIpcf/4KdUz
	OQNU3OCW2+FXWTvpC61cOhO/BmFH+BCIqZyLzd6auUjtOZ6lO5IV6XR3A0dmVC+yqjbNT1
	6es7uXSq64p1o3HNYDDA2U0gUbC/Xvc=
Received: from mail.maildlp.com ([172.25.15.154])
	by h3cspam02-ex.h3c.com with ESMTP id 46TCBa6O026906;
	Mon, 29 Jul 2024 20:11:36 +0800 (GMT-8)
	(envelope-from zhang.chunA@h3c.com)
Received: from DAG6EX09-BJD.srv.huawei-3com.com (unknown [10.153.34.11])
	by mail.maildlp.com (Postfix) with ESMTP id D99332004721;
	Mon, 29 Jul 2024 20:16:19 +0800 (CST)
Received: from localhost.localdomain.com (10.99.206.13) by
 DAG6EX09-BJD.srv.huawei-3com.com (10.153.34.11) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.2.1258.27; Mon, 29 Jul 2024 20:11:39 +0800
From: zhangchun <zhang.chuna@h3c.com>
To: <akpm@linux-foundation.org>
CC: <jiaoxupo@h3c.com>, <linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>,
        <shaohaojize@126.com>, <zhang.chuna@h3c.com>,
        <zhang.zhansheng@h3c.com>, <zhang.zhengming@h3c.com>
Subject: [PATCH v3] =?utf-8?q?mm=3A_Give_kmap=5Flock_before_call_flush=5Ftlb?=
	=?utf-8?q?=5Fkernel=5Frang=EF=BC=8Cavoid_kmap=5Fhigh_deadlock=2E?=
Date: Mon, 29 Jul 2024 20:13:08 +0800
Message-ID: <1722255188-4478-1-git-send-email-zhang.chuna@h3c.com>
X-Mailer: git-send-email 1.8.3.1
MIME-Version: 1.0
X-Originating-IP: [10.99.206.13]
X-ClientProxiedBy: BJSMTP01-EX.srv.huawei-3com.com (10.63.20.132) To
 DAG6EX09-BJD.srv.huawei-3com.com (10.153.34.11)
X-DNSRBL: 
X-MAIL: h3cspam02-ex.h3c.com 46TCBa6O026906
X-Rspam-User: 
X-Stat-Signature: imo3d74hf66p1qtob4jec8tyn4ui1rj5
X-Rspamd-Queue-Id: 6E81B1C0004
X-Rspamd-Server: rspam11
X-HE-Tag: 1722255116-312574
X-HE-Meta: 
 U2FsdGVkX1+1FznrX4iQiS+r13eMwUXAl7o9RqQxOuiz1bcAjRjkP/HZPlkSx4cOGRWNXf9fpvw72Rn3Vq4bnvsP3L82qh+Py1cq22LvOEOLjmB4eEzqME+FYbb9h7NiQyNPpiy+W+TUBsnzCSRNXe8YMnhYa+yqUHZ11VD/43Uk0Fg4yd1syeEp8oev7iRiOYyoMRb006bOdvtRpIIyKtyZqhoNFNrtx3oxqtRpdN/5Zrc63H0SF9Mn67ftFGFsbQNJxKhioZclhvwYsVXwZkNitR2OTx2rF+OarmyRYQzha+vpM4Faps51leP0zHLbenCveOCY/H2CCAjS+hF20JYXJm75gxSxlZWxgCAnuijPd76AOZER48pb90vc7Kr2AXCkTrSFFpUHNRAMuS+6RZpLG2+IT0CJRiLDdcRzXk7CKH7Pxd/NRLSmot8KbZIAe7elIA8NehpTTzGQLpFyXLJ1AUrSZ7s4LXAZ3RgTh5CIMJZyAT+jrZNdkUs30vd3wMKIrq0vtOaybw/BDSVCgGSQpZfwQjjZSrbYloIdO511c82rfioUmWhxmKcwwhm6XZ7PKj2a8NiEQINkTe6fXBsnj2a7eJYLETolOLaFqbeMv5KlLmt+3PwkVhOYUCg/i3AZGiZlSrUMYY+dblzU31a6FEBw1AxKOiB+q5OKI11BzYN5Il3Na+DOc1Cp+gpcvXswLAoI+qYKS9Zra+9yR+wVRkgFTBHTDQFvs0ZrB8d6YZwO0jt7pVv3qHLDYRNpkSvexjfHZNERHzXz85khh3CnUhmERk9DZC8IZHFdGg4ZDI59fPxDRn/mYdsdLjJe5ZczLmwq4Pa4+qY0SKabbPIkJI6TLnr1ADrOkrFlcBNs4uVGDqw5CYplNd5CtIwwqI0EuP3yPiiPA8BSet4i4HYqg5mh5ODPUxza54yIJC502ss9rOboeH1aA+ZEjPRavTW2pH3j0aWuexttJJJ
 Vo+mcB1E
 WKJLw/q4aovsJgmd66M0gycmJ+VvUFi0smnEVl+ZcgiaRs/MXr8//0tHySiV7y+F8Qu0A8nZ9WFG9+6TGhNMhhRZ40koMg8FNJj1A7KqJcjQZIclwt5pnZP7s/unAfcErCBj/hc4flPgRi2caz6lHRdRclOLQRGQvCHMXA0oHy/Lt0FJZYytmTE8tCoYsGiy7NItYtV+HMRLHJ27OIV+mNrrKsH9S6nBh+2UtT0fTC18R2uaQRixpezhm/qNtNUtJCM0Z6cw5WtymLBHtWimD/iwOgJg6/hnq447hOL/tH25KeTk=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000002, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

