From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 512E5C54E67 for ; Sat, 16 Mar 2024 02:41:20 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7B3CC80155; Fri, 15 Mar 2024 22:41:19 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7639C800B4; Fri, 15 Mar 2024 22:41:19 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6043B80155; Fri, 15 Mar 2024 22:41:19 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 50BA3800B4 for ; Fri, 15 Mar 2024 22:41:19 -0400 (EDT) Received: from smtpin12.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id A593D1402C1 for ; Sat, 16 Mar 2024 02:41:18 +0000 (UTC) X-FDA: 81901350636.12.5FAD2F3 Received: from mail-qv1-f44.google.com (mail-qv1-f44.google.com [209.85.219.44]) by imf08.hostedemail.com (Postfix) with ESMTP id D326A160013 for ; Sat, 16 Mar 2024 02:41:16 +0000 (UTC) Authentication-Results: imf08.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=OBaIC9dX; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf08.hostedemail.com: domain of nphamcs@gmail.com designates 209.85.219.44 as permitted sender) smtp.mailfrom=nphamcs@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1710556876; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Xs/qHkwiAn1LVXTsqARJfQt1+fMTbCUVX2OKxRrwDh0=; b=K01lKuabim6gWAOxLlZFb8X9HAtsdbiyySvQcE0cfj7fJDUiB+rRdxQeKdiIbkAgwxYvqS t433lt40H/1QkxX7BvgucWMvc2CutWbhfV+gFmg9tB8BPQZBmPVO3tD6kITmzLVXsC9biI IqYMDJmMoYhreXH7sL04D1Z1Du++4Yg= ARC-Authentication-Results: i=1; imf08.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=OBaIC9dX; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf08.hostedemail.com: domain of nphamcs@gmail.com designates 209.85.219.44 as permitted sender) smtp.mailfrom=nphamcs@gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1710556876; a=rsa-sha256; cv=none; b=6gLQruhp0z8HYBsKzpOxcH04fwIp0zalCf2pcM+siCNYvOOw1FnqerITjBplUfOKYIQPD0 Q1/NspLdNKxJD7zjagvN+Bt36ICGIe2C9pFGeWZb3hVcCCEWz3H5fyRVJ2ZqXBVm+rzG3G yMtQr8SoWs725XfQhyE9ykIIt01xx4E= Received: by mail-qv1-f44.google.com with SMTP id 6a1803df08f44-690be110d0dso17056636d6.3 for ; Fri, 15 Mar 2024 19:41:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710556876; x=1711161676; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Xs/qHkwiAn1LVXTsqARJfQt1+fMTbCUVX2OKxRrwDh0=; b=OBaIC9dXpYhM1gjE7TsLy0s6qm00sCLvaTmgKUdiDqm/Xikk4Rj4RELVcn7j29KqmT 4lfbQUdN6QMzG9EttiCvuP9WgI6G8J0lb5UHvac69PCZCxFi1pJcws+Pz7C2eEq3f/+O bLeXQ3h8gb6hHLfuyTylwKdLBmX7uztQI7fKPsz9BhlJDcMrcf7saFJB3CfsAaTxrScu Ge125M+/tI1xz+HcQglEf56vYDe35mC0pS6SpxOVlZdNPHhwYs3enuYqK6wI2UY6qjtF BgLPmHzL3PiNHfoqWT9huIvUTEb5bHwaPCuC3aOoDyGSJnaTK/qTF+wLP78f/J2pE+pI OluQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710556876; x=1711161676; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Xs/qHkwiAn1LVXTsqARJfQt1+fMTbCUVX2OKxRrwDh0=; b=enbWIo01qOD+xmZr12W9gY4EY6g1t1D1lc5bneeRxpXE75MLnkjpapGXCV3vHnXOZx