[1/2] mm: support poison recovery from do_cow_fault()

Message ID	20240906024201.1214712-2-wangkefeng.wang@huawei.com (mailing list archive)
State	New
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: Kefeng Wang <wangkefeng.wang@huawei.com> To: Andrew Morton <akpm@linux-foundation.org> CC: <linux-mm@kvack.org>, Jane Chu <jane.chu@oracle.com>, Miaohe Lin <linmiaohe@huawei.com>, Naoya Horiguchi <nao.horiguchi@gmail.com>, Tony Luck <tony.luck@intel.com>, Jiaqi Yan <jiaqiyan@google.com>, David Hildenbrand <david@redhat.com>, Kefeng Wang <wangkefeng.wang@huawei.com> Subject: [PATCH 1/2] mm: support poison recovery from do_cow_fault() Date: Fri, 6 Sep 2024 10:42:00 +0800 Message-ID: <20240906024201.1214712-2-wangkefeng.wang@huawei.com> In-Reply-To: <20240906024201.1214712-1-wangkefeng.wang@huawei.com> References: <20240906024201.1214712-1-wangkefeng.wang@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	mm: hwpoison: two more poison recovery \| expand [0/2] mm: hwpoison: two more poison recovery [1/2] mm: support poison recovery from do_cow_fault() [2/2] mm: support poison recovery from copy_present_page()

Message ID

20240906024201.1214712-2-wangkefeng.wang@huawei.com (mailing list archive)

State

New

Headers

From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: Andrew Morton <akpm@linux-foundation.org>
CC: <linux-mm@kvack.org>, Jane Chu <jane.chu@oracle.com>, Miaohe Lin
	<linmiaohe@huawei.com>, Naoya Horiguchi <nao.horiguchi@gmail.com>, Tony Luck
	<tony.luck@intel.com>, Jiaqi Yan <jiaqiyan@google.com>, David Hildenbrand
	<david@redhat.com>, Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: [PATCH 1/2] mm: support poison recovery from do_cow_fault()
Date: Fri, 6 Sep 2024 10:42:00 +0800
Message-ID: <20240906024201.1214712-2-wangkefeng.wang@huawei.com>
In-Reply-To: <20240906024201.1214712-1-wangkefeng.wang@huawei.com>
References: <20240906024201.1214712-1-wangkefeng.wang@huawei.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

mm: hwpoison: two more poison recovery | expand

Commit Message

Kefeng Wang Sept. 6, 2024, 2:42 a.m. UTC

Like commit a873dfe1032a ("mm, hwpoison: try to recover from copy-on
write faults"), there is another path which could crash because it does
not have recovery code where poison is consumed by the kernel in
do_cow_fault(), a crash calltrace shown below on old kernel, but it
could be happened in the lastest mainline code,

  CPU: 7 PID: 3248 Comm: mpi Kdump: loaded Tainted: G           OE     5.10.0 #1
  pc : copy_page+0xc/0xbc
  lr : copy_user_highpage+0x50/0x9c
  Call trace:
    copy_page+0xc/0xbc
    do_cow_fault+0x118/0x2bc
    do_fault+0x40/0x1a4
    handle_pte_fault+0x154/0x230
    __handle_mm_fault+0x1a8/0x38c
    handle_mm_fault+0xf0/0x250
    do_page_fault+0x184/0x454
    do_translation_fault+0xac/0xd4
    do_mem_abort+0x44/0xbc

Fix it by using copy_mc_user_highpage() to handle this case and return
VM_FAULT_HWPOISON for cow fault.

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
---
 mm/memory.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Jane Chu Sept. 6, 2024, 10:17 p.m. UTC | #1

On 9/5/2024 7:42 PM, Kefeng Wang wrote:

> Like commit a873dfe1032a ("mm, hwpoison: try to recover from copy-on
> write faults"), there is another path which could crash because it does
> not have recovery code where poison is consumed by the kernel in
> do_cow_fault(), a crash calltrace shown below on old kernel, but it
> could be happened in the lastest mainline code,
>
>    CPU: 7 PID: 3248 Comm: mpi Kdump: loaded Tainted: G           OE     5.10.0 #1
>    pc : copy_page+0xc/0xbc
>    lr : copy_user_highpage+0x50/0x9c
>    Call trace:
>      copy_page+0xc/0xbc
>      do_cow_fault+0x118/0x2bc
>      do_fault+0x40/0x1a4
>      handle_pte_fault+0x154/0x230
>      __handle_mm_fault+0x1a8/0x38c
>      handle_mm_fault+0xf0/0x250
>      do_page_fault+0x184/0x454
>      do_translation_fault+0xac/0xd4
>      do_mem_abort+0x44/0xbc
>
> Fix it by using copy_mc_user_highpage() to handle this case and return
> VM_FAULT_HWPOISON for cow fault.
>
> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
> ---
>   mm/memory.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/memory.c b/mm/memory.c
> index 42674c0748cb..d310c073a1b3 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -5089,7 +5089,10 @@ static vm_fault_t do_cow_fault(struct vm_fault *vmf)
>   	if (ret & VM_FAULT_DONE_COW)
>   		return ret;
>   
> -	copy_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma);
> +	if (copy_mc_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma)) {
> +		ret = VM_FAULT_HWPOISON;
> +		goto uncharge_out;
> +	}
>   	__folio_mark_uptodate(folio);
>   
>   	ret |= finish_fault(vmf);

Thanks for catching it!

