Revision e2093926a098a8ccf0f1d10f6df8dad452cb28d3 authored by Ross Zwisler on 02 June 2017, 21:46:37 UTC, committed by Linus Torvalds on 02 June 2017, 22:07:37 UTC
We currently have two related PMD vs PTE races in the DAX code. These
can both be easily triggered by having two threads reading and writing
simultaneously to the same private mapping, with the key being that
private mapping reads can be handled with PMDs but private mapping
writes are always handled with PTEs so that we can COW.
Here is the first race:
CPU 0 CPU 1
(private mapping write)
__handle_mm_fault()
create_huge_pmd() - FALLBACK
handle_pte_fault()
passes check for pmd_devmap()
(private mapping read)
__handle_mm_fault()
create_huge_pmd()
dax_iomap_pmd_fault() inserts PMD
dax_iomap_pte_fault() does a PTE fault, but we already have a DAX PMD
installed in our page tables at this spot.
Here's the second race:
CPU 0 CPU 1
(private mapping read)
__handle_mm_fault()
passes check for pmd_none()
create_huge_pmd()
dax_iomap_pmd_fault() inserts PMD
(private mapping write)
__handle_mm_fault()
create_huge_pmd() - FALLBACK
(private mapping read)
__handle_mm_fault()
passes check for pmd_none()
create_huge_pmd()
handle_pte_fault()
dax_iomap_pte_fault() inserts PTE
dax_iomap_pmd_fault() inserts PMD,
but we already have a PTE at
this spot.
The core of the issue is that while there is isolation between faults to
the same range in the DAX fault handlers via our DAX entry locking,
there is no isolation between faults in the code in mm/memory.c. This
means for instance that this code in __handle_mm_fault() can run:
if (pmd_none(*vmf.pmd) && transparent_hugepage_enabled(vma)) {
ret = create_huge_pmd(&vmf);
But by the time we actually get to run the fault handler called by
create_huge_pmd(), the PMD is no longer pmd_none() because a racing PTE
fault has installed a normal PMD here as a parent. This is the cause of
the 2nd race. The first race is similar - there is the following check
in handle_pte_fault():
} else {
/* See comment in pte_alloc_one_map() */
if (pmd_devmap(*vmf->pmd) || pmd_trans_unstable(vmf->pmd))
return 0;
So if a pmd_devmap() PMD (a DAX PMD) has been installed at vmf->pmd, we
will bail and retry the fault. This is correct, but there is nothing
preventing the PMD from being installed after this check but before we
actually get to the DAX PTE fault handlers.
In my testing these races result in the following types of errors:
BUG: Bad rss-counter state mm:ffff8800a817d280 idx:1 val:1
BUG: non-zero nr_ptes on freeing mm: 15
Fix this issue by having the DAX fault handlers verify that it is safe
to continue their fault after they have taken an entry lock to block
other racing faults.
[ross.zwisler@linux.intel.com: improve fix for colliding PMD & PTE entries]
Link: http://lkml.kernel.org/r/20170526195932.32178-1-ross.zwisler@linux.intel.com
Link: http://lkml.kernel.org/r/20170522215749.23516-2-ross.zwisler@linux.intel.com
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reported-by: Pawel Lebioda <pawel.lebioda@intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Matthew Wilcox <mawilcox@microsoft.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Pawel Lebioda <pawel.lebioda@intel.com>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Xiong Zhou <xzhou@redhat.com>
Cc: Eryu Guan <eguan@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent d0f0931
debugfs.c
/*
* Debugfs support for hosts and cards
*
* Copyright (C) 2008 Atmel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/moduleparam.h>
#include <linux/export.h>
#include <linux/debugfs.h>
#include <linux/fs.h>
#include <linux/seq_file.h>
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/fault-inject.h>
#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
#include "core.h"
#include "card.h"
#include "host.h"
