From: Johannes Weiner <hannes@cmpxchg.org>
To: "Sridhar, Kanchana P" <kanchana.p.sridhar@intel.com>
Cc: Yosry Ahmed <yosryahmed@google.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"nphamcs@gmail.com" <nphamcs@gmail.com>,
	"chengming.zhou@linux.dev" <chengming.zhou@linux.dev>,
	"usamaarif642@gmail.com" <usamaarif642@gmail.com>,
	"ryan.roberts@arm.com" <ryan.roberts@arm.com>,
	"Huang, Ying" <ying.huang@intel.com>,
	"21cnbao@gmail.com" <21cnbao@gmail.com>,
	"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
	"Feghali, Wajdi K" <wajdi.k.feghali@intel.com>,
	"Gopal, Vinodh" <vinodh.gopal@intel.com>
Subject: Re: [PATCH v1] mm: zswap: Fix a potential memory leak in zswap_decompress().
Date: Wed, 13 Nov 2024 16:30:07 -0500
Message-ID: <20241113213007.GB1564047@cmpxchg.org>
In-Reply-To: <SJ0PR11MB56781940E69ABE93FF9076F6C95A2@SJ0PR11MB5678.namprd11.prod.outlook.com>

On Wed, Nov 13, 2024 at 07:12:18PM +0000, Sridhar, Kanchana P wrote:
> I am still thinking moving the mutex_unlock() could help, or at least have
> no downside. The acomp_ctx is per-cpu and its mutex_lock/unlock
> safeguards the interaction between the decompress operation, the
> sg_*() API calls inside zswap_decompress() and the shared zpool.
> 
> If we release the per-cpu acomp_ctx's mutex lock before the
> zpool_unmap_handle(), is it possible that another cpu could acquire
> its acomp_ctx's lock and map the same zpool handle (that the earlier
> cpu has yet to unmap or is concurrently unmapping) for a write?
> If this could happen, would it result in undefined state for both
> these zpool ops on different CPUs?

The code is fine as is.

Like you said, acomp_ctx->buffer (the pointer) doesn't change. It
points to whatever was kmalloced in zswap_cpu_comp_prepare(). The
handle points to backend memory. Neither of those addresses can change
under us. There is no confusing them, and they cannot coincide.

The mutex guards the *memory* behind the buffer, so that we don't have
multiple (de)compressors stepping on each other's toes. But it's fine
to drop the mutex once we're done working with the memory. We don't
need the mutex to check whether src holds the acomp buffer address.

That being said, I do think there is a UAF bug in CPU hotplugging.

There is an acomp_ctx for each cpu, but note that this is best effort
parallelism, not a guarantee that we always have the context of the
local CPU. Look closely: we pick the "local" CPU with preemption
enabled, then contend for the mutex. This may well put us to sleep and
get us migrated, so we could be using the context of a CPU we are no
longer running on. This is fine because we hold the mutex - if that
other CPU tries to use the acomp_ctx, it'll wait for us.

However, if we get migrated and vacate the CPU whose context we have
locked, the CPU might get offlined and zswap_cpu_comp_dead() can free
the context underneath us. I think we need to refcount the acomp_ctx.
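The refcount idea from the message, as an added userspace model that is not part of this thread or of zswap: ctx_get/ctx_put/ctx_cpu_dead are hypothetical names standing in for the per-CPU context lifecycle, and the model is single-threaded, so a real implementation would need refcount_t or similar atomic handling.

```c
/* Added userspace model (not kernel code) of the refcounted acomp_ctx the
 * message proposes; names are hypothetical and the model is single-threaded. */
#include <stdlib.h>
#include <string.h>

struct acomp_ctx {
	int refcount;       /* 1 held by the online CPU, +1 per in-flight user */
	char buffer[4096];  /* stand-in for the kmalloc'ed scratch buffer */
};
static struct acomp_ctx *per_cpu_ctx[4];
static int ctx_frees;   /* contexts actually freed, for verification */

/* Pin the context before use; it then stays valid even if the task sleeps on
 * the mutex, gets migrated, and the CPU it picked is offlined meanwhile. */
static struct acomp_ctx *ctx_get(int cpu)
{
	struct acomp_ctx *ctx = per_cpu_ctx[cpu];
	if (ctx) ctx->refcount++;
	return ctx;
}
static void ctx_put(struct acomp_ctx *ctx)
{
	if (--ctx->refcount) return;
	free(ctx);
	ctx_frees++;
}

/* zswap_cpu_comp_dead() analogue: unpublish and drop the CPU's reference; the
 * memory is released only when the last user calls ctx_put(). */
static void ctx_cpu_dead(int cpu)
{
	struct acomp_ctx *ctx = per_cpu_ctx[cpu];
	per_cpu_ctx[cpu] = NULL;
	if (ctx) ctx_put(ctx);
}

/* Scenario from the message: a user pins CPU 1's context, then CPU 1 goes
 * offline while the user still works on it. Returns 1 if the buffer outlived
 * the offline and was freed exactly once, on the user's final put. */
int offline_while_in_use(void)
{
	struct acomp_ctx *ctx = calloc(1, sizeof(*ctx));  /* prepare() analogue */
	if (!ctx) return 0;
	ctx->refcount = 1;      /* this reference is owned by the online CPU */
	per_cpu_ctx[1] = ctx;
	ctx_get(1);             /* user pins the context: refcount is now 2 */
	ctx_cpu_dead(1);        /* without the refcount this would free ctx under us */
	if (ctx_frees != 0 || per_cpu_ctx[1] != NULL) return 0;
	memset(ctx->buffer, 0xa5, sizeof(ctx->buffer));  /* safe: we hold a ref */
	ctx_put(ctx);
	return ctx_frees == 1;
}
int main(void) { return offline_while_in_use() ? 0 : 1; }
```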