CPU 0:                                                 CPU 1:
 kmap_high(){                                           kmap_xxx() {
               ...                                        irq_disable();
        spin_lock(&kmap_lock)
               ...
        map_new_virtual                                     ...
           flush_all_zero_pkmaps
              flush_tlb_kernel_range         /* CPU0 holds the kmap_lock */
                      smp_call_function_many         spin_lock(&kmap_lock)
                      ...                                   ....
        spin_unlock(&kmap_lock)
               ...

CPU 0 holds the kmap_lock, waiting for CPU 1 respond to IPI. But CPU 1 has
disabled irqs, waiting for kmap_lock, cannot answer the IPI. Fix this by 
releasing kmap_lock before call flush_tlb_kernel_range, avoid kmap_lock
deadlock.

        if (need_flush) {
            unlock_kmap();
            flush_tlb_kernel_range(PKMAP_ADDR(0), PKMAP_ADDR(LAST_PKMAP));
            lock_kmap();
        }

Dropping the lock like this is safe. kmap_lock is used to protect
pkmap_count, pkmap_page_table and last_pkmap_nr(static variable). 
When call flush_tlb_kernel_range(PKMAP_ADDR(0), PKMAP_ADDR(LAST_PKMAP)), 
flush_tlb_kernel_range will neither modify nor read these variables. 
Leave that data unprotected here is safe.

map_new_virtual aims to find an usable entry pkmap_count[last_pkmap_nr].
When read and modify the pkmap_count[last_pkmap_nr], the kmap_lock is 
not dropped. "if (!pkmap_count[last_pkmap_nr])" determine 
pkmap_count[last_pkmap_nr] is usable or not. If unusable, try agin.

Furthermore, the value of static variable last_pkmap_nr is stored in
a local variable last_pkmap_nr, when kmap_lock is acquired, this is 
thread-safe.

In an extreme case, if Thread A and Thread B access the same last_pkmap_nr,
Thread A calls function flush_tlb_kernel_range and release the kmap_lock,
and Thread B then acquires the kmap_lock and modifies the variable
pkmap_count[last_pkmap_nr]. After Thread A completes the execution 
of function the variable pkmap_count[last_pkmap_nr]. After Thread A 
completes the execution of function flush_tlb_kernel_range, it will
check the variable pkmap_count[last_pkmap_nr].

static inline unsigned long map_new_virtual(struct page *page)
{
        unsigned long vaddr;
        int count;
        unsigned int last_pkmap_nr; // local variable to store static variable last_pkmap_nr
        unsigned int color = get_pkmap_color(page);

start:
      ...
                        flush_all_zero_pkmaps();// release kmap_lock, then acquire it
                        count = get_pkmap_entries_count(color);
                }
                ...
                if (!pkmap_count[last_pkmap_nr]) // pkmap_count[last_pkmap_nr] is used or not
                        break;  /* Found a usable entry */
                if (--count)
                        continue;

               ...
        vaddr = PKMAP_ADDR(last_pkmap_nr);
        set_pte_at(&init_mm, vaddr,
                   &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));

        pkmap_count[last_pkmap_nr] = 1;
        ...
        return vaddr;
}

Fixes: 3297e760776a ("highmem: atomic highmem kmap page pinning")
Signed-off-by: zhangchun <zhang.chuna@h3c.com>
Co-developed-by: zhangzhansheng <zhang.zhansheng@h3c.com>
Signed-off-by: zhangzhansheng <zhang.zhansheng@h3c.com>
Suggested-by: Matthew Wilcox <willy@infradead.org>
Reviewed-by: zhangzhengming <zhang.zhengming@h3c.com>
---
 mm/highmem.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/mm/highmem.c b/mm/highmem.c
index ef3189b..07f2c67 100644
--- a/mm/highmem.c
+++ b/mm/highmem.c
@@ -231,8 +231,18 @@ static void flush_all_zero_pkmaps(void)
 		set_page_address(page, NULL);
 		need_flush = 1;
 	}
-	if (need_flush)
+	if (need_flush) {
+		/*
+		 * In multi-core system one CPU holds the kmap_lock, waiting
+		 * for other CPUs respond to IPI. But other CPUS has disabled
+		 * irqs, waiting for kmap_lock, cannot answer the IPI. Release
+		 * kmap_lock before call flush_tlb_kernel_range, avoid kmap_lock
+		 * deadlock.
+		 */
+		unlock_kmap();
 		flush_tlb_kernel_range(PKMAP_ADDR(0), PKMAP_ADDR(LAST_PKMAP));
+		lock_kmap();
+	}
 }
 
 void __kmap_flush_unused(void)