MfUAjcIhEUAh2m6p3vqTv0N3BGRgYfnzeDsR9bdtoEgoGdDMM50yzjmihOnuCXYWIQar Ifb7aNftk3pYsV9FTInuNJZcDcjq5Mjd3+D+V76eLUyVuvRgcdivNDTjYqwHYfvNvvGX Eac7KQHoO2qqVNJCG/nZfZp+r28XzLnJiT855OdKtURkS7XnRXnro59ZHwSAh86DXWJ5 859ZJUNjeloQGz/e6ZlMVqwVg2xEINT2MfMbbxMSFbtz92Wf1vGD/qM/4mlbrzizC+PA HTGA== X-Forwarded-Encrypted: i=1; AJvYcCXJEmg5mmf0fXmVutwowMygLiusIYnZGm3fCfH7zGG6xT1qMyQ/Vbj98TFsqpDnVo9Unly6835eSHBSxgH0+F18zlM= X-Gm-Message-State: AOJu0YxuXZ0q31OyMygt3L441M4PEJdEiqtU9vasqbgvvHAmOQOIYFlu r/PQHHSdIISIKENB1TJazcG2etf/ITrKd9uR0tLIRsah2456jK6vTkZu7a0XRwM+2YTm8oQ8i+o ebG90yXlM9tDoQTDPnp+oArdTTl8= X-Google-Smtp-Source: AGHT+IF5tONZB4WFghFyRw0b/5i6NrX1pN/BkvK3odjKYKS+CpaF/PdomnXTS4SOt7YODWcXGP/woySosc89VsvPe/c= X-Received: by 2002:a05:6214:947:b0:691:6122:68b2 with SMTP id dn7-20020a056214094700b00691612268b2mr4987586qvb.27.1710556875878; Fri, 15 Mar 2024 19:41:15 -0700 (PDT) MIME-Version: 1.0 References: <20240314164941.580454-1-hannes@cmpxchg.org> <1551fa14-2a95-49fd-ab1a-11c38ae29486@linux.dev> <20240315093010.GB581298@cmpxchg.org> <20240315095556.GC581298@cmpxchg.org> In-Reply-To: <20240315095556.GC581298@cmpxchg.org> From: Nhat Pham Date: Sat, 16 Mar 2024 09:41:04 +0700 Message-ID: Subject: Re: [PATCH] mm: cachestat: fix two shmem bugs To: Johannes Weiner Cc: Chengming Zhou , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: D326A160013 X-Rspam-User: X-Rspamd-Server: rspam02 X-Stat-Signature: hd1nturabj8wrumaf7ufyemdd384d68t X-HE-Tag: 1710556876-485609 X-HE-Meta: U2FsdGVkX1888d3W7CtDvwYbv5L3xQrtaeBeSI4W3wl6lJCLdP1SBNyvsyQGSkaaGJlgenhVzyK4oC2KdfeDzSemSU6dy8IWo5jnO/AhuLMSJ5E0KhnrDWmaPyGxCL/qJR3s60yltcFaBnF3ppgH4xIamh3LLHstpFVgAc5r+cQQldnBV0FsfK7YUAAoxDkvYu0VhMEfqskFFHOozpyF40SIM0YAIN0IBrvJdsxU7z9BiZ+WuG91Eam0pAgKt/VwmfqJiWCSlhADR533xkiDVa9tCif/lUcsQQziVU6lYENfBXY8WLtLZWYptbY3U/au8bgQi/9Ry+9ZCe33h562WliBUvihuaF8dhTQdNHTKMfUcljlJlp2LqqJrvcsr5dpfhn1W+ddZDvRSdAEVe8cqjG7pHUILXT0FLqN7kMfMeTw/559fEVB/FpSj1VCX8WEoYaOZjlzckjkgAu3nwIXtfYYIpUbWUs0wPEsjbE3hj+E0uYAmQHEJp9QVZMvvZqKRKSeuZAmxurnWcjduHCLjIuyezEvl9ZeyCOe/4CuHh3+NweyFAiJhQbEqQ6vMW1PMqhibZJT1ncOV/M/hpqgssVMsSsbjDG3pN7tUiIrCClQkr+dvjuJULpQbA5z5QohvftUxRg2bgnf4XsbskSDxaUppNum294IxB+/UPgnIUA0cP1/f+OG6fpw5lSlRkVZ6wNA20MDpa4yRbdu5dG2eGBYTQK/UnwIsKfJbOmJnPhwDtp9hfEk4MHueeUJxpzWaM7MIhljlpcHdu80Y1Kssuj726Hm+dv/mzXofFmAOyJO+Ib5sqw8mu8tRM6eIDgyLwFd5dLbRCfUqfZaBkV74FdUC7MGD0UloWqUGJHxV4k2CXDHWGx5Y2vuxw5U92AoOolsqqN82aY05mXvgmkTSsJ7a5SBHXwOAJwed5HWwoI/UG+stadlmbC2Wo4Bi/jXIF/6lWnQDsSdWob9wHJ ewhXVq8K