Date: Thu, 27 May 2021 17:46:49 -0700
Message-Id: <20210528004649.85298-1-almasrymina@google.com>
Subject: [PATCH v4] mm, hugetlb: Fix simple resv_huge_pages underflow on UFFDIO_COPY
From: Mina Almasry
Cc: Mina Almasry, Axel Rasmussen, Peter Xu, linux-mm@kvack.org, Mike Kravetz, Andrew Morton, linux-kernel@vger.kernel.org, stable@vger.kernel.org

The userfaultfd hugetlb tests detect a resv_huge_pages underflow. This
happens when hugetlb_mcopy_atomic_pte() is called with !is_continue on
an index for which we already have a page in the cache. When this
happens, we allocate a second page, double consuming the reservation,
and then fail to insert the page into the cache and return -EEXIST.

To fix this, we first check if there exists a page in the cache which
already consumed the reservation, and return -EEXIST immediately if so.

There is still a rare condition where we fail to copy the page contents
AND race with a call for hugetlb_no_page() for this index and again we
will underflow resv_huge_pages. That is fixed in a more complicated
patch not targeted for -stable.

Test:
Hacked the code locally such that resv_huge_pages underflows produce a
warning, then:

./tools/testing/selftests/vm/userfaultfd hugetlb_shared 10 2 /tmp/kokonut_test/huge/userfaultfd_test && echo test success
./tools/testing/selftests/vm/userfaultfd hugetlb 10 2 /tmp/kokonut_test/huge/userfaultfd_test && echo test success

Both tests succeed and produce no warnings. After the test runs, the
number of free/resv hugepages is correct.

Signed-off-by: Mina Almasry Cc: Axel Rasmussen Cc: Peter Xu Cc: linux-mm@kvack.org Cc: Mike Kravetz Cc: Andrew Morton Cc: linux-mm@kvack.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org --- mm/hugetlb.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index ead5d12e0604..76e2a6efc165 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -4925,10 +4925,20 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_= mm, if (!page) goto out; } else if (!*pagep) { - ret =3D -ENOMEM; + /* If a page already exists, then it's UFFDIO_COPY for + * a non-missing case. Return -EEXIST. + */ + if (vm_shared && + hugetlbfs_pagecache_present(h, dst_vma, dst_addr)) { + ret =3D -EEXIST; + goto out; + } + page =3D alloc_huge_page(dst_vma, dst_addr, 0); - if (IS_ERR(page)) + if (IS_ERR(page)) { + ret =3D -ENOMEM; goto out; + } ret =3D copy_huge_page_from_user(page, (const void __user *) src_addr, -- 2.32.0.rc0.204.g9fa02ecfa5-goog
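
Review bot: The new early return in the `else if (!*pagep)` branch is gated on `vm_shared`, but neither the added comment nor the commit message says why a private mapping is exempt from the `hugetlbfs_pagecache_present()` check; the commit message describes the underflow only as "an index for which we already have a page in the cache". Please extend the comment to state that reasoning, so a later reader does not drop or widen the condition by accident. On style, the block comment starts its text on the `/*` line; for multi-line comments in mm/ the usual kernel form puts `/*` on a line of its own. Moving `ret = -ENOMEM` into the `IS_ERR(page)` branch reads fine, since the following `ret = copy_huge_page_from_user(...)` assigns `ret` on the success path; if the error code from `alloc_huge_page()` is meaningful to callers, consider whether `PTR_ERR(page)` would be more accurate than a fixed `-ENOMEM`, or note in the commit message that the fixed value is kept deliberately.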