Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding

[RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-07
[RFC PATCH v2 3/3] mm: make generic pXd_addr_end() macros inline functions · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-07
Re: [RFC PATCH v2 3/3] mm: make generic pXd_addr_end() macros inline functions · Mike Rapoport <rppt@kernel.org> · 2020-09-07
Re: [RFC PATCH v2 3/3] mm: make generic pXd_addr_end() macros inline functions · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 3/3] mm: make generic pXd_addr_end() macros inline functions · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 3/3] mm: make generic pXd_addr_end() macros inline functions · Christophe Leroy <hidden> · 2020-09-08
[RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-07
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Christian Borntraeger <hidden> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Dave Hansen <hidden> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-09
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Dave Hansen <hidden> · 2020-09-09
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-09
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-09
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Linus Torvalds <torvalds@linux-foundation.org> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Linus Torvalds <torvalds@linux-foundation.org> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Linus Torvalds <torvalds@linux-foundation.org> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · peterz@infradead.org · 2020-09-11
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-11
[PATCH] mm/gup: fix gup_fast with dynamic page table folding · Vasily Gorbik <gor@linux.ibm.com> · 2020-09-11
Re: [PATCH] mm/gup: fix gup_fast with dynamic page table folding · Linus Torvalds <torvalds@linux-foundation.org> · 2020-09-11
Re: [PATCH] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-11
Re: [PATCH] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-11
[PATCH v2] mm/gup: fix gup_fast with dynamic page table folding · Vasily Gorbik <gor@linux.ibm.com> · 2020-09-11
Re: [PATCH v2] mm/gup: fix gup_fast with dynamic page table folding · Mike Rapoport <rppt@kernel.org> · 2020-09-15
Re: [PATCH v2] mm/gup: fix gup_fast with dynamic page table folding · John Hubbard <jhubbard@nvidia.com> · 2020-09-15
Re: [PATCH v2] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-15
Re: [PATCH v2] mm/gup: fix gup_fast with dynamic page table folding · Vasily Gorbik <gor@linux.ibm.com> · 2020-09-15
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · John Hubbard <jhubbard@nvidia.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · John Hubbard <jhubbard@nvidia.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-11
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Linus Torvalds <torvalds@linux-foundation.org> · 2020-09-11
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-10
Re: [RFC PATCH v2 1/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-10
[RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-07
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Christophe Leroy <hidden> · 2020-09-09
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Alexander Gordeev <agordeev@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Dave Hansen <hidden> · 2020-09-08
Re: [RFC PATCH v2 2/3] mm: make pXd_addr_end() functions page-table entry aware · Jason Gunthorpe <jgg@ziepe.ca> · 2020-09-08
Re: [RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Mike Rapoport <rppt@kernel.org> · 2020-09-07
Re: [RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Christophe Leroy <hidden> · 2020-09-08
Re: [RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-08
Re: [RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Gerald Schaefer <gerald.schaefer@linux.ibm.com> · 2020-09-09
Re: [RFC PATCH v2 0/3] mm/gup: fix gup_fast with dynamic page table folding · Christophe Leroy <hidden> · 2020-09-08

From: Jason Gunthorpe <jgg@ziepe.ca>
Date: 2020-09-10 22:11:28
Also in: linux-arch, linux-arm-kernel, linux-mm, linux-s390, linux-um, lkml, sparclinux

On Thu, Sep 10, 2020 at 02:22:37PM -0700, John Hubbard wrote:

Or am I way off here, and it really is possible (aside from the current
s390 situation) to observe something that "is no longer a page table"?

Yes, that is the issue. Remember there is no locking for GUP
fast. While a page table cannot be freed there is nothing preventing
the page table entry from being concurrently modified.

Without the stack variable it looks like this:

       pud_t pud = READ_ONCE(*pudp);
       if (!pud_present(pud))
            return
       pmd_offset(pudp, address);

And pmd_offset() expands to

    return (pmd_t *)pud_page_vaddr(*pud) + pmd_index(address);

Between the READ_ONCE(*pudp) and (*pud) inside pmd_offset() the value
of *pud can change, eg to !pud_present.

Then pud_page_vaddr(*pud) will crash. It is not use after free, it
is using data that has not been validated.

Jason

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help