From patchwork Mon Jan  6 23:52:48 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yosry Ahmed <yosryahmed@google.com>
X-Patchwork-Id: 13927903
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 820A9E77188
	for <linux-mm@archiver.kernel.org>; Mon,  6 Jan 2025 23:52:59 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 463A76B00BF; Mon,  6 Jan 2025 18:52:58 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 375D26B00C1; Mon,  6 Jan 2025 18:52:58 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 1F0AD6B00C2; Mon,  6 Jan 2025 18:52:58 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id E88906B00BF
	for <linux-mm@kvack.org>; Mon,  6 Jan 2025 18:52:57 -0500 (EST)
Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 988861204D8
	for <linux-mm@kvack.org>; Mon,  6 Jan 2025 23:52:57 +0000 (UTC)
X-FDA: 82978679994.25.ACE0007
Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com
 [209.85.216.74])
	by imf21.hostedemail.com (Postfix) with ESMTP id BF0141C000C
	for <linux-mm@kvack.org>; Mon,  6 Jan 2025 23:52:55 +0000 (UTC)
Authentication-Results: imf21.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b=MS4M8Axd;
	spf=pass (imf21.hostedemail.com: domain of
 31mx8ZwoKCOMdTXWdFMRJILTTLQJ.HTRQNSZc-RRPaFHP.TWL@flex--yosryahmed.bounces.google.com
 designates 209.85.216.74 as permitted sender)
 smtp.mailfrom=31mx8ZwoKCOMdTXWdFMRJILTTLQJ.HTRQNSZc-RRPaFHP.TWL@flex--yosryahmed.bounces.google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1736207575; a=rsa-sha256;
	cv=none;
	b=SimSmr4fOwIe38D/FERQNJiXqM3F/WaHMCJYbEbm5LCzUZdZrGvwFPu6H+O2f+F7fx1wSx
	VVL59C/V83AXFwXzx++o5DAbXCfdSWSPcsXtX/nu8v8IqZ6gvqvrlukY0Rx6sE4IkxY4Ph
	xoEGBTcC3tbW0rlBlu17k4GVs7FrMvI=
ARC-Authentication-Results: i=1;
	imf21.hostedemail.com;
	dkim=pass header.d=google.com header.s=20230601 header.b=MS4M8Axd;
	spf=pass (imf21.hostedemail.com: domain of
 31mx8ZwoKCOMdTXWdFMRJILTTLQJ.HTRQNSZc-RRPaFHP.TWL@flex--yosryahmed.bounces.google.com
 designates 209.85.216.74 as permitted sender)
 smtp.mailfrom=31mx8ZwoKCOMdTXWdFMRJILTTLQJ.HTRQNSZc-RRPaFHP.TWL@flex--yosryahmed.bounces.google.com;
	dmarc=pass (policy=reject) header.from=google.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1736207575;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=3yFOLSL2TfUAEzSx+UOo2WhAKWhm5ykdPtl21TGuHcs=;
	b=HTGmNXndkF62jnR/jmtCR4mKAYsyLmw/Xt3nhfXglNLraO1zm6TP8DrRL1mILq/Nw8GAg6
	M3WilwSBHwtg+DtBCSFCjCbSy60gi8tmaONU7oRCt7RTjopYKuVSgHWqQkFhLZK3OhXDv3
	eorX/aX4z6ZtESckdT/5OGLNidZHXOE=
Received: by mail-pj1-f74.google.com with SMTP id
 98e67ed59e1d1-2ef8c7ef51dso20683818a91.1
        for <linux-mm@kvack.org>; Mon, 06 Jan 2025 15:52:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1736207574; x=1736812374; darn=kvack.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=3yFOLSL2TfUAEzSx+UOo2WhAKWhm5ykdPtl21TGuHcs=;
        b=MS4M8AxdtqrQCtACq51b9smtDGlrik/KLqQz7tHkXKFfHT1+EzmaVGkVWl8aP/iqas
         5w+7y4nbw+FoCi6BTYB0QS8P0dE7OQp/5Px0XXIDNu3qA/NT+9XaipOXCq9u4gXYvCxq
         B7f8mq2082fjQMus5lQb4dnZc68dQrE9l33jj5zJZumAhgJXavnbTE7vJgVnKl+uui0C
         N03EyCpPxIpAP6lSPp4PT09WK7gzvaDrhU4uf5p+rt60iHcYaRzs1NXsFgytOmbvMr86
         YQG+rkDXlzHuwp0WV6dz3nvA2lnKfi1OSyAWI5FmQgoxCtXbWieOyEQFA5VInZ2MMu2q
         GkHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1736207574; x=1736812374;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=3yFOLSL2TfUAEzSx+UOo2WhAKWhm5ykdPtl21TGuHcs=;
        b=tkUeCjLXlPsGkmycUhKP8dSFDxpfZ5y01lQxu3IXWkIpVdBgFNEGLPjKW7mxypuYtd
         EiF7kklzflT64hufI/7Lp315Cr7sLMzHqx91Tc0tGm7DHfPBhpKWAmEIcYPvzKCnoHPm
         0txKUBKJj2y+kgPmMOOlqmlnBaaVB5bU3jiQM32mFhouX9cFoEcY531wmwkWpHpfaYy+
         vP4AMb/4uhaRHqgWuL1YGzAxhfuTN+CTxjtAaoK5wm7fUOh7SrvEGGecbUqsi9tQ456M
         sKA2hlzyAjPHIA8p8H2zKxtfv9dsbEbHZnbIiGoHRHFKMRLuKdG5Umvhr90hDVsmeK48
         BEtg==
X-Forwarded-Encrypted: i=1;
 AJvYcCXeAD3dsBpR8jrevcXUE2aPVJLE0jcmVaIzbCVj2S9s7PGMavu97UAYx9KwdXJ6nmJt0smmQSBmdg==@kvack.org
X-Gm-Message-State: AOJu0YyxKrchllFw6GJeRWbtO4BZ5+ZUBd10unaeSb+gz2mFD7e5IqqW
	42euRjHzrNmD3KGd1uf9DqkHQHUA7UuyueXMvZjzSHv97pDrxrsIr7H36ckn4mgXkch732el/Fj
	4sm+PnmGJSOBsEns4Hw==
X-Google-Smtp-Source: 
 AGHT+IGilXiaseFzPJ00sXdJf707iT7mF26G6sF1EJrcgRW5+vr98rGffrV/iHlAzcUoOCMMkmX/KukWcNQrKuW/
X-Received: from pjbsh15.prod.google.com
 ([2002:a17:90b:524f:b0:2ea:29de:af10])
 (user=yosryahmed job=prod-delivery.src-stubby-dispatcher) by
 2002:a17:90b:2e4b:b0:2ee:463d:8e8d with SMTP id
 98e67ed59e1d1-2f53cc6e272mr1702697a91.14.1736207574602;
 Mon, 06 Jan 2025 15:52:54 -0800 (PST)
Date: Mon,  6 Jan 2025 23:52:48 +0000
In-Reply-To: <20250106235248.1501064-1-yosryahmed@google.com>
Mime-Version: 1.0
References: <20250106235248.1501064-1-yosryahmed@google.com>
X-Mailer: git-send-email 2.47.1.613.gc27f4b7a9f-goog
Message-ID: <20250106235248.1501064-3-yosryahmed@google.com>
Subject: [PATCH 2/2] mm: zswap: use SRCU to synchronize with CPU hotunplug
