Commit 4655e5e5 authored Nov 15, 2019 by Song Liu Committed by Linus Torvalds Nov 15, 2019

mm,thp: recheck each page before collapsing file THP

In collapse_file(), for !is_shmem case, current check cannot guarantee
the locked page is up-to-date.  Specifically, xas_unlock_irq() should
not be called before lock_page() and get_page(); and it is necessary to
recheck PageUptodate() after locking the page.

With this bug and CONFIG_READ_ONLY_THP_FOR_FS=y, madvise(HUGE)'ed .text
may contain corrupted data.  This is because khugepaged mistakenly
collapses some not up-to-date sub pages into a huge page, and assumes
the huge page is up-to-date.  This will NOT corrupt data in the disk,
because the page is read-only and never written back.  Fix this by
properly checking PageUptodate() after locking the page.  This check
replaces "VM_BUG_ON_PAGE(!PageUptodate(page), page);".

Also, move PageDirty() check after locking the page.  Current khugepaged
should not try to collapse dirty file THP, because it is limited to
read-only .text.  The only case we hit a dirty page here is when the
page hasn't been written since write.  Bail out and retry when this
happens.

syzbot reported bug on previous version of this patch.

Link: http://lkml.kernel.org/r/20191106060930.2571389-2-songliubraving@fb.com


Fixes: 99cb0dbd ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Song Liu <songliubraving@fb.com>
Reported-by:  <syzbot+efb9e48b9fbdc49bb34a@syzkaller.appspotmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: William Kucharski <william.kucharski@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent aea4df4c

mm/khugepaged.c

+16 −12

Original line number	Diff line number	Diff line
		@@ -1602,17 +1602,6 @@ static void collapse_file(struct mm_struct *mm,
		result = SCAN_FAIL;
		goto xa_unlocked;
		}
		} else if (!PageUptodate(page)) {
		xas_unlock_irq(&xas);
		wait_on_page_locked(page);
		if (!trylock_page(page)) {
		result = SCAN_PAGE_LOCK;
		goto xa_unlocked;
		}
		get_page(page);
		} else if (PageDirty(page)) {
		result = SCAN_FAIL;
		goto xa_locked;
		} else if (trylock_page(page)) {
		get_page(page);
		xas_unlock_irq(&xas);
		@@ -1627,7 +1616,12 @@ static void collapse_file(struct mm_struct *mm,
		* without racing with truncate.
		*/
		VM_BUG_ON_PAGE(!PageLocked(page), page);
		VM_BUG_ON_PAGE(!PageUptodate(page), page);

		/* make sure the page is up to date */
		if (unlikely(!PageUptodate(page))) {
		result = SCAN_FAIL;
		goto out_unlock;
		}

		/*
		* If file was truncated then extended, or hole-punched, before
		@@ -1643,6 +1637,16 @@ static void collapse_file(struct mm_struct *mm,
		goto out_unlock;
		}

		if (!is_shmem && PageDirty(page)) {
		/*
		* khugepaged only works on read-only fd, so this
		* page is dirty because it hasn't been flushed
		* since first write.
		*/
		result = SCAN_FAIL;
		goto out_unlock;
		}

		if (isolate_lru_page(page)) {
		result = SCAN_DEL_PAGE_LRU;
		goto out_unlock;

Admin message