linux/arch/x86/kernel
Andrea Arcangeli 1a5a9906d4 mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode
In some cases it may happen that pmd_none_or_clear_bad() is called with
the mmap_sem hold in read mode.  In those cases the huge page faults can
allocate hugepmds under pmd_none_or_clear_bad() and that can trigger a
false positive from pmd_bad() that will not like to see a pmd
materializing as trans huge.

It's not khugepaged causing the problem, khugepaged holds the mmap_sem
in write mode (and all those sites must hold the mmap_sem in read mode
to prevent pagetables to go away from under them, during code review it
seems vm86 mode on 32bit kernels requires that too unless it's
restricted to 1 thread per process or UP builds).  The race is only with
the huge pagefaults that can convert a pmd_none() into a
pmd_trans_huge().

Effectively all these pmd_none_or_clear_bad() sites running with
mmap_sem in read mode are somewhat speculative with the page faults, and
the result is always undefined when they run simultaneously.  This is
probably why it wasn't common to run into this.  For example if the
madvise(MADV_DONTNEED) runs zap_page_range() shortly before the page
fault, the hugepage will not be zapped, if the page fault runs first it
will be zapped.

Altering pmd_bad() not to error out if it finds hugepmds won't be enough
to fix this, because zap_pmd_range would then proceed to call
zap_pte_range (which would be incorrect if the pmd become a
pmd_trans_huge()).

The simplest way to fix this is to read the pmd in the local stack
(regardless of what we read, no need of actual CPU barriers, only
compiler barrier needed), and be sure it is not changing under the code
that computes its value.  Even if the real pmd is changing under the
value we hold on the stack, we don't care.  If we actually end up in
zap_pte_range it means the pmd was not none already and it was not huge,
and it can't become huge from under us (khugepaged locking explained
above).

All we need is to enforce that there is no way anymore that in a code
path like below, pmd_trans_huge can be false, but pmd_none_or_clear_bad
can run into a hugepmd.  The overhead of a barrier() is just a compiler
tweak and should not be measurable (I only added it for THP builds).  I
don't exclude different compiler versions may have prevented the race
too by caching the value of *pmd on the stack (that hasn't been
verified, but it wouldn't be impossible considering
pmd_none_or_clear_bad, pmd_bad, pmd_trans_huge, pmd_none are all inlines
and there's no external function called in between pmd_trans_huge and
pmd_none_or_clear_bad).

		if (pmd_trans_huge(*pmd)) {
			if (next-addr != HPAGE_PMD_SIZE) {
				VM_BUG_ON(!rwsem_is_locked(&tlb->mm->mmap_sem));
				split_huge_page_pmd(vma->vm_mm, pmd);
			} else if (zap_huge_pmd(tlb, vma, pmd, addr))
				continue;
			/* fall through */
		}
		if (pmd_none_or_clear_bad(pmd))

Because this race condition could be exercised without special
privileges this was reported in CVE-2012-1179.

The race was identified and fully explained by Ulrich who debugged it.
I'm quoting his accurate explanation below, for reference.

====== start quote =======
      mapcount 0 page_mapcount 1
      kernel BUG at mm/huge_memory.c:1384!

    At some point prior to the panic, a "bad pmd ..." message similar to the
    following is logged on the console:

      mm/memory.c:145: bad pmd ffff8800376e1f98(80000000314000e7).

    The "bad pmd ..." message is logged by pmd_clear_bad() before it clears
    the page's PMD table entry.

        143 void pmd_clear_bad(pmd_t *pmd)
        144 {
    ->  145         pmd_ERROR(*pmd);
        146         pmd_clear(pmd);
        147 }

    After the PMD table entry has been cleared, there is an inconsistency
    between the actual number of PMD table entries that are mapping the page
    and the page's map count (_mapcount field in struct page). When the page
    is subsequently reclaimed, __split_huge_page() detects this inconsistency.