From: Yosry Ahmed <yosryahmed@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>, Nhat Pham <nphamcs@gmail.com>,
	Chengming Zhou <chengming.zhou@linux.dev>,
 Vitaly Wool <vitalywool@gmail.com>,
	Barry Song <baohua@kernel.org>, Sam Sun <samsun1006219@gmail.com>,
 linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, Yosry Ahmed <yosryahmed@google.com>
X-Rspamd-Queue-Id: BF0141C000C
X-Stat-Signature: 9axnk5uajxna79fp6shcf9ge7fahyi1x
X-Rspam-User: 
X-Rspamd-Server: rspam09
X-HE-Tag: 1736207575-793115
X-HE-Meta: 
 U2FsdGVkX1/+jVTKaMmIXs9t6j3CbO/rVnsNfKZV8TLSSRlGTI7yLWJZpDwJqumt7qEPuLMbFg7xmyt5+U67dY5W1RfrvPlGTUkk7qhNK355NMeT15u0gCx5vnQdMjjSEIhpmgCfbT32CYYQrwPU+OEXwZA8NkPlD2IDcZOY+ghbZQbou4j835TaEYMY6WZQmjCGYjpUEThRZlNOkJmEmVyTw/oP6czCqNxkXx+mYgxjGFqSnO/Pf+lYsjV7WF+CYOLYkOPD/7YxcHPe93Qr3y7AyKfEu+w7q3pFjXctIU0lydsswadUVzrZykdXiEhrhsiogNlele+nDnZhvfZO5Gj8cCTj5cCNNOOyRovoxVXvVCY0+vDZ+h8FxJ+nXbg7T0E6LoSRWANgYIv2ffIiw1wdAGJhPZVAs7ashLWdTgiJigT++uWHp0Ww9enb/QjByxQeAG7dPHBJ7SjXBRO7toMcU1CSeU/X8//D+RKz3utzaGjJS7eqC9Ka66jZ7Iwo3PeG7tfq8kYefUUgve6mixUDc2IBT2IzZXWYLckhemSaoCF9PrhMoS4Qu93LaY8lDjnFatRMNsgpZLCKLyn0APMwIvvo90qTmWEVxwy9GUuNMYdvqYjQIfVrdGf/7FCcwQbWUYGj+nQ+7z3y+2XchHNTWaulgRRzLrHFlyHHIjQdyJpndYvCMfNasOwJIzdB3fnF97y4NWYedzDSd2ikqrPKfsViwy534aDhlv2yKsdvR335yWJe0N3ERYsPxh01nti0g4jbHuru5l+hBJiuE3C3OWzp5wp1jtJNQvuvTQhzBJ8eTDYs/ysbvwLIJysOu0jPvbDUu33bzDYVUeCbGuK4dEeyPJeaReN3qKit11+ezBjxf0ktS+4Yx+8FfmsLo3ZU+zuKPFitioiMuUa199KKiwfMJOaximvlIEWM4WsmhmOSxiAjXLRGjeYiUge3lsMTsPOHC+M8g6wOIsC
 6XgAVzku
 t1SsqZRnWs7Swl5T0dDvdxDohpDpdK+mfbtj9S83FQ/JN9uDfDeUNQqO2M6r/B5C/tfAiHT+PNj9Y7YIiLQt8tND3WGQSoy1qg/R3iJJLh6RbgvpPW1abfKDAK6P/Fhy5SC0il+YqpaLuYTye00rZPeYEJKdqNxtqNiWc4UBFuXzKvQVj/IIvtNKzksAlDsEGFAVKRJBoB5HU1K5Nhccrx3TaEJphKyYXNPIEYkiiYBiVPqRxdsIjPZChzFfP78z9ZcDTMCawNGncowt5OIlXecZp5dFZeI3OqxGXgHjTNaiIiq6M9VlXlvcj54qzQDTay5Cna7nG6Hv3W38H3ZeXl4fRSOU4rxkvetDvIuS7mM7Ka6/xgOhUYN2Qzlh02eYXBi60k+sf/FA1IohLsSjD59DzXCofCr4cEVWWIoZ3Ep5Mi+1F7cTGAnXtKTAnOf6D5miO3Ba+cWZviWBn3u64CGvjIRIyzn0HrN9wjUw4+eu7BPjH26F8QZ/wuYJpYKrkABKXD3YdVwMGbhZijmBoDSGwSitUv7oy3CBihMYgrLzgMan9s8zbzCyt+G/ambEf7R5d93ZCa7482Hv0xeeDBfygBFYFsQ6NjTgQu5c+fTfsnh1ilT+lCuov82p4UhLR9d45McwTzLxVYOG5i3eqk5Tmw2ICfrWDMaU1dR0hWPhThIki5ibbuYwTWQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the
current CPU at the beginning of the operation is retrieved and used
throughout.  However, since neither preemption nor migration are disabled,
it is possible that the operation continues on a different CPU.

