Message-ID: <1956a3ac-fad2-46bc-b6d6-66f9ba334528@linux.dev>
Date: Wed, 7 Feb 2024 11:03:35 +0800
From: Chengming Zhou
Subject: Re: [PATCH v2] mm/swap_state: update zswap LRU's protection range with the folio locked
To: Nhat Pham, akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, yosryahmed@google.com, linux-mm@kvack.org, kernel-team@meta.com, linux-kernel@vger.kernel.org
In-Reply-To: <20240206180855.3987204-1-nphamcs@gmail.com>
References: <20240206180855.3987204-1-nphamcs@gmail.com>

On 2024/2/7 02:08, Nhat Pham wrote:
> When a folio is swapped in, the protection size of the corresponding
> zswap LRU is incremented, so that the zswap shrinker is more
> conservative with its reclaiming action. This field is embedded within
> the struct lruvec, so updating it requires looking up the folio's memcg
> and lruvec. However, currently this lookup can happen after the folio is
> unlocked, for instance if a new folio is allocated, and
> swap_read_folio() unlocks the folio before returning. In this scenario,
> there is no stability guarantee for the binding between a folio and its
> memcg and lruvec:
>
> * A folio's memcg and lruvec can be freed between the lookup and the
> update, leading to a UAF.
> * Folio migration can clear the now-unlocked folio's memcg_data, which
> directs the zswap LRU protection size update towards the root memcg
> instead of the original memcg. This was recently picked up by the
> syzbot thanks to a warning in the inlined folio_lruvec() call.
>
> Move the zswap LRU protection range update above the swap_read_folio()
> call, and only when a new page is allocated, to prevent this.
>
> Reported-by: syzbot+17a611d10af7d18a7092@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000ae47f90610803260@google.com/
> Fixes: b5ba474f3f51 ("zswap: shrink zswap pool based on memory pressure")
> Signed-off-by: Nhat Pham

LGTM, thanks!

Reviewed-by: Chengming Zhou

> ---
>  mm/swap_state.c | 10 ++++++----
>  mm/zswap.c      |  1 +
>  2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index e671266ad772..7255c01a1e4e 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -680,9 +680,10 @@ struct folio *swap_cluster_readahead(swp_entry_t entry, gfp_t gfp_mask, > /* The page was likely read above, so no need for plugging here */ > folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, > &page_allocated, false); > - if (unlikely(page_allocated)) > + if (unlikely(page_allocated)) { > + zswap_folio_swapin(folio); > swap_read_folio(folio, false, NULL); > - zswap_folio_swapin(folio); > + } > return folio; > } > > @@ -855,9 +856,10 @@ static struct folio *swap_vma_readahead(swp_entry_t targ_entry, gfp_t gfp_mask, > /* The folio was likely read above, so no need for plugging here */ > folio = __read_swap_cache_async(targ_entry, gfp_mask, mpol, targ_ilx, > &page_allocated, false); > - if (unlikely(page_allocated)) > + if (unlikely(page_allocated)) { > + zswap_folio_swapin(folio); > swap_read_folio(folio, false, NULL); > - zswap_folio_swapin(folio); > + } > return folio; > } > > diff --git a/mm/zswap.c b/mm/zswap.c > index 4aea03285532..8c548f73d52e 100644 > --- a/mm/zswap.c > +++ b/mm/zswap.c > @@ -827,6 +827,7 @@ void zswap_folio_swapin(struct folio *folio) > struct lruvec *lruvec; > > if (folio) { > + VM_WARN_ON_ONCE(!folio_test_locked(folio)); > lruvec = folio_lruvec(folio); > atomic_long_inc(&lruvec->zswap_lruvec_state.nr_zswap_protected); > } > > base-commit: 91f3daa1765ee4e0c89987dc25f72c40f07af34d
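Review bot: the swap_cluster_readahead() hunk changes more than the call order. Before the patch zswap_folio_swapin() ran unconditionally after the `if`; now it runs only inside `if (unlikely(page_allocated))`, so a folio that was already present in the swap cache no longer increments nr_zswap_protected. The commit message states the new behaviour ("only when a new page is allocated") but gives no reason why the already-cached case should stop counting; one sentence on that rationale in the changelog would make the behaviour change reviewable rather than incidental.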
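Review bot: the swap_vma_readahead() hunk repeats the same reorder, and at both call sites correctness now depends on an ordering constraint that nothing at the call site expresses: zswap_folio_swapin() must come before swap_read_folio() because swap_read_folio() unlocks the folio. A one-line comment above each call, along the lines of `/* Must run while the folio is still locked; swap_read_folio() unlocks it. */`, would keep a future refactor from moving the update back below the read and reintroducing the race.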
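Review bot: the new `VM_WARN_ON_ONCE(!folio_test_locked(folio));` in zswap_folio_swapin() makes the folio lock a hard requirement of the function, but the patch neither documents that requirement on the function itself nor states in the changelog that the two readahead sites touched here are its only callers. Suggest adding the locking rule as a comment on zswap_folio_swapin() (the existing `if (folio)` guard already keeps the warning away from a NULL folio) and confirming in the commit message that no other caller reaches it with an unlocked folio, since any such caller would now trigger the warning.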