From patchwork Tue Feb 6 18:08:55 2024
X-Patchwork-Submitter: Nhat Pham
X-Patchwork-Id: 13547685
From: Nhat Pham
To: akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, chengming.zhou@linux.dev, yosryahmed@google.com, linux-mm@kvack.org, kernel-team@meta.com, linux-kernel@vger.kernel.org
Subject: [PATCH v2] mm/swap_state: update zswap LRU's protection range with the folio locked
Date: Tue, 6 Feb 2024 10:08:55 -0800
Message-Id: <20240206180855.3987204-1-nphamcs@gmail.com>
X-Mailer: git-send-email 2.39.3
MIME-Version: 1.0

When a folio is swapped in, the protection size of the corresponding zswap LRU is incremented, so that the zswap shrinker is more conservative with its reclaiming action. This field is embedded within the struct lruvec, so updating it requires looking up the folio's memcg and lruvec.

However, currently this lookup can happen after the folio is unlocked, for instance if a new folio is allocated, and swap_read_folio() unlocks the folio before returning. In this scenario, there is no stability guarantee for the binding between a folio and its memcg and lruvec:

* A folio's memcg and lruvec can be freed between the lookup and the update, leading to a UAF.
* Folio migration can clear the now-unlocked folio's memcg_data, which directs the zswap LRU protection size update towards the root memcg instead of the original memcg.

This was recently picked up by syzbot thanks to a warning in the inlined folio_lruvec() call.

Move the zswap LRU protection range update above the swap_read_folio() call, and only when a new page is allocated, to prevent this.
Reported-by: syzbot+17a611d10af7d18a7092@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000ae47f90610803260@google.com/ Fixes: b5ba474f3f51 ("zswap: shrink zswap pool based on memory pressure") Signed-off-by: Nhat Pham Acked-by: Johannes Weiner Reviewed-by: Chengming Zhou --- mm/swap_state.c | 10 ++++++---- mm/zswap.c | 1 + 2 files changed, 7 insertions(+), 4 deletions(-) base-commit: 91f3daa1765ee4e0c89987dc25f72c40f07af34d diff --git a/mm/swap_state.c b/mm/swap_state.c index e671266ad772..7255c01a1e4e 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -680,9 +680,10 @@ struct folio *swap_cluster_readahead(swp_entry_t entry, gfp_t gfp_mask, /* The page was likely read above, so no need for plugging here */ folio = __read_swap_cache_async(entry, gfp_mask, mpol, ilx, &page_allocated, false); - if (unlikely(page_allocated)) + if (unlikely(page_allocated)) { + zswap_folio_swapin(folio); swap_read_folio(folio, false, NULL); - zswap_folio_swapin(folio); + } return folio; } @@ -855,9 +856,10 @@ static struct folio *swap_vma_readahead(swp_entry_t targ_entry, gfp_t gfp_mask, /* The folio was likely read above, so no need for plugging here */ folio = __read_swap_cache_async(targ_entry, gfp_mask, mpol, targ_ilx, &page_allocated, false); - if (unlikely(page_allocated)) + if (unlikely(page_allocated)) { + zswap_folio_swapin(folio); swap_read_folio(folio, false, NULL); - zswap_folio_swapin(folio); + } return folio; } diff --git a/mm/zswap.c b/mm/zswap.c index 4aea03285532..8c548f73d52e 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -827,6 +827,7 @@ void zswap_folio_swapin(struct folio *folio) struct lruvec *lruvec; if (folio) { + VM_WARN_ON_ONCE(!folio_test_locked(folio)); lruvec = folio_lruvec(folio); atomic_long_inc(&lruvec->zswap_lruvec_state.nr_zswap_protected); }
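Review bot: the reordered zswap_folio_swapin() call in the swap_cluster_readahead() hunk now depends on __read_swap_cache_async() returning the newly allocated folio still locked, and nothing at the call site records that; add a one-line comment above the call such as `/* folio is still locked: its memcg/lruvec binding is stable */` so a later reorder of this block, or a call inserted between the two statements, cannot silently reintroduce the race the commit message describes. The braces added around the now two-statement `if (unlikely(page_allocated))` branch are required and correct.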
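Review bot: the swap_vma_readahead() hunk repeats the identical three-line sequence from swap_cluster_readahead() (zswap_folio_swapin() then swap_read_folio() inside the `page_allocated` branch), and the bug being fixed is precisely that both copies had the order wrong; either carry the same lock-ordering comment to this site or fold the two into a small static helper in mm/swap_state.c so the fast paths cannot drift apart again. Not a blocker for this fix.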
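Review bot: the `VM_WARN_ON_ONCE(!folio_test_locked(folio))` added to zswap_folio_swapin() only fires on CONFIG_DEBUG_VM builds, and only once, so it states the locking contract for debug kernels but not for readers of the code; add a comment on the function (or on its declaration) saying the caller must hold the folio lock so that folio_lruvec() is stable. Note also that because the warning sits inside the existing `if (folio)` guard, a NULL folio skips both the check and the update; that is harmless for the two callers in this patch, where `page_allocated` implies a non-NULL folio, but the function still accepts NULL without complaint, which is worth a line in the same comment.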
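The ordering problem the commit message describes, modelled in user-space C as an added example (this is not kernel code and not part of the patch; `struct folio`, `model_folio_lruvec()`, `model_migrate()` and `model_swap_read_folio()` are simplified stand-ins for the kernel's folio, folio_lruvec(), migration and swap_read_folio(), with the lock reduced to a boolean and memcg_data to a pointer). It runs the buggy order (read, unlock, then look up the lruvec) and the fixed order (look up and account while still locked) against a folio whose memcg binding is cleared by migration once it is unlocked, and shows the protection count landing on the root memcg in the first case and on the original memcg in the second:

```c
/* Added example, not kernel code: a user-space model of why the zswap LRU
 * protection update must look up the folio's lruvec while the folio is locked.
 * Every struct and function here is a simplified stand-in for the kernel's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct lruvec { long nr_zswap_protected; };
struct mem_cgroup { const char *name; struct lruvec lruvec; };
struct folio { bool locked; struct mem_cgroup *memcg; }; /* memcg stands in for memcg_data */

static struct mem_cgroup root_memcg = { "root", { 0 } };
static int unlocked_lookups;   /* lruvec lookups that ran on an unlocked folio */

/* Stand-in for folio_lruvec(): an uncharged folio resolves to the root memcg's
 * lruvec; a lookup on an unlocked folio is counted, as the VM_WARN_ON_ONCE
 * in the fix would report it. */
static struct lruvec *model_folio_lruvec(struct folio *f)
{
    struct mem_cgroup *m;
    if (!f->locked)
        unlocked_lookups++;
    m = f->memcg ? f->memcg : &root_memcg;
    return &m->lruvec;
}

/* Stand-in for folio migration: only possible once the folio is unlocked,
 * and it clears the old folio's memcg binding. */
static bool model_migrate(struct folio *f)
{
    if (f->locked)
        return false;
    f->memcg = NULL;
    return true;
}

/* Stand-in for swap_read_folio(): unlocks the folio before returning. */
static void model_swap_read_folio(struct folio *f) { f->locked = false; }

/* Stand-in for zswap_folio_swapin(): bumps the protection count of whatever
 * lruvec the folio resolves to at the moment of the call. */
static void model_zswap_folio_swapin(struct folio *f)
{
    if (f)
        model_folio_lruvec(f)->nr_zswap_protected++;
}

/* Order before the patch: read (unlock) first, account afterwards. Returns
 * the protection count that reached the folio's original memcg. */
long buggy_order(struct mem_cgroup *memcg)
{
    struct folio f = { true, memcg };
    model_swap_read_folio(&f);
    model_migrate(&f);            /* races in between and clears the binding */
    model_zswap_folio_swapin(&f); /* resolves to root_memcg */
    return memcg->lruvec.nr_zswap_protected;
}

/* Order after the patch: account while still locked, then read (unlock). */
long fixed_order(struct mem_cgroup *memcg)
{
    struct folio f = { true, memcg };
    model_zswap_folio_swapin(&f); /* binding is stable under the lock */
    model_swap_read_folio(&f);
    model_migrate(&f);            /* too late to misdirect the update */
    return memcg->lruvec.nr_zswap_protected;
}

long root_protected(void) { return root_memcg.lruvec.nr_zswap_protected; }
int unlocked_lookup_count(void) { return unlocked_lookups; }
void reset_model(void) { root_memcg.lruvec.nr_zswap_protected = 0; unlocked_lookups = 0; }

int main(void)
{
    struct mem_cgroup a = { "A", { 0 } }, b = { "B", { 0 } };
    long got = buggy_order(&a);
    printf("buggy: memcg A=%ld root=%ld unlocked lookups=%d\n",
           got, root_protected(), unlocked_lookup_count());
    reset_model();
    got = fixed_order(&b);
    printf("fixed: memcg B=%ld root=%ld unlocked lookups=%d\n",
           got, root_protected(), unlocked_lookup_count());
    return 0;
}
```

The model only reproduces the second bullet of the commit message (the update being redirected to the root memcg); the first bullet, the memcg and lruvec being freed between lookup and update, is the same window but ends in a use-after-free rather than a miscount, and the fix closes both because neither migration nor memcg teardown can detach a folio that is still locked.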