From: Kairui Song <ryncsn@gmail.com>
To: Kemeng Shi <shikemeng@huaweicloud.com>
Cc: akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/6] mm: swap: use correct step in loop to wait all clusters in wait_for_allocation()
Date: Sun, 23 Feb 2025 01:32:46 +0800 [thread overview]
Message-ID: <CAMgjq7ATkczfS5axBwcZaht1SzZ5TtYXg=P7jvn-EKhNKWmoOw@mail.gmail.com> (raw)
In-Reply-To: <20250222160850.505274-3-shikemeng@huaweicloud.com>
On Sat, Feb 22, 2025 at 3:12 PM Kemeng Shi <shikemeng@huaweicloud.com> wrote:
>
> Use the correct step in the loop to wait for all clusters in wait_for_allocation().
> If we miss some cluster in wait_for_allocation(), a use-after-free may
> occur as follows:
> shmem_writepage                              swapoff
> folio_alloc_swap
> get_swap_pages
> scan_swap_map_slots
> cluster_alloc_swap_entry
> alloc_swap_scan_cluster
> cluster_alloc_range
> /* SWP_WRITEOK is valid */
> if (!(si->flags & SWP_WRITEOK))
>
>                                              ...
>                                              del_from_avail_list(p, true);
>                                              ...
>                                              /* miss the cluster in shmem_writepage */
>                                              wait_for_allocation()
>                                              ...
>                                              try_to_unuse()
>
> memset(si->swap_map + start, usage, nr_pages);
> swap_range_alloc(si, nr_pages);
> ci->count += nr_pages;
> /* return a valid entry */
>
>                                              ...
>                                              exit_swap_address_space(p->type);
>                                              ...
>
> ...
> add_to_swap_cache
> /* dereference swap_address_space(entry) which is NULL */
> xas_lock_irq(&xas);
>
> Fixes: e47bd46eab97e ("mm, swap: hold a reference during scan and cleanup flag usage")
> Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
> ---
> mm/swapfile.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/mm/swapfile.c b/mm/swapfile.c
> index e5f58ab86329..425126c0a07d 100644
> --- a/mm/swapfile.c
> +++ b/mm/swapfile.c
> @@ -2627,7 +2627,6 @@ static void wait_for_allocation(struct swap_info_struct *si)
> for (offset = 0; offset < end; offset += SWAPFILE_CLUSTER) {
> ci = lock_cluster(si, offset);
> unlock_cluster(ci);
> - offset += SWAPFILE_CLUSTER;
> }
> }
>
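Review bot: the removed `offset += SWAPFILE_CLUSTER;` at the end of the loop body duplicated the increment already in the `for` header, so each iteration advanced by two clusters and only every other cluster got the lock_cluster()/unlock_cluster() pair. With the body increment gone the loop visits every cluster in [0, end) at a stride of one SWAPFILE_CLUSTER, which is what is needed to drain an allocator that passed the SWP_WRITEOK check before del_from_avail_list(), as the trace in the commit message shows. Since an empty lock/unlock pair is easy to mistake for dead code, a one-line comment above the loop stating that it is a barrier against in-flight cluster_alloc_range() callers would help keep the stride from being "fixed" again.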
Thanks, good catch.
Reviewed-by: Kairui Song <kasong@tencent.com>