Reviewed-by: Jane Chu <jane.chu@oracle.com>

-jane

Miaohe Lin Sept. 10, 2024, 1:58 a.m. UTC | #2

On 2024/9/6 10:42, Kefeng Wang wrote:
> Like commit a873dfe1032a ("mm, hwpoison: try to recover from copy-on
> write faults"), there is another path which could crash because it does
> not have recovery code where poison is consumed by the kernel in
> do_cow_fault(), a crash calltrace shown below on old kernel, but it
> could be happened in the lastest mainline code,
> 
>   CPU: 7 PID: 3248 Comm: mpi Kdump: loaded Tainted: G           OE     5.10.0 #1
>   pc : copy_page+0xc/0xbc
>   lr : copy_user_highpage+0x50/0x9c
>   Call trace:
>     copy_page+0xc/0xbc
>     do_cow_fault+0x118/0x2bc
>     do_fault+0x40/0x1a4
>     handle_pte_fault+0x154/0x230
>     __handle_mm_fault+0x1a8/0x38c
>     handle_mm_fault+0xf0/0x250
>     do_page_fault+0x184/0x454
>     do_translation_fault+0xac/0xd4
>     do_mem_abort+0x44/0xbc
> 
> Fix it by using copy_mc_user_highpage() to handle this case and return
> VM_FAULT_HWPOISON for cow fault.
> 
> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
> ---
>  mm/memory.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/mm/memory.c b/mm/memory.c
> index 42674c0748cb..d310c073a1b3 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -5089,7 +5089,10 @@ static vm_fault_t do_cow_fault(struct vm_fault *vmf)
>  	if (ret & VM_FAULT_DONE_COW)
>  		return ret;
>  
> -	copy_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma);
> +	if (copy_mc_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma)) {
> +		ret = VM_FAULT_HWPOISON;
> +		goto uncharge_out;
> +	}

When copy_mc_user_highpage fails, we should have vmf->page locked and hold the extra refcnt
of vmf->page. So we should call unlock_page(vmf->page) and put_page(vmf->page) before goto
uncharge_out?

Thanks.
.

Kefeng Wang Sept. 10, 2024, 2:13 a.m. UTC | #3

On 2024/9/10 9:58, Miaohe Lin wrote:
> On 2024/9/6 10:42, Kefeng Wang wrote:
>> Like commit a873dfe1032a ("mm, hwpoison: try to recover from copy-on
>> write faults"), there is another path which could crash because it does
>> not have recovery code where poison is consumed by the kernel in
>> do_cow_fault(), a crash calltrace shown below on old kernel, but it
>> could be happened in the lastest mainline code,
>>
>>    CPU: 7 PID: 3248 Comm: mpi Kdump: loaded Tainted: G           OE     5.10.0 #1
>>    pc : copy_page+0xc/0xbc
>>    lr : copy_user_highpage+0x50/0x9c
>>    Call trace:
>>      copy_page+0xc/0xbc
>>      do_cow_fault+0x118/0x2bc
>>      do_fault+0x40/0x1a4
>>      handle_pte_fault+0x154/0x230
>>      __handle_mm_fault+0x1a8/0x38c
>>      handle_mm_fault+0xf0/0x250
>>      do_page_fault+0x184/0x454
>>      do_translation_fault+0xac/0xd4
>>      do_mem_abort+0x44/0xbc
>>
>> Fix it by using copy_mc_user_highpage() to handle this case and return
>> VM_FAULT_HWPOISON for cow fault.
>>
>> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
>> ---
>>   mm/memory.c | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index 42674c0748cb..d310c073a1b3 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -5089,7 +5089,10 @@ static vm_fault_t do_cow_fault(struct vm_fault *vmf)
>>   	if (ret & VM_FAULT_DONE_COW)
>>   		return ret;
>>   
>> -	copy_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma);
>> +	if (copy_mc_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma)) {
>> +		ret = VM_FAULT_HWPOISON;
>> +		goto uncharge_out;
>> +	}
> 
> When copy_mc_user_highpage fails, we should have vmf->page locked and hold the extra refcnt
> of vmf->page. So we should call unlock_page(vmf->page) and put_page(vmf->page) before goto
> uncharge_out?
> 

Right, for upstream, we need to more handling for vmf->page, will fix, 
thanks.

> Thanks.
> .

diff --git a/mm/memory.c b/mm/memory.c
index 42674c0748cb..d310c073a1b3 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5089,7 +5089,10 @@  static vm_fault_t do_cow_fault(struct vm_fault *vmf)
 	if (ret & VM_FAULT_DONE_COW)
 		return ret;
 
-	copy_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma);
+	if (copy_mc_user_highpage(vmf->cow_page, vmf->page, vmf->address, vma)) {
+		ret = VM_FAULT_HWPOISON;
+		goto uncharge_out;
+	}
 	__folio_mark_uptodate(folio);
 
 	ret |= finish_fault(vmf);

[1/2] mm: support poison recovery from do_cow_fault()

Commit Message

Comments

Patch