l/CxVxJCFcPM+6hHG6MvpWlZ4X1Px7ubiNnVo3knqVGhk9DR3qoFUli/Xo0kyPKzeNUjpBQWG8EeZ/X/rt3DT9gYRQQUogbOq05NHlEzKesYUwWRfs9CsKPnGTAvFIGzIZvGG9riGiCe3e7vu21DvztOokRYj8iU9y+tKJc/Eyz1pXn5FElV4iABfCEWMUAFGlbV1aaYFNCW/2xxvtOfat7ButF1xea/lW/iH7tej68LoQnPuUMDo+YF0USS2HZxGvzPzI1lCs799Wk8HIDOkxoZdEvuQZ3FEz/scgJM+MH9znTzLhP2+LfIM5s5iOiaF5Lu1rOb+EB6An7SPrJbdBKzivKQC/bBynZh9o29JnKgwotR5JulZ0lExwZwLmRl9H3GAeFjID603sYEYk+GeI506vaiefwSu9d0NMfEO5/5WBHPhc+gKx4B5JVSbzvxxblBc3mdrZL3ekW4ShtrWQvXedwGbBKTeVz2haJx31uaiXC40DFEvCrpu4F37RaVZfh2g X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, Mar 15, 2024 at 4:55=E2=80=AFPM Johannes Weiner wrote: > > When cachestat on shmem races with swapping and invalidation, there > are two possible bugs: > > 1) A swapin error can have resulted in a poisoned swap entry in the > shmem inode's xarray. Calling get_shadow_from_swap_cache() on it > will result in an out-of-bounds access to swapper_spaces[]. > > Validate the entry with non_swap_entry() before going further. > > 2) When we find a valid swap entry in the shmem's inode, the shadow > entry in the swapcache might not exist yet: swap IO is still in > progress and we're before __remove_mapping; swapin, invalidation, > or swapoff have removed the shadow from swapcache after we saw the > shmem swap entry. > > This will send a NULL to workingset_test_recent(). The latter > purely operates on pointer bits, so it won't crash - node 0, memcg > ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a > bogus test. In theory that could result in a false "recently > evicted" count. > > Such a false positive wouldn't be the end of the world. But for > code clarity and (future) robustness, be explicit about this case. > > Bail on get_shadow_from_swap_cache() returning NULL. > > Fixes: cf264e1329fb ("cachestat: implement cachestat syscall") > Cc: stable@vger.kernel.org [v6.5+] > Reported-by: Chengming Zhou [Bug #1] > Reported-by: Jann Horn [Bug #2] > Signed-off-by: Johannes Weiner Nice catch! Thanks for the report, Chengming and Jann, and thanks for the fix, Johannes! Reviewed-by: Nhat Pham > --- > mm/filemap.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/mm/filemap.c b/mm/filemap.c > index 222adac7c9c5..0aa91bf6c1f7 100644 > --- a/mm/filemap.c > +++ b/mm/filemap.c > @@ -4198,7 +4198,23 @@ static void filemap_cachestat(struct address_space= *mapping, > /* shmem file - in swap cache */ > swp_entry_t swp =3D radix_to_swp_entry(fo= lio); > > + /* swapin error results in poisoned entry= */ > + if (non_swap_entry(swp)) > + goto resched; > + > + /* > + * Getting a swap entry from the shmem > + * inode means we beat > + * shmem_unuse(). rcu_read_lock() > + * ensures swapoff waits for us before > + * freeing the swapper space. However, > + * we can race with swapping and > + * invalidation, so there might not be > + * a shadow in the swapcache (yet). > + */ > shadow =3D get_shadow_from_swap_cache(swp= ); > + if (!shadow) > + goto resched; > } > #endif > if (workingset_test_recent(shadow, true, &working= set)) > -- > 2.44.0 >