| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Nov 2022 14:20:38 +0100
From: David Hildenbrand <david@...hat.com>
To: Zi Yan <ziy@...dia.com>
Cc: Gavin Shan <gshan@...hat.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
william.kucharski@...cle.com, kirill.shutemov@...ux.intel.com,
zhenyzha@...hat.com, apopple@...dia.com, hughd@...gle.com,
willy@...radead.org, shan.gavin@...il.com,
Huang Ying <ying.huang@...el.com>
Subject: Re: [PATCH v2] mm: migrate: Fix THP's mapcount on isolation
On 24.11.22 13:38, Zi Yan wrote:
>
> On 24 Nov 2022, at 5:43, David Hildenbrand wrote:
>
>> On 24.11.22 11:21, Gavin Shan wrote:
>>> On 11/24/22 6:09 PM, David Hildenbrand wrote:
>>>> On 24.11.22 10:55, Gavin Shan wrote:
>>>>> The issue is reported when removing memory through virtio_mem device.
>>>>> The transparent huge page, experienced copy-on-write fault, is wrongly
>>>>> regarded as pinned. The transparent huge page is escaped from being
>>>>> isolated in isolate_migratepages_block(). The transparent huge page
>>>>> can't be migrated and the corresponding memory block can't be put
>>>>> into offline state.
>>>>>
>>>>> Fix it by replacing page_mapcount() with total_mapcount(). With this,
>>>>> the transparent huge page can be isolated and migrated, and the memory
>>>>> block can be put into offline state. Besides, The page's refcount is
>>>>> increased a bit earlier to avoid the page is released when the check
>>>>> is executed.
>>>>
>>>> Did you look into handling pages that are in the swapcache case as well?
>>>>
>>>> See is_refcount_suitable() in mm/khugepaged.c.
>>>>
>>>> Should be easy to reproduce, let me know if you need inspiration.
>>>>
>>>
>>> Nope, I didn't look into the case. Please elaborate the details so that
>>> I can reproduce it firstly.
>>
>>
>> A simple reproducer would be (on a system with ordinary swap (not zram))
>>
>> 1) mmap a region (MAP_ANON|MAP_PRIVATE) that can hold a THP
>>
>> 2) Enable THP for that region (MADV_HUGEPAGE)
>>
>> 3) Populate a THP (e.g., write access)
>>
>> 4) PTE-map the THP, for example, using MADV_FREE on the last subpage
>>
>> 5) Trigger swapout of the THP, for example, using MADV_PAGEOUT
>
> Added the original THP swapout code author, Ying.
>
> At this step, the THP will be split, right?
>
> https://elixir.bootlin.com/linux/latest/source/mm/vmscan.c#L1786
>
> Even if a THP has PMD mapping, IIRC, it is split in the add_to_swap()
> then swapped out. But I cannot find that split code now.
I recall there was some sequence to achieve it. Maybe it was
swapping out the PMD first and not triggering a PTE-mapping first.
mm/vmscan.c:shrink_folio_list()
if (folio_test_large(folio)) {
/* cannot split folio, skip it */
if (!can_split_folio(folio, NULL))
goto activate_locked;
/*
* Split folios without a PMD map right
* away. Chances are some or all of the
* tail pages can be freed without IO.
*/
if (!folio_entire_mapcount(folio) &&
split_folio_to_list(folio, folio_list))
goto activate_locked;
}
}
So the sequence might have to be
1) mmap a region (MAP_ANON|MAP_PRIVATE) that can hold a THP
2) Enable THP for that region (MADV_HUGEPAGE)
3) Populate a THP (e.g., write access)
4) Trigger swapout of the THP, for example, using MADV_PAGEOUT
5) Access some subpage
As we don't have PMD swap entries, we will PTE-map the
THP during try_to_unmap() IIRC.
Independent of that, the check we have here also doesn't consider
ordinary order-0 pages that might be in the swapache.
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists