lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3a3f6f69-f0f4-41a0-b960-e76423fb6dc9@lucifer.local>
Date: Thu, 12 Jun 2025 14:07:23 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: David Hildenbrand <david@...hat.com>
Cc: Baolin Wang <baolin.wang@...ux.alibaba.com>, akpm@...ux-foundation.org,
        hughd@...gle.com, Liam.Howlett@...cle.com, npache@...hat.com,
        ryan.roberts@....com, dev.jain@....com, ziy@...dia.com,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/2] mm: huge_memory: disallow hugepages if the
 system-wide THP sysfs settings are disabled

On Thu, Jun 12, 2025 at 10:51:17AM +0200, David Hildenbrand wrote:
> On 12.06.25 09:51, Baolin Wang wrote:
> >
> >
> > On 2025/6/11 20:34, David Hildenbrand wrote:
> > > On 05.06.25 10:00, Baolin Wang wrote:
> > > > The MADV_COLLAPSE will ignore the system-wide Anon THP sysfs settings,
> > > > which
> > > > means that even though we have disabled the Anon THP configuration,
> > > > MADV_COLLAPSE
> > > > will still attempt to collapse into a Anon THP. This violates the rule
> > > > we have
> > > > agreed upon: never means never.
> > > >
> > > > Another rule for madvise, referring to David's suggestion: “allowing
> > > > for collapsing
> > > > in a VM without VM_HUGEPAGE in the "madvise" mode would be fine".
> > > >
> > > > To address this issue, should check whether the Anon THP configuration
> > > > is disabled
> > > > in thp_vma_allowable_orders(), even when the TVA_ENFORCE_SYSFS flag is
> > > > set.
> > > >
> > > > In summary, the current strategy is:
> > > >
> > > > 1. If always & orders == 0, and madvise & orders == 0, and
> > > > hugepage_global_enabled() == false
> > > > (global THP settings are not enabled), it means mTHP of that orders
> > > > are prohibited
> > > > from being used, then madvise_collapse() is forbidden for that orders.
> > > >
> > > > 2. If always & orders == 0, and madvise & orders == 0, and
> > > > hugepage_global_enabled() == true
> > > > (global THP settings are enabled), and inherit & orders == 0, it means
> > > > mTHP of that
> > > > orders are still prohibited from being used, thus madvise_collapse()
> > > > is not allowed
> > > > for that orders.
> > > >
> > > > Reviewed-by: Zi Yan <ziy@...dia.com>
> > > > Signed-off-by: Baolin Wang <baolin.wang@...ux.alibaba.com>
> > > > ---
> > > >    include/linux/huge_mm.h | 23 +++++++++++++++++++----
> > > >    1 file changed, 19 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
> > > > index 2f190c90192d..199ddc9f04a1 100644
> > > > --- a/include/linux/huge_mm.h
> > > > +++ b/include/linux/huge_mm.h
> > > > @@ -287,20 +287,35 @@ unsigned long thp_vma_allowable_orders(struct
> > > > vm_area_struct *vma,
> > > >                           unsigned long orders)
> > > >    {
> > > >        /* Optimization to check if required orders are enabled early. */
> > > > -    if ((tva_flags & TVA_ENFORCE_SYSFS) && vma_is_anonymous(vma)) {
> > > > -        unsigned long mask = READ_ONCE(huge_anon_orders_always);
> > > > +    if (vma_is_anonymous(vma)) {
> > > > +        unsigned long always = READ_ONCE(huge_anon_orders_always);
> > > > +        unsigned long madvise = READ_ONCE(huge_anon_orders_madvise);
> > > > +        unsigned long inherit = READ_ONCE(huge_anon_orders_inherit);
> > > > +        unsigned long mask = always | madvise;
> > > > +
> > > > +        /*
> > > > +         * If the system-wide THP/mTHP sysfs settings are disabled,
> > > > +         * then we should never allow hugepages.
> > >   > +         */> +        if (!(mask & orders) &&
> > > !(hugepage_global_enabled() && (inherit & orders)))
> > > > +            return 0;
> > >
> > > I'm still trying to digest that. Isn't there a way for us to work with
> > > the orders,
> > > essentially masking off all orders that are forbidden globally. Similar
> > > to below, if !orders, then return 0?
> > > /* Orders disabled directly. */
> > > orders &= ~TODO;
> > > /* Orders disabled by inheriting from the global toggle. */
> > > if (!hugepage_global_enabled())
> > >       orders &= ~READ_ONCE(huge_anon_orders_inherit);
> > >
> > > TODO is probably a -1ULL and then clearing always/madvise/inherit. Could
> > > add a simple helper for that
> > >
> > > huge_anon_orders_never
> >
> > I followed Lorenzo's suggestion to simplify the logic. Does that look
> > more readable?
> >
> > diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
> > index 2f190c90192d..3087ac7631e0 100644
> > --- a/include/linux/huge_mm.h
> > +++ b/include/linux/huge_mm.h
> > @@ -265,6 +265,43 @@ unsigned long __thp_vma_allowable_orders(struct
> > vm_area_struct *vma,
> >                                            unsigned long tva_flags,
> >                                            unsigned long orders);
> >
> > +/* Strictly mask requested anonymous orders according to sysfs settings. */
> > +static inline unsigned long __thp_mask_anon_orders(unsigned long vm_flags,
> > +                               unsigned long tva_flags, unsigned long
> > orders)
> > +{
> > +       unsigned long always = READ_ONCE(huge_anon_orders_always);
> > +       unsigned long madvise = READ_ONCE(huge_anon_orders_madvise);
> > +       unsigned long inherit = READ_ONCE(huge_anon_orders_inherit);
> > +       bool inherit_enabled = hugepage_global_enabled();
> > +       bool has_madvise =  vm_flags & VM_HUGEPAGE;
> > +       unsigned long mask = always | madvise;
> > +
> > +       mask = always | madvise;
> > +       if (inherit_enabled)
> > +               mask |= inherit;
> > +
> > +       /* All set to/inherit NEVER - never means never globally, abort. */
> > +       if (!(mask & orders))
> > +               return 0;
>
> Still confusing. I am not sure if we would properly catch when someone
> specifies e.g., 2M and 1M, while we only have 2M disabled.

I did wonder if we should call 'orders' something like 'requested_orders'
or something.

This check is always against the input orders which we might conceivably
want.

For instance in madvise_collapse():

	if (!thp_vma_allowable_order(vma, vma->vm_flags, 0, PMD_ORDER))
		return -EINVAL;

I don't think, if it's only possible for PMD order collapse, and that is
disabled, but mTHP 64 KB let's say is enabled, it'd be fine for
MADV_COLLAPSE to succeed at the PMD order.


>
>
> I would rewrite the function to only ever substract from "orders".

Hm.

>
> ...
>
> /* Disallow orders that are set to NEVER directly ... */
> order &= (always | madvise | inherit);
       ^s

I think you mean (always | madvise) here.

>
> /* ... or through inheritance. */
> if (inherit_enabled)
> 	orders &= ~inherit;

order & (inherit & ~inherit) is going to always be zero :)

So this should be

orders &= inherit.

The problem is, when you come to the next stage where you are done checking
the 'are we in a NEVER situation regardless of TVA_ENFORCE_SYSFS' you've
now corrupted orders.

Because you've included inherit even if !(tva_flags & TVA_ENFORCE_SYSFS).

And there's no way to recover that information.

>
> /*
>  * Otherwise, we only enforce sysfs settings if asked. In addition,
>  * if the user sets a sysfs mode of madvise and if TVA_ENFORCE_SYSFS
>  * is not set, we don't bother checking whether the VMA has VM_HUGEPAGE
>  * set.
>  */
> if (!orders || !(tva_flags & TVA_ENFORCE_SYSFS))
> 	return orders;

I don't think this is much delta to what we have now.

I do wonder if we should return mask & orders here, actually, to account
for the fact that, in theory, orders could set > PMD for
!TVA_ENFORCE_SYSFS) (not currently the case).

>
> > +
> > +       /*
> > +        * Otherwise, we only enforce sysfs settings if asked. In addition,
> > +        * if the user sets a sysfs mode of madvise and if TVA_ENFORCE_SYSFS
> > +        * is not set, we don't bother checking whether the VMA has
> > VM_HUGEPAGE
> > +        * set.
> > +        */
> > +       if (!(tva_flags & TVA_ENFORCE_SYSFS))
> > +               return orders;
> > +
> > +       mask = always;
> > +       if (has_madvise)
> > +               mask |= madvise;
> > +       if (hugepage_global_always() || (has_madvise && inherit_enabled))
> > +               mask |= inherit;
>
> Similarly, this can maybe become (not 100% sure if I got it right, the
> condition above is confusing)
>
> if (!has_madvise) {
> 	/*
> 	 * Without VM_HUGEPAGE, only allow orders that are set to
> 	 * ALWAYS directly ...
> 	  */
> 	order &= (always | inherit);

Obviously orders is corrupted at this point so this won't work, but I'm not
sure this is right?

If no madvise, only then obey always/inherit? Hm?


> 	/* ... or through inheritance. */
> 	if (!hugepage_global_always())
> 		orders &= ~inherit;

I'm not sure about this ~inherit again, that means we ignore inherit no?

> }

And we need a branch for madvise too no?

I think all of this is a _clear_ example of what a mess all this is.

I think we need a deeper refactor, but I think my suggested changes make at
least what we have here less horrid to get through.

I think maybe a better refactoring that's in the spirit of this is:

if (has_madvise) {
	mask |= madvise;
	if (inherit_enabled)
		mask |= inherit;
} else if (hugepage_global_always()) {
	mask |= inherit;
}

What do you think?

>
> --
> Cheers,
>
> David / dhildenb
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