Message-ID: <5fd25908-8c1d-4caf-ab6d-9e2c578515db@linux.dev>
Date: Fri, 20 Dec 2024 10:31:27 +0800
Subject: Re: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
To: Yosry Ahmed, Andrew Morton
Cc: Johannes Weiner, Nhat Pham, Vitaly Wool, Barry Song, Sam Sun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20241219212437.2714151-1-yosryahmed@google.com>
From: Chengming Zhou
In-Reply-To: <20241219212437.2714151-1-yosryahmed@google.com>

On 2024/12/20 05:24, Yosry Ahmed wrote:
> In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
> current CPU at the beginning of the operation is retrieved and used
> throughout. However, since neither preemption nor migration are
> disabled, it is possible that the operation continues on a different
> CPU.
>
> If the original CPU is hotunplugged while the acomp_ctx is still in use,
> we run into a UAF bug as the resources attached to the acomp_ctx are
> freed during hotunplug in zswap_cpu_comp_dead().
>
> The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to
> use crypto_acomp API for hardware acceleration") when the switch to the
> crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
> retrieved using get_cpu_ptr() which disables preemption and makes sure
> the CPU cannot go away from under us. Preemption cannot be disabled with
> the crypto_acomp API as a sleepable context is needed.
>
> Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
> per-acomp_ctx") increased the UAF surface area by making the per-CPU
> buffers dynamic, adding yet another resource that can be freed from
> under zswap compression/decompression by CPU hotunplug.
>
> There are a few ways to fix this:
> (a) Add a refcount for acomp_ctx.
> (b) Disable migration while using the per-CPU acomp_ctx.
> (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
> the CPUs read lock.
>
> Implement (c) since it's simpler than (a), and (b) involves using
> migrate_disable() which is apparently undesired (see huge comment in
> include/linux/preempt.h).
>
> Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
> Reported-by: Johannes Weiner
> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
> Reported-by: Sam Sun
> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/
> Cc:
> Signed-off-by: Yosry Ahmed
> ---

Good analysis and solution!

Reviewed-by: Chengming Zhou

Thanks.