From patchwork Fri Aug 24 19:25:45 2018
X-Patchwork-Submitter: Jerome Glisse
X-Patchwork-Id: 10575703
From: jglisse@redhat.com
To: linux-mm@kvack.org
Cc: Andrew Morton, linux-kernel@vger.kernel.org, Ralph Campbell, stable@vger.kernel.org
Subject: [PATCH 3/7] mm/hmm: fix race between hmm_mirror_unregister() and mmu_notifier callback
Date: Fri, 24 Aug 2018 15:25:45 -0400
Message-Id: <20180824192549.30844-4-jglisse@redhat.com>
In-Reply-To: <20180824192549.30844-1-jglisse@redhat.com>
References: <20180824192549.30844-1-jglisse@redhat.com>

From: Ralph Campbell

In hmm_mirror_unregister(), mm->hmm is set to NULL and then mmu_notifier_unregister_no_release() is called. That creates a small window where mmu_notifier can call mmu_notifier_ops with mm->hmm equal to NULL. Fix this by first unregistering mmu notifier callbacks and then setting mm->hmm to NULL. Similarly in hmm_register(), set mm->hmm before registering mmu_notifier callbacks so callback functions always see mm->hmm set.

Signed-off-by: Ralph Campbell
Reviewed-by: John Hubbard
Reviewed-by: Jérôme Glisse
Cc: Andrew Morton
Cc: stable@vger.kernel.org
Reviewed-by: Balbir Singh
---
 mm/hmm.c | 36 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/mm/hmm.c b/mm/hmm.c
index 9a068a1da487..a16678d08127 100644
--- a/mm/hmm.c
+++ b/mm/hmm.c
@@ -91,16 +91,6 @@ static struct hmm *hmm_register(struct mm_struct *mm) spin_lock_init(&hmm->lock); hmm->mm = mm; - /* - * We should only get here if hold the mmap_sem in write mode ie on - * registration of first mirror through hmm_mirror_register() - */ - hmm->mmu_notifier.ops = &hmm_mmu_notifier_ops; - if (__mmu_notifier_register(&hmm->mmu_notifier, mm)) { - kfree(hmm); - return NULL; - } - spin_lock(&mm->page_table_lock); if (!mm->hmm) mm->hmm = hmm; @@ -108,12 +98,27 @@ static struct hmm *hmm_register(struct mm_struct *mm) cleanup = true; spin_unlock(&mm->page_table_lock); - if (cleanup) { - mmu_notifier_unregister(&hmm->mmu_notifier, mm); - kfree(hmm); - } + if (cleanup) + goto error; + + /* + * We should only get here if hold the mmap_sem in write mode ie on + * registration of first mirror through hmm_mirror_register() + */ + hmm->mmu_notifier.ops = &hmm_mmu_notifier_ops; + if (__mmu_notifier_register(&hmm->mmu_notifier, mm)) + goto error_mm; return mm->hmm; + +error_mm: + spin_lock(&mm->page_table_lock); + if (mm->hmm == hmm) + mm->hmm = NULL; + spin_unlock(&mm->page_table_lock); +error: + kfree(hmm); + return NULL; } void hmm_mm_destroy(struct mm_struct *mm) @@ -278,12 +283,13 @@ void hmm_mirror_unregister(struct hmm_mirror *mirror) if (!should_unregister || mm == NULL) return; + mmu_notifier_unregister_no_release(&hmm->mmu_notifier, mm); + spin_lock(&mm->page_table_lock); if (mm->hmm == hmm) mm->hmm = NULL; spin_unlock(&mm->page_table_lock); - mmu_notifier_unregister_no_release(&hmm->mmu_notifier, mm); kfree(hmm); } EXPORT_SYMBOL(hmm_mirror_unregister);
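Review bot: the lost-race branch in the second hunk of hmm_register() silently changes the return value. Before the patch a caller that found mm->hmm already set (cleanup = true) freed its own allocation and still fell through to `return mm->hmm;`; after it, `if (cleanup) goto error;` lands on `kfree(hmm); return NULL;`, so the second of two concurrent registrants now fails even though the winner's struct hmm is already published in mm->hmm. Either that concurrency is impossible, as the moved comment claims ("We should only get here if hold the mmap_sem in write mode"), in which case the cleanup branch is dead code and the comment should say so, or it is possible, in which case `error:` should return the existing mm->hmm rather than NULL, and the new error_mm path opens a further window in which a concurrent caller can observe mm->hmm == hmm before __mmu_notifier_register() fails and the structure is freed. Please state in the commit message which of the two holds. Nit in the moved comment: "if hold the mmap_sem" should read "if we hold the mmap_sem".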
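Review bot: the reorder in the hmm_mirror_unregister() hunk closes the race only because mmu_notifier_unregister_no_release() waits for in-flight callbacks to finish (it synchronizes on the mmu_notifier SRCU grace period) before returning, so no callback can still be dereferencing hmm when mm->hmm is cleared and `kfree(hmm)` runs; that dependency deserves a sentence in the commit message, since the same reorder around a plain list removal would not be enough. It is also worth saying explicitly that the two ordering changes are a pair: hmm_register() now publishes mm->hmm before registering the notifier and this path unregisters before clearing it, so callbacks observe a non-NULL mm->hmm for the whole time the notifier is live.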