       1381         if (mapcount != page_mapcount(page))
       1382                 printk(KERN_ERR "mapcount %d page_mapcount %d\n",
       1383                        mapcount, page_mapcount(page));
    -> 1384         BUG_ON(mapcount != page_mapcount(page));

    The root cause of the problem is a race of two threads in a multithreaded
    process. Thread B incurs a page fault on a virtual address that has never
    been accessed (PMD entry is zero) while Thread A is executing an madvise()
    system call on a virtual address within the same 2 MB (huge page) range.

               virtual address space
              .---------------------.
              |                     |
              |                     |
            .-|---------------------|
            | |                     |
            | |                     |<-- B(fault)
            | |                     |
      2 MB  | |/////////////////////|-.
      huge <  |/////////////////////|  > A(range)
      page  | |/////////////////////|-'
            | |                     |
            | |                     |
            '-|---------------------|
              |                     |
              |                     |
              '---------------------'

    - Thread A is executing an madvise(..., MADV_DONTNEED) system call
      on the virtual address range "A(range)" shown in the picture.

    sys_madvise
      // Acquire the semaphore in shared mode.
      down_read(&current->mm->mmap_sem)
      ...
      madvise_vma
        switch (behavior)
        case MADV_DONTNEED:
             madvise_dontneed
               zap_page_range
                 unmap_vmas
                   unmap_page_range
                     zap_pud_range
                       zap_pmd_range
                         //
                         // Assume that this huge page has never been accessed.
                         // I.e. content of the PMD entry is zero (not mapped).
                         //
                         if (pmd_trans_huge(*pmd)) {
                             // We don't get here due to the above assumption.
                         }
                         //
                         // Assume that Thread B incurred a page fault and
             .---------> // sneaks in here as shown below.
             |           //
             |           if (pmd_none_or_clear_bad(pmd))
             |               {
             |                 if (unlikely(pmd_bad(*pmd)))
             |                     pmd_clear_bad
             |                     {
             |                       pmd_ERROR
             |                         // Log "bad pmd ..." message here.
             |                       pmd_clear
             |                         // Clear the page's PMD entry.
             |                         // Thread B incremented the map count
             |                         // in page_add_new_anon_rmap(), but
             |                         // now the page is no longer mapped
             |                         // by a PMD entry (-> inconsistency).
             |                     }
             |               }
             |
             v
    - Thread B is handling a page fault on virtual address "B(fault)" shown
      in the picture.

    ...
    do_page_fault
      __do_page_fault
        // Acquire the semaphore in shared mode.
        down_read_trylock(&mm->mmap_sem)
        ...
        handle_mm_fault
          if (pmd_none(*pmd) && transparent_hugepage_enabled(vma))
              // We get here due to the above assumption (PMD entry is zero).
              do_huge_pmd_anonymous_page
                alloc_hugepage_vma
                  // Allocate a new transparent huge page here.
                ...
                __do_huge_pmd_anonymous_page
                  ...
                  spin_lock(&mm->page_table_lock)
                  ...
                  page_add_new_anon_rmap
                    // Here we increment the page's map count (starts at -1).
                    atomic_set(&page->_mapcount, 0)
                  set_pmd_at
                    // Here we set the page's PMD entry which will be cleared
                    // when Thread A calls pmd_clear_bad().
                  ...
                  spin_unlock(&mm->page_table_lock)

    The mmap_sem does not prevent the race because both threads are acquiring
    it in shared mode (down_read).  Thread B holds the page_table_lock while
    the page's map count and PMD table entry are updated.  However, Thread A
    does not synchronize on that lock.

