Message-ID: <16cf184f-95ec-a763-0606-7423db8dcb0f@huawei.com>
Date: Tue, 23 Aug 2022 22:47:33 +0800
Subject: Re: [PATCH] mm: fix pgdat->kswap accessed concurrently
From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: Andrew Morton, Muchun Song
CC: Linux MM <linux-mm@kvack.org>
References: <20220820032506.126860-1-wangkefeng.wang@huawei.com> <1E87F09C-4904-49E2-B45C-C408DD5F6F62@linux.dev> <20220820135955.1520aa480fe04ab31d4fce1f@linux-foundation.org>
On 2022/8/23 9:07, Kefeng Wang wrote:
>
> On 2022/8/21 4:59, Andrew Morton wrote:
>> On Sat, 20 Aug 2022 15:33:04 +0800 Muchun Song wrote:
>>
>>>
>>>> +    if (IS_ERR(t)) {
>>>>         /* failure at boot is fatal */
>>>>         BUG_ON(system_state < SYSTEM_RUNNING);
>>>>         pr_err("Failed to start kswapd on node %d\n", nid);
>>>> -        pgdat->kswapd = NULL;
>>>> +        WRITE_ONCE(pgdat->kswapd, NULL);
>>>> +    } else {
>>>> +        WRITE_ONCE(pgdat->kswapd, t);
>>>>     }
>>>> }
>>> IIUC, the race is like the followings:
>>>
>>> CPU 0:                    CPU 1:
>>>
>>> kswapd_run()
>>>     pgdat->kswapd = kthread_run()
>>>     if (IS_ERR(pgdat->kswapd))
>>>                     kswapd_is_running
>>>                         // load pgdat->kswapd and it is NOT NULL.
>>>         pgdat->kswapd = NULL
>>>                         task_is_running(pgdat->kswapd); // NULL
>>> pointer dereference
>>>
>> But don't we still have a bug?  Sure, kswapd_is_running() will no
>> longer deref a null pointer.  But it now runs kswapd_is_running()
>> against a task which has exited - a use-after-free?

The UAF is caused by a race between kswapd_stop() and kcompactd(), right?
So kcompactd() should be stopped before kswapd_stop() to avoid the above UAF.

$ git diff
diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index fad6d1f2262a..2fd45ccbce45 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1940,8 +1940,8 @@ int __ref offline_pages(unsigned long start_pfn, unsigned long nr_pages,
 
        node_states_clear_node(node, &arg);
        if (arg.status_change_nid >= 0) {
-               kswapd_stop(node);
                kcompactd_stop(node);
+               kswapd_stop(node);
        }
 
        writeback_set_ratelimit();

> we could add get/put_task_struct() to avoid the UAF, will update,
> thanks.

Sorry, the task refcount won't fix anything.

> .
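Review bot: the reorder in offline_pages() needs a comment at the call site explaining why kcompactd_stop(node) must now come before kswapd_stop(node); as the hunk stands it is two swapped lines with no hint that the order matters, and a later cleanup could put them back. A one-liner such as `/* kcompactd() looks at pgdat->kswapd, so stop it before kswapd */` above the two calls, plus the same rationale in the commit message, would preserve the intent. Note also that this only covers the teardown path on memory offline; the kswapd_run() publish race shown in the quoted CPU 0 / CPU 1 trace is untouched by this hunk and still needs the separate WRITE_ONCE/local-variable fix.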
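To make the kswapd_run() half of this thread concrete, here is an added user-space model (not kernel code, and not from the patch or its reviewers) of the two publish orders discussed above. Every value stored to a shared pointer is observable by a concurrent reader, so the model records each store to pgdat->kswapd and reports how many of them were non-NULL error pointers that a racing kswapd_is_running() could have passed through its NULL check and dereferenced. kthread_run_stub(), publish_kswapd() and the struct layouts are assumptions for the demonstration; ERR_PTR()/IS_ERR() are reimplemented locally in the kernel's style.

```c
/* Added example: user-space model of publishing pgdat->kswapd.
 * Not kernel code; names marked "stub"/"model" are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095
/* Kernel-style error-pointer helpers, reimplemented for user space. */
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct task_struct { int nid; };

struct pglist_data {
    struct task_struct *kswapd;       /* the shared pointer readers load */
    void *published[8];               /* instrumentation: every value stored */
    int npublished;
};

/* Models WRITE_ONCE(pgdat->kswapd, t): one store a concurrent reader
 * may observe, so it is also recorded in the publication trace. */
static void publish_kswapd(struct pglist_data *pgdat, struct task_struct *t)
{
    pgdat->kswapd = t;
    if (pgdat->npublished < 8)
        pgdat->published[pgdat->npublished++] = t;
}

/* Stub for kthread_run(): either a real task or ERR_PTR(-ENOMEM) (-12). */
static struct task_struct one_task;
static struct task_struct *kthread_run_stub(int nid, int fail)
{
    if (fail)
        return ERR_PTR(-12);
    one_task.nid = nid;
    return &one_task;
}

/* Original shape from the thread: store first, test the shared pointer
 * afterwards.  On failure the error pointer is visible until the NULL store. */
static void kswapd_run_buggy(struct pglist_data *pgdat, int nid, int fail)
{
    publish_kswapd(pgdat, kthread_run_stub(nid, fail));
    if (IS_ERR(pgdat->kswapd))
        publish_kswapd(pgdat, NULL);
}

/* Fixed shape from the patch: test a local, publish one final value. */
static void kswapd_run_fixed(struct pglist_data *pgdat, int nid, int fail)
{
    struct task_struct *t = kthread_run_stub(nid, fail);
    if (IS_ERR(t))
        publish_kswapd(pgdat, NULL);
    else
        publish_kswapd(pgdat, t);
}

/* Number of published values that are non-NULL error pointers: each one is
 * a value a racing reader could load, pass a NULL check on, and dereference. */
static int count_bad_publications(const struct pglist_data *pgdat)
{
    int bad = 0;
    for (int i = 0; i < pgdat->npublished; i++) {
        const void *p = pgdat->published[i];
        if (p != NULL && IS_ERR(p))
            bad++;
    }
    return bad;
}

/* Run one variant from a fresh pgdat and return its bad-publication count. */
static int bad_publications(int fixed, int fail)
{
    struct pglist_data pgdat;
    memset(&pgdat, 0, sizeof(pgdat));
    if (fixed)
        kswapd_run_fixed(&pgdat, 0, fail);
    else
        kswapd_run_buggy(&pgdat, 0, fail);
    return count_bad_publications(&pgdat);
}

int main(void)
{
    printf("buggy, kthread_run fails:  %d bad publication(s)\n", bad_publications(0, 1));
    printf("fixed, kthread_run fails:  %d bad publication(s)\n", bad_publications(1, 1));
    printf("buggy, kthread_run ok:     %d bad publication(s)\n", bad_publications(0, 0));
    return 0;
}
```

The model does not spin a second thread; it relies on the memory-model fact that any value written to the shared location can be read by another CPU, so the publication trace is the complete set of states a reader can race against. The buggy variant records the error pointer, the fixed one records only the final NULL.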