#include "mmc_ops.h"
#ifdef CONFIG_FAIL_MMC_REQUEST
static DECLARE_FAULT_ATTR(fail_default_attr);
static char *fail_request;
module_param(fail_request, charp, 0);
#endif /* CONFIG_FAIL_MMC_REQUEST */
/* The debugfs functions are optimized away when CONFIG_DEBUG_FS isn't set. */
static int mmc_ios_show(struct seq_file *s, void *data)
{
static const char *vdd_str[] = {
[8] = "2.0",
[9] = "2.1",
[10] = "2.2",
[11] = "2.3",
[12] = "2.4",
[13] = "2.5",
[14] = "2.6",
[15] = "2.7",
[16] = "2.8",
[17] = "2.9",
[18] = "3.0",
[19] = "3.1",
[20] = "3.2",
[21] = "3.3",
[22] = "3.4",
[23] = "3.5",
[24] = "3.6",
};
struct mmc_host *host = s->private;
struct mmc_ios *ios = &host->ios;
const char *str;
seq_printf(s, "clock:\t\t%u Hz\n", ios->clock);
if (host->actual_clock)
seq_printf(s, "actual clock:\t%u Hz\n", host->actual_clock);
seq_printf(s, "vdd:\t\t%u ", ios->vdd);
if ((1 << ios->vdd) & MMC_VDD_165_195)
seq_printf(s, "(1.65 - 1.95 V)\n");
else if (ios->vdd < (ARRAY_SIZE(vdd_str) - 1)
&& vdd_str[ios->vdd] && vdd_str[ios->vdd + 1])
seq_printf(s, "(%s ~ %s V)\n", vdd_str[ios->vdd],
vdd_str[ios->vdd + 1]);
else
seq_printf(s, "(invalid)\n");
switch (ios->bus_mode) {
case MMC_BUSMODE_OPENDRAIN:
str = "open drain";
break;
case MMC_BUSMODE_PUSHPULL:
str = "push-pull";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "bus mode:\t%u (%s)\n", ios->bus_mode, str);
switch (ios->chip_select) {
case MMC_CS_DONTCARE:
str = "don't care";
break;
case MMC_CS_HIGH:
str = "active high";
break;
case MMC_CS_LOW:
str = "active low";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "chip select:\t%u (%s)\n", ios->chip_select, str);
switch (ios->power_mode) {
case MMC_POWER_OFF:
str = "off";
break;
case MMC_POWER_UP:
str = "up";
break;
case MMC_POWER_ON:
str = "on";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "power mode:\t%u (%s)\n", ios->power_mode, str);
seq_printf(s, "bus width:\t%u (%u bits)\n",
ios->bus_width, 1 << ios->bus_width);
switch (ios->timing) {
case MMC_TIMING_LEGACY:
str = "legacy";
break;
case MMC_TIMING_MMC_HS:
str = "mmc high-speed";
break;
case MMC_TIMING_SD_HS:
str = "sd high-speed";
break;
case MMC_TIMING_UHS_SDR12:
str = "sd uhs SDR12";
break;
case MMC_TIMING_UHS_SDR25:
str = "sd uhs SDR25";
break;
case MMC_TIMING_UHS_SDR50:
str = "sd uhs SDR50";
break;
case MMC_TIMING_UHS_SDR104:
str = "sd uhs SDR104";
break;
case MMC_TIMING_UHS_DDR50:
str = "sd uhs DDR50";
break;
case MMC_TIMING_MMC_DDR52:
str = "mmc DDR52";
break;
case MMC_TIMING_MMC_HS200:
str = "mmc HS200";
break;
case MMC_TIMING_MMC_HS400:
str = mmc_card_hs400es(host->card) ?
"mmc HS400 enhanced strobe" : "mmc HS400";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "timing spec:\t%u (%s)\n", ios->timing, str);
switch (ios->signal_voltage) {
case MMC_SIGNAL_VOLTAGE_330:
str = "3.30 V";
break;
case MMC_SIGNAL_VOLTAGE_180:
str = "1.80 V";
break;
case MMC_SIGNAL_VOLTAGE_120:
str = "1.20 V";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "signal voltage:\t%u (%s)\n", ios->signal_voltage, str);
switch (ios->drv_type) {
case MMC_SET_DRIVER_TYPE_A:
str = "driver type A";
break;
case MMC_SET_DRIVER_TYPE_B:
str = "driver type B";
break;
case MMC_SET_DRIVER_TYPE_C:
str = "driver type C";
break;
case MMC_SET_DRIVER_TYPE_D:
str = "driver type D";
break;
default:
str = "invalid";
break;
}
seq_printf(s, "driver type:\t%u (%s)\n", ios->drv_type, str);
return 0;
}
static int mmc_ios_open(struct inode *inode, struct file *file)
{
return single_open(file, mmc_ios_show, inode->i_private);
}
static const struct file_operations mmc_ios_fops = {
.open = mmc_ios_open,
.read = seq_read,
.llseek = seq_lseek,
.release = single_release,
};
static int mmc_clock_opt_get(void *data, u64 *val)
{
struct mmc_host *host = data;
*val = host->ios.clock;
return 0;
}
static int mmc_clock_opt_set(void *data, u64 val)
