From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=0lZN=DQ=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D0C69C43457
	for <linux-mm@archiver.kernel.org>; Fri,  9 Oct 2020 07:37:09 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 6AF2222266
	for <linux-mm@archiver.kernel.org>; Fri,  9 Oct 2020 07:37:09 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6AF2222266
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id E5C996B006C; Fri,  9 Oct 2020 03:37:08 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id E0B816B006E; Fri,  9 Oct 2020 03:37:08 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id CD3B96B0070; Fri,  9 Oct 2020 03:37:08 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0068.hostedemail.com [216.40.44.68])
	by kanga.kvack.org (Postfix) with ESMTP id A1CF86B006C
	for <linux-mm@kvack.org>; Fri,  9 Oct 2020 03:37:08 -0400 (EDT)
Received: from smtpin27.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 4B1711EE6
	for <linux-mm@kvack.org>; Fri,  9 Oct 2020 07:37:08 +0000 (UTC)
X-FDA: 77351580936.27.doll00_51007ec271de
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin27.hostedemail.com (Postfix) with ESMTP id 2C60C3D668
	for <linux-mm@kvack.org>; Fri,  9 Oct 2020 07:37:08 +0000 (UTC)
X-HE-Tag: doll00_51007ec271de
X-Filterd-Recvd-Size: 7336
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
	by imf21.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Fri,  9 Oct 2020 07:37:06 +0000 (UTC)
IronPort-SDR: nRWDOVRy3vR3IEUsdofX5Tu1+PUOwBYe0qlKhaAbhXYXEdyYCqW6fktJEvs9e3S0Bn05nSWhRP
 8OqyRw7sK3PA==
X-IronPort-AV: E=McAfee;i="6000,8403,9768"; a="250148730"
X-IronPort-AV: E=Sophos;i="5.77,354,1596524400"; 
   d="scan'208";a="250148730"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
  by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Oct 2020 00:37:04 -0700
IronPort-SDR: MDJhdq95lbtKuXRxTvEgaUWRva3ZXx9xfAoO4FRwSYRuqtqbEihOfXNaSkAy/f7xelLYyPSwUb
 2G1M/URwmWjg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.77,354,1596524400"; 
   d="scan'208";a="518580128"
Received: from yhuang-dev.sh.intel.com ([10.239.159.65])
  by fmsmga006.fm.intel.com with ESMTP; 09 Oct 2020 00:37:01 -0700
From: "Huang, Ying" <ying.huang@intel.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Huang Ying <ying.huang@intel.com>,
	Rafael Aquini <aquini@redhat.com>,
	Hugh Dickins <hughd@google.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	Andrea Arcangeli <aarcange@redhat.com>
Subject: [PATCH] mm: Fix a race during split THP
Date: Fri,  9 Oct 2020 15:36:47 +0800
Message-Id: <20201009073647.1531083-1-ying.huang@intel.com>
X-Mailer: git-send-email 2.28.0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Huang Ying <ying.huang@intel.com>

It is reported that the following bug is triggered if the HDD is used as =
swap
device,

