mm: fix race between mremap and removing migration entry

Hugh Dickins · torvalds · commit 486cf46f3f9b · 2011-10-19T23:42:58.000-07:00
I don't usually pay much attention to the stale "? " addresses in
stack backtraces, but this lucky report from Pawel Sikora hints that
mremap's move_ptes() has inadequate locking against page migration.

 3.0 BUG_ON(!PageLocked(p)) in migration_entry_to_page():
 kernel BUG at include/linux/swapops.h:105!
 RIP: 0010:[&lt;ffffffff81127b76&gt;]  [&lt;ffffffff81127b76&gt;]
                       migration_entry_wait+0x156/0x160
  [&lt;ffffffff811016a1&gt;] handle_pte_fault+0xae1/0xaf0
  [&lt;ffffffff810feee2&gt;] ? __pte_alloc+0x42/0x120
  [&lt;ffffffff8112c26b&gt;] ? do_huge_pmd_anonymous_page+0xab/0x310
  [&lt;ffffffff81102a31&gt;] handle_mm_fault+0x181/0x310
  [&lt;ffffffff81106097&gt;] ? vma_adjust+0x537/0x570
  [&lt;ffffffff81424bed&gt;] do_page_fault+0x11d/0x4e0
  [&lt;ffffffff81109a05&gt;] ? do_mremap+0x2d5/0x570
  [&lt;ffffffff81421d5f&gt;] page_fault+0x1f/0x30

mremap's down_write of mmap_sem, together with i_mmap_mutex or lock,
and pagetable locks, were good enough before page migration (with its
requirement that every migration entry be found) came in, and enough
while migration always held mmap_sem; but not enough nowadays, when
there's memory hotremove and compaction.

The danger is that move_ptes() lets a migration entry dodge around
behind remove_migration_pte()'s back, so it's in the old location when
looking at the new, then in the new location when looking at the old.

Either mremap's move_ptes() must additionally take anon_vma lock(), or
migration's remove_migration_pte() must stop peeking for is_swap_entry()
before it takes pagetable lock.

Consensus chooses the latter: we prefer to add overhead to migration
than to mremapping, which gets used by JVMs and by exec stack setup.

Reported-and-tested-by: Paweł Sikora &lt;pluto@agmk.net&gt;
Signed-off-by: Hugh Dickins &lt;hughd@google.com&gt;
Acked-by: Andrea Arcangeli &lt;aarcange@redhat.com&gt;
Acked-by: Mel Gorman &lt;mgorman@suse.de&gt;
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/mm/migrate.c b/mm/migrate.c
@@ -120,10 +120,10 @@ static int remove_migration_pte(struct page *new, struct vm_area_struct *vma,
 
 		ptep = pte_offset_map(pmd, addr);
 
-		if (!is_swap_pte(*ptep)) {
-			pte_unmap(ptep);
-			goto out;
-		}
+		/*
+		 * Peek to check is_swap_pte() before taking ptlock?  No, we
+		 * can race mremap's move_ptes(), which skips anon_vma lock.
+		 */
 
 		ptl = pte_lockptr(mm, pmd);
 	}
