Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

Memory hot remove unmaps and tears down various kernel page table regions
as required. The ptdump code can race with concurrent modifications of
the kernel page tables. When leaf entries are modified concurrently, the
dump code may log stale or inconsistent information for a VA range, but
this is otherwise not harmful.

But when intermediate levels of kernel page table are freed, the dump code
will continue to use memory that has been freed and potentially
reallocated for another purpose. In such cases, the ptdump code may
dereference bogus addresses, leading to a number of potential problems.

To avoid the above-mentioned race condition, platforms such as arm64,
riscv and s390 take the memory hotplug lock while dumping the kernel page
table via the sysfs interface /sys/kernel/debug/kernel_page_tables.

A similar race condition exists while checking for pages that might have
been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
which in turn calls ptdump_check_wx(). Instead of solving this race
condition again, let's just move the memory hotplug lock inside generic
ptdump_check_wx() which will benefit both the scenarios.

Drop get_online_mems() and put_online_mems() combination from all existing
platform ptdump code paths.

Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Authored by Anshuman Khandual and committed by Andrew Morton
59305202 ab7ed56a

+2 -8
-3
arch/arm64/mm/ptdump_debugfs.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 #include <linux/debugfs.h> 3 - #include <linux/memory_hotplug.h> 4 3 #include <linux/seq_file.h> 5 4 6 5 #include <asm/ptdump.h> ··· 8 9 { 9 10 struct ptdump_info *info = m->private; 10 11 11 - get_online_mems(); 12 12 ptdump_walk(m, info); 13 - put_online_mems(); 14 13 return 0; 15 14 } 16 15 DEFINE_SHOW_ATTRIBUTE(ptdump);
-3
arch/riscv/mm/ptdump.c
··· 6 6 #include <linux/efi.h> 7 7 #include <linux/init.h> 8 8 #include <linux/debugfs.h> 9 - #include <linux/memory_hotplug.h> 10 9 #include <linux/seq_file.h> 11 10 #include <linux/ptdump.h> 12 11 ··· 412 413 413 414 static int ptdump_show(struct seq_file *m, void *v) 414 415 { 415 - get_online_mems(); 416 416 ptdump_walk(m, m->private); 417 - put_online_mems(); 418 417 419 418 return 0; 420 419 }
-2
arch/s390/mm/dump_pagetables.c
··· 247 247 .marker = markers, 248 248 }; 249 249 250 - get_online_mems(); 251 250 mutex_lock(&cpa_mutex); 252 251 ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); 253 252 mutex_unlock(&cpa_mutex); 254 - put_online_mems(); 255 253 return 0; 256 254 } 257 255 DEFINE_SHOW_ATTRIBUTE(ptdump);
+2
mm/ptdump.c
··· 176 176 { 177 177 const struct ptdump_range *range = st->range; 178 178 179 + get_online_mems(); 179 180 mmap_write_lock(mm); 180 181 while (range->start != range->end) { 181 182 walk_page_range_debug(mm, range->start, range->end, ··· 184 183 range++; 185 184 } 186 185 mmap_write_unlock(mm); 186 + put_online_mems(); 187 187 188 188 /* Flush out the last page */ 189 189 st->note_page_flush(st);
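Review bot: In the arm64 and riscv ptdump_show() hunks the call to ptdump_walk() is no longer bracketed by get_online_mems()/put_online_mems(), so these debugfs paths stay protected only if ptdump_walk() ends up in the generic walker changed in mm/ptdump.c, which neither hunk shows. Please state that call chain in the commit message, and check that nothing else in either file still depends on <linux/memory_hotplug.h> now that the include is dropped.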
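Review bot: In arch/s390/mm/dump_pagetables.c the lock order changes without being mentioned: the removed get_online_mems() was taken before mutex_lock(&cpa_mutex), whereas with the lock now taken inside ptdump_walk_pgd() the hotplug lock is acquired while cpa_mutex is already held. Please confirm that no memory hotplug path takes cpa_mutex while holding the hotplug lock, and record the resulting order either in the commit message or in a comment next to mutex_lock(&cpa_mutex).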
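Review bot: In mm/ptdump.c the new get_online_mems() ahead of mmap_write_lock(mm) carries no comment, so a later reader cannot tell why a generic walker takes the hotplug lock or that it must stay outermost. A short comment saying the walk must not race with memory hot remove freeing intermediate page table levels would cover it. The commit message body also says the lock moves into ptdump_check_wx(), while the subject line and the s390 caller both name ptdump_walk_pgd(); the log should be made consistent with the function actually changed.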