If the original CPU is hotunplugged while the acomp_ctx is still in use,
we run into a UAF bug as the resources attached to the acomp_ctx are freed
during hotunplug in zswap_cpu_comp_dead().

The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use
crypto_acomp API for hardware acceleration") when the switch to the
crypto_acomp API was made.  Prior to that, the per-CPU crypto_comp was
retrieved using get_cpu_ptr() which disables preemption and makes sure the
CPU cannot go away from under us.  Preemption cannot be disabled with the
crypto_acomp API as a sleepable context is needed.

Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to
per-acomp_ctx") increased the UAF surface area by making the per-CPU
buffers dynamic, adding yet another resource that can be freed from under
zswap compression/decompression by CPU hotunplug.

There are a few ways to fix this:
(a) Add a refcount for acomp_ctx.
(b) Disable migration while using the per-CPU acomp_ctx.
(c) Use SRCU to wait for other CPUs using the acomp_ctx of the CPU being
hotunplugged. Normal RCU cannot be used as a sleepable context is
required.

Implement (c) since it's simpler than (a), and (b) involves using
migrate_disable() which is apparently undesired (see huge comment in
include/linux/preempt.h).

Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration")
Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
Reported-by: Johannes Weiner <hannes@cmpxchg.org>
Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/
Reported-by: Sam Sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/
---
 mm/zswap.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/mm/zswap.c b/mm/zswap.c
index f6316b66fb236..4b0eb370823e8 100644
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -864,12 +864,22 @@ static int zswap_cpu_comp_prepare(unsigned int cpu, struct hlist_node *node)
 	return ret;
 }
 
+DEFINE_STATIC_SRCU(acomp_srcu);
+
 static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
 {
 	struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
 	struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
 
 	if (!IS_ERR_OR_NULL(acomp_ctx)) {
+		/*
+		 * Even though the acomp_ctx should not be currently in use on
+		 * @cpu, it may still be used by compress/decompress operations
+		 * that started on @cpu and migrated to a different CPU. Wait
+		 * for such usages to complete, any news usages would be a bug.
+		 */
+		synchronize_srcu(&acomp_srcu);
+
 		if (!IS_ERR_OR_NULL(acomp_ctx->req))
 			acomp_request_free(acomp_ctx->req);
 		if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
@@ -880,6 +890,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
 	return 0;
 }
 
+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx,
+						  int *idx)
+{
+	*idx = srcu_read_lock(&acomp_srcu);
+	return raw_cpu_ptr(acomp_ctx);
+}
+
+static void acomp_ctx_put_cpu(int idx)
+{
+	srcu_read_unlock(&acomp_srcu, idx);
+}
+
 static bool zswap_compress(struct page *page, struct zswap_entry *entry,
 			   struct zswap_pool *pool)
 {
@@ -892,9 +914,9 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
 	char *buf;
 	gfp_t gfp;
 	u8 *dst;
+	int idx;
 
-	acomp_ctx = raw_cpu_ptr(pool->acomp_ctx);
-
+	acomp_ctx = acomp_ctx_get_cpu(pool->acomp_ctx, &idx);
 	mutex_lock(&acomp_ctx->mutex);
 
 	dst = acomp_ctx->buffer;
@@ -950,6 +972,7 @@ static bool zswap_compress(struct page *page, struct zswap_entry *entry,
 		zswap_reject_alloc_fail++;
 
 	mutex_unlock(&acomp_ctx->mutex);
+	acomp_ctx_put_cpu(idx);
 	return comp_ret == 0 && alloc_ret == 0;
 }
 
@@ -959,8 +982,9 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
 	struct scatterlist input, output;
 	struct crypto_acomp_ctx *acomp_ctx;
 	u8 *src;
+	int idx;
 
-	acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
+	acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx, &idx);
 	mutex_lock(&acomp_ctx->mutex);
 
 	src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO);
@@ -990,6 +1014,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio)
 
 	if (src != acomp_ctx->buffer)
 		zpool_unmap_handle(zpool, entry->handle);
+	acomp_ctx_put_cpu(idx);
 }
 
 /*********************************