====== end quote =======

[akpm@linux-foundation.org: checkpatch fixes]
Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Dave Jones <davej@redhat.com>
Acked-by: Larry Woodman <lwoodman@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: <stable@vger.kernel.org>		[2.6.38+]
Cc: Mark Salter <msalter@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-21 17:54:54 -07:00
..
acpi x86, acpi: Skip acpi x2apic entries if the x2apic feature is not present 2011-12-23 11:00:50 -08:00
apic x86, UV: Update Boot messages for SGI UV2 platform 2012-01-08 12:35:44 +01:00
cpu driver core merge for 3.4-rc1 2012-03-20 11:16:20 -07:00
.gitignore
alternative.c x86: Call stop_machine_text_poke() on all CPUs 2011-11-14 13:05:15 +01:00
amd_gart_64.c doc: fix broken references 2011-09-27 18:08:04 +02:00
amd_nb.c Merge branch 'linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci 2012-01-11 18:50:26 -08:00
apb_timer.c Merge branch 'timers-clocksource-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2011-07-23 10:34:47 -07:00
aperture_64.c memblock, x86: Replace memblock_x86_reserve/free_range() with generic ones 2011-07-14 11:47:53 -07:00
apm_32.c PM / Sleep: Introduce "late suspend" and "early resume" of devices 2012-01-29 20:38:29 +01:00
asm-offsets.c x86, efi: EFI boot stub support 2011-12-12 14:26:10 -08:00
asm-offsets_32.c x86: Generate system call tables and unistd_*.h from tables 2011-11-17 13:35:37 -08:00
asm-offsets_64.c x86: Generate system call tables and unistd_*.h from tables 2011-11-17 13:35:37 -08:00
audit_64.c
bootflag.c
check.c memblock, x86: Replace memblock_x86_reserve/free_range() with generic ones 2011-07-14 11:47:53 -07:00
cpuid.c CPU: Introduce ARCH_HAS_CPU_AUTOPROBE and X86 parts 2012-01-26 16:49:08 -08:00
crash.c x86, nmi: Wire up NMI handlers to new routines 2011-10-10 06:56:57 +02:00
crash_dump_32.c x86: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:15 +08:00
crash_dump_64.c crash_dump: export is_kdump_kernel to modules, consolidate elfcorehdr_addr, setup_elfcorehdr and saved_max_pfn 2011-03-23 19:47:19 -07:00
devicetree.c irq_domain/x86: Convert x86 (embedded) to use common irq_domain 2012-02-23 14:37:47 -07:00
doublefault_32.c
dumpstack.c bugs, x86: Fix printk levels for panic, softlockups and stack dumps 2012-01-26 21:28:45 +01:00
dumpstack_32.c x86, dumpstack: Fix code bytes breakage due to missing KERN_CONT 2011-12-19 13:09:56 -08:00
dumpstack_64.c Merge branches 'core-urgent-for-linus', 'perf-urgent-for-linus', 'sched-urgent-for-linus' and 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-02-02 11:11:13 -08:00
e820.c Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux 2012-01-18 15:51:48 -08:00
early-quirks.c x86, quirk: Fix SB600 revision check 2011-03-16 14:03:32 +01:00
early_printk.c Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-01-11 19:13:40 -08:00
entry_32.S Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit 2012-01-17 16:41:31 -08:00
entry_64.S x86: Specify a size for the cmp in the NMI handler 2012-02-20 19:45:26 -05:00
ftrace.c x86/ftrace: Fix compiler warning in ftrace.c 2011-05-25 19:56:26 -04:00
head.c memblock, x86: Replace memblock_x86_reserve/free_range() with generic ones 2011-07-14 11:47:53 -07:00
head32.c memblock: Kill memblock_init() 2011-12-08 10:22:07 -08:00
head64.c memblock: Kill memblock_init() 2011-12-08 10:22:07 -08:00
head_32.S Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2011-03-15 20:01:36 -07:00
