linux/tools/testing/selftests/vm
Peter Xu 8913970c19 mm/userfaultfd: selftests: fix memory corruption with thp enabled
In RHEL's gating selftests we've encountered memory corruption in the
uffd event test even with upstream kernel:

        # ./userfaultfd anon 128 4
        nr_pages: 32768, nr_pages_per_cpu: 32768
        bounces: 3, mode: rnd racing read, userfaults: 6240 missing (6240) 14729 wp (14729)
        bounces: 2, mode: racing read, userfaults: 1444 missing (1444) 28877 wp (28877)
        bounces: 1, mode: rnd read, userfaults: 6055 missing (6055) 14699 wp (14699)
        bounces: 0, mode: read, userfaults: 82 missing (82) 25196 wp (25196)
        testing uffd-wp with pagemap (pgsize=4096): done
        testing uffd-wp with pagemap (pgsize=2097152): done
        testing events (fork, remap, remove): ERROR: nr 32427 memory corruption 0 1 (errno=0, line=963)
        ERROR: faulting process failed (errno=0, line=1117)

It can be easily reproduced when global thp enabled, which is the
default for RHEL.

It's also known as a side effect of commit 0db282ba2c ("selftest: use
mmap instead of posix_memalign to allocate memory", 2021-07-23), which
is imho right itself on using mmap() to make sure the addresses will be
untagged even on arm.

The problem is, for each test we allocate buffers using two
allocate_area() calls.  We assumed these two buffers won't affect each
other, however they could, because mmap() could have found that the two
buffers are near each other and having the same VMA flags, so they got
merged into one VMA.

It won't be a big problem if thp is not enabled, but when thp is
agressively enabled it means when initializing the src buffer it could
accidentally setup part of the dest buffer too when there's a shared THP
that overlaps the two regions.  Then some of the dest buffer won't be
able to be trapped by userfaultfd missing mode, then it'll cause memory
corruption as described.

To fix it, do release_pages() after initializing the src buffer.

Since the previous two release_pages() calls are after
uffd_test_ctx_clear() which will unmap all the buffers anyway (which is
stronger than release pages; as unmap() also tear town pgtables), drop
them as they shouldn't really be anything useful.

We can mark the Fixes tag upon 0db282ba2c as it's reported to only
happen there, however the real "Fixes" IMHO should be 8ba6e86408, as
before that commit we'll always do explicit release_pages() before
registration of uffd, and 8ba6e86408 changed that logic by adding
extra unmap/map and we didn't release the pages at the right place.
Meanwhile I don't have a solid glue anyway on whether posix_memalign()
could always avoid triggering this bug, hence it's safer to attach this
fix to commit 8ba6e86408.

Link: https://lkml.kernel.org/r/20210923232512.210092-1-peterx@redhat.com
Fixes: 8ba6e86408 ("userfaultfd/selftests: reinitialize test context in each test")
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994931
Signed-off-by: Peter Xu <peterx@redhat.com>
Reported-by: Li Wang <liwan@redhat.com>
Tested-by: Li Wang <liwang@redhat.com>
Reviewed-by: Axel Rasmussen <axelrasmussen@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-10-18 20:22:02 -10:00
..
.gitignore selftests: vm: add KSM merge test 2021-09-03 09:58:18 -07:00
charge_reserved_hugetlb.sh selftests/vm: use kselftest skip code for skipped tests 2021-09-03 09:58:13 -07:00
check_config.sh selftests/vm: hmm-tests: remove the libhugetlbfs dependency 2020-12-15 12:13:38 -08:00
compaction_test.c selftests/vm: 8x compaction_test speedup 2020-10-13 18:38:34 -07:00
config mm/gup_benchmark: rename to mm/gup_test 2020-12-15 12:13:38 -08:00
gup_test.c mm/gup_benchmark: support threading 2021-06-29 10:53:48 -07:00
hmm-tests.c mm: selftests for exclusive device memory 2021-07-01 11:06:03 -07:00
hugepage-mmap.c
hugepage-shm.c
hugetlb_reparenting_test.sh selftests/vm: use kselftest skip code for skipped tests 2021-09-03 09:58:13 -07:00
khugepaged.c khugepaged: selftests: remove debug_cow 2021-06-30 20:47:26 -07:00
ksm_tests.c selftests: vm: add COW time test for KSM pages 2021-09-03 09:58:18 -07:00
madv_populate.c selftests/vm: add test for MADV_POPULATE_(READ|WRITE) 2021-06-30 20:47:31 -07:00
Makefile selftests: vm: add KSM merging across nodes test 2021-09-03 09:58:18 -07:00
map_fixed_noreplace.c tools/testing/selftests/vm/map_fixed_noreplace.c: add test for MAP_FIXED_NOREPLACE 2018-10-26 16:38:15 -07:00
map_hugetlb.c selftests/vm: fix display of page size in map_hugetlb 2020-09-19 13:13:39 -07:00
map_populate.c
memfd_secret.c secretmem: test: add basic selftest for memfd_secret(2) 2021-07-08 11:48:21 -07:00
mlock2-tests.c selftests: vm: drop dependencies on page flags from mlock2 tests 2020-04-02 09:35:31 -07:00
mlock2.h
mlock-random-test.c selftests: Fix spelling mistake "cann't" -> "cannot" 2021-09-03 09:58:13 -07:00
mremap_dontunmap.c selftests: add a MREMAP_DONTUNMAP selftest for shmem 2021-04-30 11:20:39 -07:00
mremap_test.c selftest/mremap_test: avoid crash with static build 2021-07-08 11:48:22 -07:00
on-fault-limit.c
pkey-helpers.h selftests/vm/pkeys: introduce a sub-page allocator 2020-06-04 19:06:27 -07:00
pkey-powerpc.h selftests: vm: pkeys: use the correct page size on powerpc 2020-06-04 19:06:27 -07:00
pkey-x86.h selftests/vm/pkeys: exercise x86 XSAVE init state 2021-07-01 11:06:06 -07:00
protection_keys.c selftests/vm/pkeys: exercise x86 XSAVE init state 2021-07-01 11:06:06 -07:00
run_vmtests.sh selftests: vm: add KSM merging across nodes test 2021-09-03 09:58:18 -07:00
split_huge_page_test.c mm: huge_memory: debugfs for file-backed THP split 2021-05-05 11:27:21 -07:00
test_hmm.sh mm/hmm/test: add selftests for HMM 2020-05-19 16:48:31 -03:00
test_vmalloc.sh vm/test_vmalloc.sh: adapt for updated driver interface 2021-04-30 11:20:40 -07:00
thuge-gen.c
transhuge-stress.c
userfaultfd.c mm/userfaultfd: selftests: fix memory corruption with thp enabled 2021-10-18 20:22:02 -10:00
va_128TBswitch.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 485 2019-06-19 17:09:52 +02:00
virtual_address_range.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 191 2019-05-30 11:29:21 -07:00
write_hugetlb_memory.sh hugetlb_cgroup: add hugetlb_cgroup reservation tests 2020-04-02 09:35:32 -07:00
write_to_hugetlbfs.c selftests/vm/write_to_hugetlbfs.c: fix unused variable warning 2020-05-23 10:26:31 -07:00