{
struct mmc_host *host = data;
/* We need this check due to input value is u64 */
if (val != 0 && (val > host->f_max || val < host->f_min))
return -EINVAL;
mmc_claim_host(host);
mmc_set_clock(host, (unsigned int) val);
mmc_release_host(host);
return 0;
}
DEFINE_SIMPLE_ATTRIBUTE(mmc_clock_fops, mmc_clock_opt_get, mmc_clock_opt_set,
"%llu\n");
void mmc_add_host_debugfs(struct mmc_host *host)
{
struct dentry *root;
root = debugfs_create_dir(mmc_hostname(host), NULL);
if (IS_ERR(root))
/* Don't complain -- debugfs just isn't enabled */
return;
if (!root)
/* Complain -- debugfs is enabled, but it failed to
* create the directory. */
goto err_root;
host->debugfs_root = root;
if (!debugfs_create_file("ios", S_IRUSR, root, host, &mmc_ios_fops))
goto err_node;
if (!debugfs_create_file("clock", S_IRUSR | S_IWUSR, root, host,
&mmc_clock_fops))
goto err_node;
#ifdef CONFIG_FAIL_MMC_REQUEST
if (fail_request)
setup_fault_attr(&fail_default_attr, fail_request);
host->fail_mmc_request = fail_default_attr;
if (IS_ERR(fault_create_debugfs_attr("fail_mmc_request",
root,
&host->fail_mmc_request)))
goto err_node;
#endif
return;
err_node:
debugfs_remove_recursive(root);
host->debugfs_root = NULL;
err_root:
dev_err(&host->class_dev, "failed to initialize debugfs\n");
}
void mmc_remove_host_debugfs(struct mmc_host *host)
{
debugfs_remove_recursive(host->debugfs_root);
}
static int mmc_dbg_card_status_get(void *data, u64 *val)
{
struct mmc_card *card = data;
u32 status;
int ret;
mmc_get_card(card);
ret = mmc_send_status(data, &status);
if (!ret)
*val = status;
mmc_put_card(card);
return ret;
}
DEFINE_SIMPLE_ATTRIBUTE(mmc_dbg_card_status_fops, mmc_dbg_card_status_get,
NULL, "%08llx\n");
#define EXT_CSD_STR_LEN 1025
static int mmc_ext_csd_open(struct inode *inode, struct file *filp)
{
struct mmc_card *card = inode->i_private;
char *buf;
ssize_t n = 0;
u8 *ext_csd;
int err, i;
buf = kmalloc(EXT_CSD_STR_LEN + 1, GFP_KERNEL);
if (!buf)
return -ENOMEM;
mmc_get_card(card);
err = mmc_get_ext_csd(card, &ext_csd);
mmc_put_card(card);
if (err)
goto out_free;
for (i = 0; i < 512; i++)
n += sprintf(buf + n, "%02x", ext_csd[i]);
n += sprintf(buf + n, "\n");
if (n != EXT_CSD_STR_LEN) {
err = -EINVAL;
goto out_free;
}
filp->private_data = buf;
kfree(ext_csd);
return 0;
out_free:
kfree(buf);
return err;
}
static ssize_t mmc_ext_csd_read(struct file *filp, char __user *ubuf,
size_t cnt, loff_t *ppos)
{
char *buf = filp->private_data;
return simple_read_from_buffer(ubuf, cnt, ppos,
buf, EXT_CSD_STR_LEN);
}
static int mmc_ext_csd_release(struct inode *inode, struct file *file)
{
kfree(file->private_data);
return 0;
}
static const struct file_operations mmc_dbg_ext_csd_fops = {
.open = mmc_ext_csd_open,
.read = mmc_ext_csd_read,
.release = mmc_ext_csd_release,
.llseek = default_llseek,
};
void mmc_add_card_debugfs(struct mmc_card *card)
{
struct mmc_host *host = card->host;
struct dentry *root;
if (!host->debugfs_root)
return;
root = debugfs_create_dir(mmc_card_id(card), host->debugfs_root);
if (IS_ERR(root))
/* Don't complain -- debugfs just isn't enabled */
return;
if (!root)
/* Complain -- debugfs is enabled, but it failed to
* create the directory. */
goto err;
card->debugfs_root = root;
if (!debugfs_create_x32("state", S_IRUSR, root, &card->state))
goto err;
if (mmc_card_mmc(card) || mmc_card_sd(card))
if (!debugfs_create_file("status", S_IRUSR, root, card,
&mmc_dbg_card_status_fops))
goto err;
if (mmc_card_mmc(card))
if (!debugfs_create_file("ext_csd", S_IRUSR, root, card,
&mmc_dbg_ext_csd_fops))
goto err;
return;
err:
debugfs_remove_recursive(root);
card->debugfs_root = NULL;
dev_err(&card->dev, "failed to initialize debugfs\n");
}
void mmc_remove_card_debugfs(struct mmc_card *card)
{
debugfs_remove_recursive(card->debugfs_root);
}
Computing file changes ...