head_64.S x86: Keep current stack in NMI breakpoints 2011-12-21 15:38:55 -05:00
hpet.c Merge branch 'driver-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core 2012-01-07 12:03:30 -08:00
hw_breakpoint.c
i386_ksyms_32.c
i387.c treewide: fix potentially dangerous trailing ';' in #defined values/expressions 2011-07-21 14:10:00 +02:00
i8237.c x86: Use syscore_ops instead of sysdev classes and sysdevs 2011-03-23 22:15:54 +01:00
i8253.c x86: Use common i8253 clockevent 2011-07-01 10:37:14 +02:00
i8259.c atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
init_task.c
io_delay.c
ioport.c
irq.c Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-01-06 13:58:21 -08:00
irq_32.c x86-32/irq: Don't switch to irq stack for a user-mode irq 2012-02-20 09:30:18 +01:00
irq_64.c x86: Add stack top margin for stack overflow checking 2011-12-07 09:27:11 +01:00
irq_work.c
irqinit.c driver-core: remove sysdev.h usage. 2011-12-21 16:26:03 -08:00
jump_label.c jump_label, x86: Fix section mismatch 2011-12-06 20:41:02 +01:00
kdebugfs.c
kgdb.c x86, nmi: Wire up NMI handlers to new routines 2011-10-10 06:56:57 +02:00
kprobes-common.h x86/kprobes: Split out optprobe related code to kprobes-opt.c 2012-03-06 09:49:49 +01:00
kprobes-opt.c x86/kprobes: Split out optprobe related code to kprobes-opt.c 2012-03-06 09:49:49 +01:00
kprobes.c x86/kprobes: Split out optprobe related code to kprobes-opt.c 2012-03-06 09:49:49 +01:00
kvm.c static keys: Introduce 'struct static_key', static_key_true()/false() and static_key_slow_[inc|dec]() 2012-02-24 10:05:59 +01:00
kvmclock.c KVM guest: prevent tracing recursion with kvmclock 2011-11-20 10:53:48 +02:00
ldt.c
machine_kexec_32.c
machine_kexec_64.c
Makefile x86/kprobes: Split out optprobe related code to kprobes-opt.c 2012-03-06 09:49:49 +01:00
mca_32.c x86: Fix common misspellings 2011-03-18 10:39:30 +01:00
microcode_amd.c x86/microcode: Remove noisy AMD microcode warning 2012-02-07 10:53:42 +01:00
microcode_core.c x86: autoload microcode driver on Intel and AMD systems v2 2012-01-26 16:49:07 -08:00
microcode_intel.c x86, intel: Output microcode revision in /proc/cpuinfo 2011-10-14 13:16:35 +02:00
mmconf-fam10h_64.c
module.c modules: make arch's use default loader hooks 2011-07-24 22:06:04 +09:30
mpparse.c Merge branch 'memblock-kill-early_node_map' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/misc into core/memblock 2011-12-20 12:14:26 +01:00
msr.c switch device_get_devnode() and ->devnode() to umode_t * 2012-01-03 22:54:55 -05:00
nmi.c x86: Allow NMIs to hit breakpoints in i386 2011-12-21 15:38:55 -05:00
nmi_selftest.c x86, NMI: Add to_cpumask() to silence compile warning 2011-12-07 23:26:57 +01:00
paravirt-spinlocks.c
paravirt.c static keys: Introduce 'struct static_key', static_key_true()/false() and static_key_slow_[inc|dec]() 2012-02-24 10:05:59 +01:00
paravirt_patch_32.c
paravirt_patch_64.c
pci-calgary_64.c treewide: Convert uses of struct resource to resource_size(ptr) 2011-06-10 14:55:36 +02:00
pci-dma.c iommu: Add option to group multi-function devices 2011-11-15 12:22:31 +01:00
pci-iommu_table.c arch/x86/kernel/pci-iommu_table.c: Convert sprintf_symbol to %pS 2011-05-10 10:21:35 +02:00
pci-nommu.c
pci-swiotlb.c
pcspeaker.c
probe_roms.c x86: Fix files explicitly requiring export.h for EXPORT_SYMBOL/THIS_MODULE 2011-10-31 19:30:35 -04:00
process.c x86/tracing: Denote the power and cpuidle tracepoints as _rcuidle() 2012-02-13 09:14:43 -05:00
