From: chengming.zhou@linux.dev
To: hannes@cmpxchg.org, yosryahmed@google.com, nphamcs@gmail.com, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, chengming.zhou@linux.dev, Chengming Zhou , stable@vger.kernel.org, Chris Li
Subject: [PATCH v4] mm/zswap: invalidate old entry when store fail or !zswap_enabled
Date: Wed, 7 Feb 2024 11:54:06 +0000
Message-Id: <20240207115406.3865746-1-chengming.zhou@linux.dev>
From: Chengming Zhou

We may encounter a duplicate entry in zswap_store():

1. A swap slot that was freed to the per-cpu swap cache doesn't invalidate the zswap entry, then gets reused. This has been fixed.

2. In !exclusive load mode, a swapin folio will leave its zswap entry on the tree, then swap out again. This has been removed.

3. One folio can be dirtied again after zswap_store(), so we need to zswap_store() it again. This should be handled correctly.

So we must invalidate the old duplicate entry before inserting the new one, which actually doesn't have to be done at the beginning of zswap_store(). And this is a normal situation, so we shouldn't WARN_ON(1) in this case; delete it. (The WARN_ON(1) seems to want to detect a swap entry UAF problem? But it is not very necessary here.)

The good point is that we don't need to lock the tree twice in the store success path.

Note we still need to invalidate the old duplicate entry in the store failure path, otherwise the new data in the swapfile could be overwritten by the old data in the zswap pool during lru writeback.

We have to do this even when !zswap_enabled since zswap can be disabled anytime. If the folio store succeeded before, then got dirtied again but zswap was disabled, we won't invalidate the old duplicate entry in zswap_store(). So later lru writeback may overwrite the new data in the swapfile.

Fixes: 42c06a0e8ebe ("mm: kill frontswap")
Cc:
Acked-by: Johannes Weiner
Acked-by: Yosry Ahmed
Acked-by: Chris Li
Signed-off-by: Chengming Zhou
---
v4:
- VM_WARN_ON generates no code when !CONFIG_DEBUG_VM; change to use WARN_ON.

v3:
- Fix a few grammatical problems in comments, per Yosry.

v2:
- Change the duplicate entry invalidation loop to an if; since we hold the lock, we won't find it again once we invalidate it, per Yosry.
- Add Fixes tag.
---
 mm/zswap.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/mm/zswap.c b/mm/zswap.c
index cd67f7f6b302..62fe307521c9 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -1518,18 +1518,8 @@ bool zswap_store(struct folio *folio) return false; if (!zswap_enabled) - return false; + goto check_old; - /* - * If this is a duplicate, it must be removed before attempting to store - * it, otherwise, if the store fails the old page won't be removed from - * the tree, and it might be written back overriding the new data. - */ - spin_lock(&tree->lock); - entry = zswap_rb_search(&tree->rbroot, offset); - if (entry) - zswap_invalidate_entry(tree, entry); - spin_unlock(&tree->lock); objcg = get_obj_cgroup_from_folio(folio); if (objcg && !obj_cgroup_may_zswap(objcg)) { memcg = get_mem_cgroup_from_objcg(objcg); @@ -1608,14 +1598,12 @@ bool zswap_store(struct folio *folio) /* map */ spin_lock(&tree->lock); /* - * A duplicate entry should have been removed at the beginning of this - * function. Since the swap entry should be pinned, if a duplicate is - * found again here it means that something went wrong in the swap - * cache. + * The folio may have been dirtied again, invalidate the + * possibly stale entry before inserting the new entry. */ - while (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { - WARN_ON(1); + if (zswap_rb_insert(&tree->rbroot, entry, &dupentry) == -EEXIST) { zswap_invalidate_entry(tree, dupentry); + WARN_ON(zswap_rb_insert(&tree->rbroot, entry, &dupentry)); } if (entry->length) { INIT_LIST_HEAD(&entry->lru); @@ -1638,6 +1626,17 @@ bool zswap_store(struct folio *folio) reject: if (objcg) obj_cgroup_put(objcg); +check_old: + /* + * If the zswap store fails or zswap is disabled, we must invalidate the + * possibly stale entry which was previously stored at this offset. + * Otherwise, writeback could overwrite the new data in the swapfile. + */ + spin_lock(&tree->lock); + entry = zswap_rb_search(&tree->rbroot, offset); + if (entry) + zswap_invalidate_entry(tree, entry); + spin_unlock(&tree->lock); return false; shrink: -- 2.40.1
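Review bot: the `goto check_old` in the first hunk (replacing `return false` under `if (!zswap_enabled)`) jumps from before `objcg` is assigned to a label that sits after `if (objcg) obj_cgroup_put(objcg);`, so it does not touch an uninitialized objcg; it does, however, rely on `tree` and `offset` already being resolved at the `!zswap_enabled` check, which the hunk context does not show. A one-line comment at the goto, or a sentence in the commit message, stating that any bail-out before `tree` is looked up must keep using a plain `return false` would stop a future early return from being converted to `goto check_old` by mistake.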
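Review bot: in the second hunk, `WARN_ON(zswap_rb_insert(&tree->rbroot, entry, &dupentry));` puts a required side effect (the actual re-insert) inside a warning macro, which reads as debug-only even though the v4 changelog chose WARN_ON precisely because VM_WARN_ON compiles to nothing without CONFIG_DEBUG_VM. Consider splitting it into `err = zswap_rb_insert(&tree->rbroot, entry, &dupentry);` followed by `WARN_ON(err);`, or adding a short comment that the insert must always execute. The logic itself is sound: `spin_lock(&tree->lock)` is held across the invalidate and the retry, so the second insert can only fail on a real bug, which is what the warning is for.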
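Review bot: the new `check_old:` block in the third hunk is reached both by fall-through from `reject:` and by the `goto` from the `!zswap_enabled` path, but its comment states only what it does, not the precondition that `tree` and `offset` are valid at that point; suggest extending the comment with that precondition. It is also worth a pointer in the same comment to the success-path handling (the `-EEXIST` case under the map lock), since the two paths now invalidate duplicates in different places and should be kept in sync when either changes.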
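The following is an added C model of the stale-entry scenario the commit message describes; it is constructed for this page and is not code from the patch or from mm/zswap.c. It reduces one swap offset to a swapfile slot plus at most one zswap entry, then runs the sequence: store succeeds, zswap is disabled at runtime, the folio is dirtied and swapped out again to the swapfile, and a later LRU writeback pushes the stale entry into the slot. `scenario(false)` models the pre-patch behaviour and `scenario(true)` the patched behaviour; all function names and the toy data structures are assumptions.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed toy model of one swap offset: the swapfile slot on disk and the
 * (at most one) zswap entry that may shadow it. All names are hypothetical. */
#define PAGE 8
static char swapfile_slot[PAGE], zswap_entry[PAGE];
static bool zswap_entry_valid, zswap_enabled = true;
/* Model of zswap_store(): true if the folio now lives in zswap, false if the
 * caller must write the swapfile. 'patched' selects whether the !zswap_enabled
 * path invalidates the stale entry (the check_old label in the patch). */
static bool zswap_store_model(const char *data, bool patched)
{
    if (!zswap_enabled) {
        if (patched)
            zswap_entry_valid = false;
        return false;
    }
    memcpy(zswap_entry, data, PAGE);   /* insert replaces any duplicate */
    zswap_entry_valid = true;
    return true;
}

/* Swapout path: try zswap first, otherwise write the swapfile slot. */
static void swapout_model(const char *data, bool patched)
{
    if (!zswap_store_model(data, patched))
        memcpy(swapfile_slot, data, PAGE);
}

/* LRU writeback: a still-valid zswap entry is written into its slot. */
static void zswap_writeback_model(void)
{
    if (zswap_entry_valid) {
        memcpy(swapfile_slot, zswap_entry, PAGE);
        zswap_entry_valid = false;
    }
}

/* Sequence from the commit message; true if the swapfile keeps the newest data. */
bool scenario(bool patched)
{
    zswap_enabled = true;
    zswap_entry_valid = false;
    memset(swapfile_slot, 0, PAGE);
    swapout_model("OLD-DATA", patched);  /* first swapout: stored in zswap */
    zswap_enabled = false;               /* zswap disabled at runtime */
    swapout_model("NEW-DATA", patched);  /* dirtied again: goes to swapfile */
    zswap_writeback_model();             /* later writeback of stale entry */
    return memcmp(swapfile_slot, "NEW-DATA", PAGE) == 0;
}
```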