From: Yosry Ahmed
Date: Mon, 6 Jan 2025 15:54:19 -0800
Subject: Re: [PATCH] mm: zswap: fix race between [de]compression and CPU hotunplug
To: Andrew Morton
Cc: Johannes Weiner, Nhat Pham, Chengming Zhou, Vitaly Wool, Barry Song, Sam Sun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
In-Reply-To: <20250106235248.1501064-1-yosryahmed@google.com>

On Mon, Jan 6, 2025 at 3:52 PM Yosry Ahmed wrote:
>
> In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
> current CPU at the beginning of the operation is retrieved and used
> throughout. However, since neither preemption nor migration are
> disabled, it is possible that the operation continues on a different
> CPU.
>
> If the original CPU is hotunplugged while the acomp_ctx is still in use,
> we run into a UAF bug as the resources attached to the acomp_ctx are
> freed during hotunplug in zswap_cpu_comp_dead().
>
> The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to
> use crypto_acomp API for hardware acceleration") when the switch to the
> crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was
> retrieved using get_cpu_ptr() which disables preemption and makes sure
> the CPU cannot go away from under us. Preemption cannot be disabled with
> the crypto_acomp API as a sleepable context is needed.
>
> Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
> per-acomp_ctx") increased the UAF surface area by making the per-CPU
> buffers dynamic, adding yet another resource that can be freed from
> under zswap compression/decompression by CPU hotunplug.
>
> There are a few ways to fix this:
> (a) Add a refcount for acomp_ctx.
> (b) Disable migration while using the per-CPU acomp_ctx.
> (c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding
>     the CPUs read lock.
>
> Implement (c) since it's simpler than (a), and (b) involves using
> migrate_disable() which is apparently undesired (see huge comment in
> include/linux/preempt.h).
>
> Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
> Reported-by: Johannes Weiner
> Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
> Reported-by: Sam Sun
> Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/
> Cc:
> Signed-off-by: Yosry Ahmed

This email was sent out by mistake, this patch is already merged, please ignore it.
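
The race described in the quoted commit message and fix (c), as a deterministic userspace model. This is an added example, not code from the patch or the kernel: `struct acomp_ctx` here is a one-field stand-in, and `model_cpus_read_lock()`, `cpu_hotunplug()` and `compress_with_unplug()` are hypothetical helpers. The real hotplug writer blocks until readers drain; the model reports "deferred" instead so the interleaving can be replayed in one thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define NR_CPUS 2

/* Stand-in for the per-CPU context; buffer is the resource freed on hotunplug. */
struct acomp_ctx { unsigned char *buffer; };

static struct acomp_ctx ctxs[NR_CPUS];
static int hotplug_readers;            /* models holders of the CPUs read lock */

static void cpu_online(int cpu)
{
    if (!ctxs[cpu].buffer)
        ctxs[cpu].buffer = calloc(1, 64);
}

static void model_cpus_read_lock(void)   { hotplug_readers++; }
static void model_cpus_read_unlock(void) { hotplug_readers--; }

/* Models the teardown done in zswap_cpu_comp_dead(): frees the ctx resources.
 * Returns false (deferred) while any reader holds the lock. */
static bool cpu_hotunplug(int cpu)
{
    if (hotplug_readers > 0)
        return false;
    free(ctxs[cpu].buffer);
    ctxs[cpu].buffer = NULL;
    return true;
}

/* One [de]compression: take CPU 0's ctx, then CPU 0 is unplugged while the
 * task continues elsewhere. Returns true if the ctx was intact when used;
 * false marks the point where the kernel would touch freed memory. */
static bool compress_with_unplug(bool hold_cpus_lock)
{
    bool ok;

    cpu_online(0);
    if (hold_cpus_lock)
        model_cpus_read_lock();
    struct acomp_ctx *ctx = &ctxs[0];  /* per-CPU lookup at start of operation */
    cpu_hotunplug(0);                  /* hotunplug races with the operation */
    ok = ctx->buffer != NULL;          /* checked here instead of dereferenced */
    if (ok)
        ctx->buffer[0] = 1;            /* safe use of the per-CPU buffer */
    if (hold_cpus_lock)
        model_cpus_read_unlock();
    return ok;
}
```
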