process_32.c sched/rt: Use schedule_preempt_disabled() 2012-03-01 10:28:03 +01:00
process_64.c sched/rt: Use schedule_preempt_disabled() 2012-03-01 10:28:03 +01:00
ptrace.c audit: inline audit_syscall_entry to reduce burden on archs 2012-01-17 16:16:56 -05:00
pvclock.c
quirks.c x86, amd: Fix up numa_node information for AMD CPU family 15h model 0-0fh northbridge functions 2011-12-05 18:13:11 +01:00
reboot.c x86/reboot: Remove VersaLogic Menlow reboot quirk 2012-01-30 10:52:33 +01:00
reboot_32.S x86, reboot: Fix relocations in reboot_32.S 2011-05-02 14:44:46 -07:00
reboot_fixups_32.c
relocate_kernel_32.S kexec, x86: Fix incorrect jump back address if not preserving context 2011-07-21 11:19:28 +02:00
relocate_kernel_64.S kexec, x86: Fix incorrect jump back address if not preserving context 2011-07-21 11:19:28 +02:00
resource.c
rtc.c x86/rtc, mrst: Don't register a platform RTC device for for Intel MID platforms 2011-12-05 17:09:21 +01:00
setup.c Merge branch 'x86-efi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-01-11 19:12:33 -08:00
setup_percpu.c
signal.c signal: add block_sigmask() for adding sigmask to current->blocked 2012-01-10 16:30:54 -08:00
smp.c x86, reboot: Fix typo in nmi reboot path 2012-01-07 12:19:37 +01:00
smpboot.c sched: Cleanup cpu_active madness 2012-03-12 20:43:15 +01:00
stacktrace.c x86: Swap save_stack_trace_regs parameters 2011-06-14 22:48:51 -04:00
step.c x86-64: Add user_64bit_mode paravirt op 2011-08-04 16:13:49 -07:00
sys_i386_32.c
sys_x86_64.c x86, amd: Include linux/elf.h since we use stuff from asm/elf.h 2011-09-28 10:34:31 +02:00
syscall_32.c x86, syscall: Re-fix typo in comment 2011-11-18 16:25:07 -08:00
syscall_64.c x86: Generate system call tables and unistd_*.h from tables 2011-11-17 13:35:37 -08:00
tboot.c x86: Fix files explicitly requiring export.h for EXPORT_SYMBOL/THIS_MODULE 2011-10-31 19:30:35 -04:00
tce_64.c
test_nx.c x86: Eliminate various 'set but not used' warnings 2011-05-21 19:10:33 +02:00
test_rodata.c
time.c x86/time: Eliminate unused irq0_irqs counter 2012-02-27 08:46:25 +01:00
tls.c
tls.h
topology.c x86: Fix files explicitly requiring export.h for EXPORT_SYMBOL/THIS_MODULE 2011-10-31 19:30:35 -04:00
trampoline.c memblock, x86: Replace memblock_x86_reserve/free_range() with generic ones 2011-07-14 11:47:53 -07:00
trampoline_32.S
trampoline_64.S
traps.c i387: use 'restore_fpu_checking()' directly in task switching code 2012-02-20 10:58:28 -08:00
tsc.c sched/x86: Fix overflow in cyc2ns_offset 2012-03-13 16:27:51 +01:00
tsc_sync.c x86/tsc: Reduce the TSC sync check time for core-siblings 2012-02-22 11:49:40 +01:00
verify_cpu.S x86: Fix common misspellings 2011-03-18 10:39:30 +01:00
vm86_32.c mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode 2012-03-21 17:54:54 -07:00
vmlinux.lds.S x86-64: Rework vsyscall emulation and add vsyscall= parameter 2011-08-10 19:26:46 -05:00
vsmp_64.c
vsyscall_64.c x86: Default to vsyscall=emulate 2011-12-05 12:17:29 +01:00
vsyscall_emu_64.S x86-64: Rework vsyscall emulation and add vsyscall= parameter 2011-08-10 19:26:46 -05:00
vsyscall_trace.h x86-64: Add vsyscall:emulate_vsyscall trace event 2011-08-04 16:13:53 -07:00
x86_init.c Merge branch 'linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci 2012-01-11 18:50:26 -08:00
x8664_ksyms_64.c
xsave.c i387: move TS_USEDFPU flag from thread_info to task_struct 2012-02-18 10:19:41 -08:00