Date: Tue, 19 Mar 2024 00:01:41 +0000
In-Reply-To: <20240318234706.95347-1-21cnbao@gmail.com>
References: <20240318234706.95347-1-21cnbao@gmail.com>
Subject: Re: [PATCH v2] mm: zswap: fix kernel BUG in sg_init_one
From: Yosry Ahmed
To: Barry Song <21cnbao@gmail.com>
Cc: hannes@cmpxchg.org, nphamcs@gmail.com, akpm@linux-foundation.org, chrisl@kernel.org, v-songbaohua@oppo.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ira.weiny@intel.com, syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com

On Tue, Mar 19, 2024 at 12:47:06PM +1300, Barry Song wrote:
> From: Barry Song
>
> sg_init_one() relies on linearly mapped low memory for the safe
> utilization of virt_to_page(). Otherwise, we trigger a kernel
> BUG,
>
> kernel BUG at include/linux/scatterlist.h:187!
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 0 PID: 2997 Comm: syz-executor198 Not tainted 6.8.0-syzkaller #0
> Hardware name: ARM-Versatile Express
> PC is at sg_set_buf include/linux/scatterlist.h:187 [inline]
> PC is at sg_init_one+0x9c/0xa8 lib/scatterlist.c:143
> LR is at sg_init_table+0x2c/0x40 lib/scatterlist.c:128
> Backtrace:
> [<807e16ac>] (sg_init_one) from [<804c1824>] (zswap_decompress+0xbc/0x208 mm/zswap.c:1089)
> r7:83471c80 r6:def6d08c r5:844847d0 r4:ff7e7ef4
> [<804c1768>] (zswap_decompress) from [<804c4468>] (zswap_load+0x15c/0x198 mm/zswap.c:1637)
> r9:8446eb80 r8:8446eb80 r7:8446eb84 r6:def6d08c r5:00000001 r4:844847d0
> [<804c430c>] (zswap_load) from [<804b9644>] (swap_read_folio+0xa8/0x498 mm/page_io.c:518)
> r9:844ac800 r8:835e6c00 r7:00000000 r6:df955d4c r5:00000001 r4:def6d08c
> [<804b959c>] (swap_read_folio) from [<804bb064>] (swap_cluster_readahead+0x1c4/0x34c mm/swap_state.c:684)
> r10:00000000 r9:00000007 r8:df955d4b r7:00000000 r6:00000000 r5:00100cca
> r4:00000001
> [<804baea0>] (swap_cluster_readahead) from [<804bb3b8>] (swapin_readahead+0x68/0x4a8 mm/swap_state.c:904)
> r10:df955eb8 r9:00000000 r8:00100cca r7:84476480 r6:00000001 r5:00000000
> r4:00000001
> [<804bb350>] (swapin_readahead) from [<8047cde0>] (do_swap_page+0x200/0xcc4 mm/memory.c:4046)
> r10:00000040 r9:00000000 r8:844ac800 r7:84476480 r6:00000001 r5:00000000
> r4:df955eb8
> [<8047cbe0>] (do_swap_page) from [<8047e6c4>] (handle_pte_fault mm/memory.c:5301 [inline])
> [<8047cbe0>] (do_swap_page) from [<8047e6c4>] (__handle_mm_fault mm/memory.c:5439 [inline])
> [<8047cbe0>] (do_swap_page) from [<8047e6c4>] (handle_mm_fault+0x3d8/0x12b8 mm/memory.c:5604)
> r10:00000040 r9:842b3900 r8:7eb0d000 r7:84476480 r6:7eb0d000 r5:835e6c00
> r4:00000254
> [<8047e2ec>] (handle_mm_fault) from [<80215d28>] (do_page_fault+0x148/0x3a8 arch/arm/mm/fault.c:326)
> r10:00000007 r9:842b3900 r8:7eb0d000 r7:00000207 r6:00000254 r5:7eb0d9b4
> r4:df955fb0
> [<80215be0>] (do_page_fault) from [<80216170>] (do_DataAbort+0x38/0xa8 arch/arm/mm/fault.c:558)
> r10:7eb0da7c r9:00000000 r8:80215be0 r7:df955fb0 r6:7eb0d9b4 r5:00000207
> r4:8261d0e0
> [<80216138>] (do_DataAbort) from [<80200e3c>] (__dabt_usr+0x5c/0x60 arch/arm/kernel/entry-armv.S:427)
> Exception stack(0xdf955fb0 to 0xdf955ff8)
> 5fa0: 00000000 00000000 22d5f800 0008d158
> 5fc0: 00000000 7eb0d9a4 00000000 00000109 00000000 00000000 7eb0da7c 7eb0da3c
> 5fe0: 00000000 7eb0d9a0 00000001 00066bd4 00000010 ffffffff
> r8:824a9044 r7:835e6c00 r6:ffffffff r5:00000010 r4:00066bd4
> Code: 1a000004 e1822003 e8860094 e89da8f0 (e7f001f2)
> ---[ end trace 0000000000000000 ]---
> ----------------
> Code disassembly (best guess):
> 0: 1a000004 bne 0x18
> 4: e1822003 orr r2, r2, r3
> 8: e8860094 stm r6, {r2, r4, r7}
> c: e89da8f0 ldm sp, {r4, r5, r6, r7, fp, sp, pc}
> * 10: e7f001f2 udf #18 <-- trapping instruction
>
> Consequently, we have two choices: either employ kmap_to_page() alongside
> sg_set_page(), or resort to copying high memory contents to a temporary
> buffer residing in low memory. However, considering the introduction
> of the WARN_ON_ONCE in commit ef6e06b2ef870 ("highmem: fix kmap_to_page()
> for kmap_local_page() addresses"), which specifically addresses high
> memory concerns, it appears that memcpy remains the sole viable
> option.
>
> Reported-and-tested-by: syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000bbb3d80613f243a6@google.com/
> Fixes: 270700dd06ca ("mm/zswap: remove the memcpy if acomp is not sleepable")
> Signed-off-by: Barry Song
> ---
> -v2:
> add comments according to Yosry
>
> mm/zswap.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
> > diff --git a/mm/zswap.c b/mm/zswap.c > index 9dec853647c8..dbd9f745fa8f 100644 > --- a/mm/zswap.c > +++ b/mm/zswap.c > @@ -1080,7 +1080,17 @@ static void zswap_decompress(struct zswap_entry *entry, struct page *page) > mutex_lock(&acomp_ctx->mutex); > > src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); > - if (acomp_ctx->is_sleepable && !zpool_can_sleep_mapped(zpool)) { > + /* > + * If zpool_map_handle is atomic, we cannot reliably utilize its mapped buffer > + * to do crypto_acomp_decompress() which might sleep. In such cases, we must > + * resort to copying the buffer to a temporary one. > + * Meanwhile, zpool_map_handle() might return a non-linearly mapped buffer, > + * such as a kmap address of high memory or even ever a vmap address. > + * However, sg_init_one is only equipped to handle linearly mapped low memory. > + * In such cases, we also must copy the buffer to a temporary and lowmem one. > + */ Can I interest you in something simpler? :) /* * There are two cases where we cannot directly use the pointer returned * by zpool_map_handle() during decompression and use a buffer instead: * 1. zpool_map_handle() is atomic but crypto_acomp_decompress() is not. * 2. The pointer is not in the direct map, so it cannot be used by * sg_init_one(). */ Whether you take it or not, feel free to add: Acked-by: Yosry Ahmed
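Review bot: The comment added above the condition in zswap_decompress() has a stray word in "or even ever a vmap address", and it names functions inconsistently: zpool_map_handle appears both with and without parentheses, and sg_init_one has none while crypto_acomp_decompress() does. Several of the added comment lines also run past 80 columns once the leading tab is counted, so rewrapping them (or taking the shorter two-item wording suggested in the reply) would help. Because the comment names both kmap and vmap addresses as possible return values of zpool_map_handle(), the condition that replaces the removed "acomp_ctx->is_sleepable && !zpool_can_sleep_mapped(zpool)" test needs to send both kinds of pointer down the copy path; the quoted hunk stops before that new condition, so it cannot be checked from these lines.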