Re: [PATCH 1/7] mm/memory.c: Fix race when faulting a device private page

[PATCH 0/7] Fix several device private page reference counting issues · Alistair Popple <apopple@nvidia.com> · 2022-09-26
[PATCH 1/7] mm/memory.c: Fix race when faulting a device private page · Alistair Popple <apopple@nvidia.com> · 2022-09-26
Re: [PATCH 1/7] mm/memory.c: Fix race when faulting a device private page · Michael Ellerman <mpe@ellerman.id.au> · 2022-09-29
Re: [PATCH 1/7] mm/memory.c: Fix race when faulting a device private page · Alistair Popple <apopple@nvidia.com> · 2022-09-29
Re: [PATCH 1/7] mm/memory.c: Fix race when faulting a device private page · Michael Ellerman <mpe@ellerman.id.au> · 2022-09-29
[PATCH 2/7] mm: Free device private pages have zero refcount · Alistair Popple <apopple@nvidia.com> · 2022-09-26
Re: [PATCH 2/7] mm: Free device private pages have zero refcount · Jason Gunthorpe <jgg@nvidia.com> · 2022-09-26
Re: [PATCH 2/7] mm: Free device private pages have zero refcount · Alistair Popple <apopple@nvidia.com> · 2022-09-27
Re: [PATCH 2/7] mm: Free device private pages have zero refcount · Dan Williams <hidden> · 2022-09-29
Re: [PATCH 2/7] mm: Free device private pages have zero refcount · Alistair Popple <apopple@nvidia.com> · 2022-09-30
Re: [PATCH 2/7] mm: Free device private pages have zero refcount · Dan Williams <hidden> · 2022-09-30
[PATCH 3/7] mm/migrate_device.c: Refactor migrate_vma and migrate_deivce_coherent_page() · Alistair Popple <apopple@nvidia.com> · 2022-09-26
[PATCH 4/7] mm/migrate_device.c: Add migrate_device_range() · Alistair Popple <apopple@nvidia.com> · 2022-09-26
[PATCH 5/7] nouveau/dmem: Refactor nouveau_dmem_fault_copy_one() · Alistair Popple <apopple@nvidia.com> · 2022-09-26
Re: [PATCH 5/7] nouveau/dmem: Refactor nouveau_dmem_fault_copy_one() · Lyude Paul <lyude@redhat.com> · 2022-09-26
Re: [PATCH 5/7] nouveau/dmem: Refactor nouveau_dmem_fault_copy_one() · Alistair Popple <apopple@nvidia.com> · 2022-09-28
[PATCH 6/7] nouveau/dmem: Evict device private memory during release · Alistair Popple <apopple@nvidia.com> · 2022-09-26
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · kernel test robot <hidden> · 2022-09-26
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Lyude Paul <lyude@redhat.com> · 2022-09-26
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · John Hubbard <jhubbard@nvidia.com> · 2022-09-26
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Alistair Popple <apopple@nvidia.com> · 2022-09-27
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Lyude Paul <lyude@redhat.com> · 2022-09-28
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Felix Kuehling <felix.kuehling@amd.com> · 2022-09-26
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Alistair Popple <apopple@nvidia.com> · 2022-09-27
Re: [PATCH 6/7] nouveau/dmem: Evict device private memory during release · Lyude Paul <lyude@redhat.com> · 2022-09-28
[PATCH 7/7] hmm-tests: Add test for migrate_device_range() · Alistair Popple <apopple@nvidia.com> · 2022-09-26

From: Michael Ellerman <mpe@ellerman.id.au>
Date: 2022-09-29 05:07:35
Also in: amd-gfx, dri-devel, linux-mm, lkml, nouveau

Alistair Popple [off-list ref] writes:

Michael Ellerman [off-list ref] writes:

quoted

Alistair Popple [off-list ref] writes:

quoted

When the CPU tries to access a device private page the migrate_to_ram()
callback associated with the pgmap for the page is called. However no
reference is taken on the faulting page. Therefore a concurrent
migration of the device private page can free the page and possibly the
underlying pgmap. This results in a race which can crash the kernel due
to the migrate_to_ram() function pointer becoming invalid. It also means
drivers can't reliably read the zone_device_data field because the page
may have been freed with memunmap_pages().

Close the race by getting a reference on the page while holding the ptl
to ensure it has not been freed. Unfortunately the elevated reference
count will cause the migration required to handle the fault to fail. To
avoid this failure pass the faulting page into the migrate_vma functions
so that if an elevated reference count is found it can be checked to see
if it's expected or not.

Signed-off-by: Alistair Popple <apopple@nvidia.com>
---
 arch/powerpc/kvm/book3s_hv_uvmem.c       | 15 ++++++-----
 drivers/gpu/drm/amd/amdkfd/kfd_migrate.c | 17 +++++++------
 drivers/gpu/drm/amd/amdkfd/kfd_migrate.h |  2 +-
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c     | 11 +++++---
 include/linux/migrate.h                  |  8 ++++++-
 lib/test_hmm.c                           |  7 ++---
 mm/memory.c                              | 16 +++++++++++-
 mm/migrate.c                             | 34 ++++++++++++++-----------
 mm/migrate_device.c                      | 18 +++++++++----
 9 files changed, 87 insertions(+), 41 deletions(-)

diff --git a/arch/powerpc/kvm/book3s_hv_uvmem.c b/arch/powerpc/kvm/book3s_hv_uvmem.c
index 5980063..d4eacf4 100644
--- a/arch/powerpc/kvm/book3s_hv_uvmem.c
+++ b/arch/powerpc/kvm/book3s_hv_uvmem.c

@@ -508,10 +508,10 @@ unsigned long kvmppc_h_svm_init_start(struct kvm *kvm)

...

quoted

@@ -994,7 +997,7 @@ static vm_fault_t kvmppc_uvmem_migrate_to_ram(struct vm_fault *vmf)

 	if (kvmppc_svm_page_out(vmf->vma, vmf->address,
 				vmf->address + PAGE_SIZE, PAGE_SHIFT,
-				pvt->kvm, pvt->gpa))
+				pvt->kvm, pvt->gpa, vmf->page))
 		return VM_FAULT_SIGBUS;
 	else
 		return 0;

I don't have a UV test system, but as-is it doesn't even compile :)

Ugh, thanks. I did get as far as installing a PPC cross-compiler and
building a kernel. Apparently I did not get as far as enabling
CONFIG_PPC_UV :)

No worries, that's really on us. If we're going to keep the code in the
tree then it should really be enabled in at least one of our defconfigs.

cheers

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help