[ 5758.157556] BUG: kernel NULL pointer dereference, address: 00000000000=
00007
[ 5758.165331] #PF: supervisor write access in kernel mode
[ 5758.171161] #PF: error_code(0x0002) - not-present page
[ 5758.176894] PGD 0 P4D 0
[ 5758.179721] Oops: 0002 [#1] SMP PTI
[ 5758.183614] CPU: 10 PID: 316 Comm: kswapd1 Kdump: loaded Tainted: G S =
              --------- ---  5.9.0-0.rc3.1.tst.el8.x86_64 #1
[ 5758.196717] Hardware name: Intel Corporation S2600CP/S2600CP, BIOS SE5=
C600.86B.02.01.0002.082220131453 08/22/2013
[ 5758.208176] RIP: 0010:split_swap_cluster+0x47/0x60
[ 5758.213522] Code: c1 e3 06 48 c1 eb 0f 48 8d 1c d8 48 89 df e8 d0 20 6=
a 00 80 63 07 fb 48 85 db 74 16 48 89 df c6 07 00 66 66 66 90 31 c0 5b c3=
 <80> 24 25 07 00 00 00 fb 31 c0 5b c3 b8 f0 ff ff ff 5b c3 66 0f 1f
[ 5758.234478] RSP: 0018:ffffb147442d7af0 EFLAGS: 00010246
[ 5758.240309] RAX: 0000000000000000 RBX: 000000000014b217 RCX: ffffb1477=
9fd9000
[ 5758.248281] RDX: 000000000014b217 RSI: ffff9c52f2ab1400 RDI: 000000000=
014b217
[ 5758.256246] RBP: ffffe00c51168080 R08: ffffe00c5116fe08 R09: ffff9c52f=
ffd3000
[ 5758.264208] R10: ffffe00c511537c8 R11: ffff9c52fffd3c90 R12: 000000000=
0000000
[ 5758.272172] R13: ffffe00c51170000 R14: ffffe00c51170000 R15: ffffe00c5=
1168040
[ 5758.280134] FS:  0000000000000000(0000) GS:ffff9c52f2a80000(0000) knlG=
S:0000000000000000
[ 5758.289163] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5758.295575] CR2: 0000000000000007 CR3: 0000000022a0e003 CR4: 000000000=
00606e0
[ 5758.303538] Call Trace:
[ 5758.306273]  split_huge_page_to_list+0x88b/0x950
[ 5758.311433]  deferred_split_scan+0x1ca/0x310
[ 5758.316202]  do_shrink_slab+0x12c/0x2a0
[ 5758.320491]  shrink_slab+0x20f/0x2c0
[ 5758.324482]  shrink_node+0x240/0x6c0
[ 5758.328469]  balance_pgdat+0x2d1/0x550
[ 5758.332652]  kswapd+0x201/0x3c0
[ 5758.336157]  ? finish_wait+0x80/0x80
[ 5758.340147]  ? balance_pgdat+0x550/0x550
[ 5758.344525]  kthread+0x114/0x130
[ 5758.348126]  ? kthread_park+0x80/0x80
[ 5758.352214]  ret_from_fork+0x22/0x30
[ 5758.356203] Modules linked in: fuse zram rfkill sunrpc intel_rapl_msr =
intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp =
mgag200 iTCO_wdt crct10dif_pclmul iTCO_vendor_support drm_kms_helper crc3=
2_pclmul ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fop=
s cec rapl joydev intel_cstate ipmi_si ipmi_devintf drm intel_uncore i2c_=
i801 ipmi_msghandler pcspkr lpc_ich mei_me i2c_smbus mei ioatdma ip_table=
s xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg igb ahci libahci i2c_algo_b=
it crc32c_intel libata dca wmi dm_mirror dm_region_hash dm_log dm_mod
[ 5758.412673] CR2: 0000000000000007
[    0.000000] Linux version 5.9.0-0.rc3.1.tst.el8.x86_64 (mockbuild@x86-=
vm-15.build.eng.bos.redhat.com) (gcc (GCC) 8.3.1 20191121 (Red Hat 8.3.1-=
5), GNU ld version 2.30-79.el8) #1 SMP Wed Sep 9 16:03:34 EDT 2020

After further digging it's found that the following race condition exists=
 in the
original implementation,

CPU1                                                             CPU2
----                                                             ----
deferred_split_scan()
  split_huge_page(page) /* page isn't compound head */
    split_huge_page_to_list(page, NULL)
      __split_huge_page(page, )
        ClearPageCompound(head)
        /* unlock all subpages except page (not head) */
                                                                 add_to_s=
wap(head)  /* not THP */
                                                                   get_sw=
ap_page(head)
                                                                   add_to=
_swap_cache(head, )
                                                                     SetP=
ageSwapCache(head)
     if PageSwapCache(head)
       split_swap_cluster(/* swap entry of head */)
         /* Deref sis->cluster_info: NULL accessing! */

So, in split_huge_page_to_list(), PageSwapCache() is called for the alrea=
dy
split and unlocked "head", which may be added to swap cache in another CP=
U.  So
split_swap_cluster() may be called wrongly.

To fix the race, the call to split_swap_cluster() is moved to
__split_huge_page() before all subpages are unlocked.  So that the
PageSwapCache() is stable.

Fixes: 59807685a7e77 ("mm, THP, swap: support splitting THP for THP swap =
out")
Reported-and-tested-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
---
 mm/huge_memory.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index cba3812a5c3e..87b0389673dd 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2478,6 +2478,12 @@ static void __split_huge_page(struct page *page, s=
truct list_head *list,
=20
 	remap_page(head, nr);
=20
+	if (PageSwapCache(head)) {
+		swp_entry_t entry =3D { .val =3D page_private(head) };
+
+		split_swap_cluster(entry);
+	}
+
 	for (i =3D 0; i < nr; i++) {
 		struct page *subpage =3D head + i;
 		if (subpage =3D=3D page)
@@ -2713,12 +2719,7 @@ int split_huge_page_to_list(struct page *page, str=
uct list_head *list)
 		}
=20
 		__split_huge_page(page, list, end, flags);
-		if (PageSwapCache(head)) {
-			swp_entry_t entry =3D { .val =3D page_private(head) };
-
-			ret =3D split_swap_cluster(entry);
-		} else
-			ret =3D 0;
+		ret =3D 0;
 	} else {
 		if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) {
 			pr_alert("total_mapcount: %u, page_count(): %u\n",
--=20
2.28.0