From patchwork Fri Mar 15 09:55:56 2024
X-Patchwork-Submitter: Johannes Weiner
X-Patchwork-Id: 13593206
Date: Fri, 15 Mar 2024 05:55:56 -0400
From: Johannes Weiner
To: Chengming Zhou
Cc: Andrew Morton, Nhat Pham, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn
Subject: [PATCH] mm: cachestat: fix two shmem bugs
Message-ID: <20240315095556.GC581298@cmpxchg.org>
References: <20240314164941.580454-1-hannes@cmpxchg.org> <1551fa14-2a95-49fd-ab1a-11c38ae29486@linux.dev> <20240315093010.GB581298@cmpxchg.org>

When cachestat on shmem races with swapping and invalidation, there are two possible bugs:

1) A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling get_shadow_from_swap_cache() on it will result in an out-of-bounds access to swapper_spaces[]. Validate the entry with non_swap_entry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before __remove_mapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry. This will send a NULL to workingset_test_recent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count. Such a false positive wouldn't be the end of the world.
But for code clarity and (future) robustness, be explicit about this case. Bail on get_shadow_from_swap_cache() returning NULL.

Fixes: cf264e1329fb ("cachestat: implement cachestat syscall")
Cc: stable@vger.kernel.org [v6.5+]
Reported-by: Chengming Zhou [Bug #1]
Reported-by: Jann Horn [Bug #2]
Signed-off-by: Johannes Weiner
Reviewed-by: Chengming Zhou
Reviewed-by: Nhat Pham
---
 mm/filemap.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/mm/filemap.c b/mm/filemap.c
index 222adac7c9c5..0aa91bf6c1f7 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -4198,7 +4198,23 @@ static void filemap_cachestat(struct address_space *mapping, /* shmem file - in swap cache */ swp_entry_t swp = radix_to_swp_entry(folio); + /* swapin error results in poisoned entry */ + if (non_swap_entry(swp)) + goto resched; + + /* + * Getting a swap entry from the shmem + * inode means we beat + * shmem_unuse(). rcu_read_lock() + * ensures swapoff waits for us before + * freeing the swapper space. However, + * we can race with swapping and + * invalidation, so there might not be + * a shadow in the swapcache (yet). + */ shadow = get_shadow_from_swap_cache(swp); + if (!shadow) + goto resched; } #endif if (workingset_test_recent(shadow, true, &workingset))
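Review bot: both new early exits jump to `resched` before `workingset_test_recent()` runs, so a poisoned entry or an entry whose shadow is not (yet) in the swapcache is no longer tested for recent eviction at all; the `resched` label and any per-entry accounting done before this block are outside the hunk, so please confirm that path performs the same bookkeeping as the fall-through past `workingset_test_recent()`, otherwise these entries silently drop out of the counts rather than being counted as "evicted, not recently". On the new comment, the line `shmem_unuse(). rcu_read_lock()` / `ensures swapoff waits for us before` asserts an RCU guarantee, but no RCU read-side section is visible in the hunk; a short pointer to where the read lock is taken (or to the locking get_shadow_from_swap_cache() expects) would let a reader verify the claim instead of taking it on trust.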
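The two checks described in the commit message, modelled in user space as an added example (this is not kernel code from the patch): the swp_entry_t bit layout, MAX_SWAPFILES, the shape of swapper_spaces[] and the SWP_SWAPIN_ERROR type are this example's assumed values, and shmem_shadow_lookup() and lookup_status() are its own helpers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model constants: this example's own values, not the kernel's configuration. */
#define MAX_SWAPFILES     4
#define SWP_TYPE_SHIFT    58
#define SWP_SWAPIN_ERROR  (MAX_SWAPFILES + 1) /* a "poisoned", non-swap type */
#define SLOTS_PER_SPACE   8

typedef struct { uint64_t val; } swp_entry_t;

static swp_entry_t swp_entry(unsigned type, uint64_t off) {
    return (swp_entry_t){ ((uint64_t)type << SWP_TYPE_SHIFT) | off };
}
static unsigned swp_type(swp_entry_t e) { return (unsigned)(e.val >> SWP_TYPE_SHIFT); }
static uint64_t swp_offset(swp_entry_t e) { return e.val & ((1ULL << SWP_TYPE_SHIFT) - 1); }
/* Types at or above MAX_SWAPFILES are special entries, not real swap devices. */
static bool non_swap_entry(swp_entry_t e) { return swp_type(e) >= MAX_SWAPFILES; }

/* Model of swapper_spaces[]: shadow slots per swap type, sized for real types only. */
static void *swapper_spaces[MAX_SWAPFILES][SLOTS_PER_SPACE];

/* Model of get_shadow_from_swap_cache(): indexes by type first, so a type past
 * MAX_SWAPFILES reads beyond the array. That is bug #1 when left unguarded. */
static void *get_shadow_from_swap_cache(swp_entry_t e) {
    return swapper_spaces[swp_type(e)][swp_offset(e) % SLOTS_PER_SPACE];
}
static void swap_cache_set_shadow(swp_entry_t e, void *shadow) {
    swapper_spaces[swp_type(e)][swp_offset(e) % SLOTS_PER_SPACE] = shadow;
}

/* The patched lookup order: -1 = poisoned entry, 0 = no shadow (yet), 1 = shadow
 * found and safe to hand to a workingset test. Both bail-outs return early. */
int shmem_shadow_lookup(swp_entry_t swp, void **shadow) {
    *shadow = NULL;
    if (non_swap_entry(swp))        /* bug #1: swapin error poisoned the entry */
        return -1;
    *shadow = get_shadow_from_swap_cache(swp);
    if (!*shadow)                   /* bug #2: swapin/invalidation/swapoff won the race */
        return 0;
    return 1;
}

/* Scenario driver: populate (or clear) the model swap cache, then look the entry up. */
int lookup_status(unsigned type, uint64_t off, bool shadow_present) {
    static int marker;              /* stands in for a real shadow entry */
    swp_entry_t swp = swp_entry(type, off);
    void *shadow;
    if (!non_swap_entry(swp))       /* only real swap types own a swapper space */
        swap_cache_set_shadow(swp, shadow_present ? &marker : NULL);
    return shmem_shadow_lookup(swp, &shadow);
}
```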