From patchwork Mon Mar 18 23:47:06 2024
X-Patchwork-Submitter: Barry Song <21cnbao@gmail.com>
X-Patchwork-Id: 13596036
From: Barry Song <21cnbao@gmail.com>
To: hannes@cmpxchg.org, yosryahmed@google.com, nphamcs@gmail.com,
	akpm@linux-foundation.org, chrisl@kernel.org, v-songbaohua@oppo.com,
	linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, ira.weiny@intel.com,
	syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com
Subject: [PATCH v2] mm: zswap: fix kernel BUG in sg_init_one
Date: Tue, 19 Mar 2024 12:47:06 +1300
Message-Id: <20240318234706.95347-1-21cnbao@gmail.com>
X-Mailer: git-send-email 2.34.1

From: Barry Song

sg_init_one() relies on linearly mapped low memory for the safe
utilization of virt_to_page(). Otherwise, we trigger a kernel
BUG,

kernel BUG at include/linux/scatterlist.h:187!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 2997 Comm: syz-executor198 Not tainted 6.8.0-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at sg_set_buf include/linux/scatterlist.h:187 [inline]
PC is at sg_init_one+0x9c/0xa8 lib/scatterlist.c:143
LR is at sg_init_table+0x2c/0x40 lib/scatterlist.c:128
Backtrace:
[<807e16ac>] (sg_init_one) from [<804c1824>] (zswap_decompress+0xbc/0x208 mm/zswap.c:1089)
 r7:83471c80 r6:def6d08c r5:844847d0 r4:ff7e7ef4
[<804c1768>] (zswap_decompress) from [<804c4468>] (zswap_load+0x15c/0x198 mm/zswap.c:1637)
 r9:8446eb80 r8:8446eb80 r7:8446eb84 r6:def6d08c r5:00000001 r4:844847d0
[<804c430c>] (zswap_load) from [<804b9644>] (swap_read_folio+0xa8/0x498 mm/page_io.c:518)
 r9:844ac800 r8:835e6c00 r7:00000000 r6:df955d4c r5:00000001 r4:def6d08c
[<804b959c>] (swap_read_folio) from [<804bb064>] (swap_cluster_readahead+0x1c4/0x34c mm/swap_state.c:684)
 r10:00000000 r9:00000007 r8:df955d4b r7:00000000 r6:00000000 r5:00100cca r4:00000001
[<804baea0>] (swap_cluster_readahead) from [<804bb3b8>] (swapin_readahead+0x68/0x4a8 mm/swap_state.c:904)
 r10:df955eb8 r9:00000000 r8:00100cca r7:84476480 r6:00000001 r5:00000000 r4:00000001
[<804bb350>] (swapin_readahead) from [<8047cde0>] (do_swap_page+0x200/0xcc4 mm/memory.c:4046)
 r10:00000040 r9:00000000 r8:844ac800 r7:84476480 r6:00000001 r5:00000000 r4:df955eb8
[<8047cbe0>] (do_swap_page) from [<8047e6c4>] (handle_pte_fault mm/memory.c:5301 [inline])
[<8047cbe0>] (do_swap_page) from [<8047e6c4>] (__handle_mm_fault mm/memory.c:5439 [inline])
[<8047cbe0>] (do_swap_page) from [<8047e6c4>] (handle_mm_fault+0x3d8/0x12b8 mm/memory.c:5604)
 r10:00000040 r9:842b3900 r8:7eb0d000 r7:84476480 r6:7eb0d000 r5:835e6c00 r4:00000254
[<8047e2ec>] (handle_mm_fault) from [<80215d28>] (do_page_fault+0x148/0x3a8 arch/arm/mm/fault.c:326)
 r10:00000007 r9:842b3900 r8:7eb0d000 r7:00000207 r6:00000254 r5:7eb0d9b4 r4:df955fb0
[<80215be0>] (do_page_fault) from [<80216170>] (do_DataAbort+0x38/0xa8 arch/arm/mm/fault.c:558)
 r10:7eb0da7c r9:00000000 r8:80215be0 r7:df955fb0 r6:7eb0d9b4 r5:00000207 r4:8261d0e0
[<80216138>] (do_DataAbort) from [<80200e3c>] (__dabt_usr+0x5c/0x60 arch/arm/kernel/entry-armv.S:427)
Exception stack(0xdf955fb0 to 0xdf955ff8)
5fa0: 00000000 00000000 22d5f800 0008d158
5fc0: 00000000 7eb0d9a4 00000000 00000109 00000000 00000000 7eb0da7c 7eb0da3c
5fe0: 00000000 7eb0d9a0 00000001 00066bd4 00000010 ffffffff
 r8:824a9044 r7:835e6c00 r6:ffffffff r5:00000010 r4:00066bd4
Code: 1a000004 e1822003 e8860094 e89da8f0 (e7f001f2)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: 1a000004 bne 0x18
   4: e1822003 orr r2, r2, r3
   8: e8860094 stm r6, {r2, r4, r7}
   c: e89da8f0 ldm sp, {r4, r5, r6, r7, fp, sp, pc}
* 10: e7f001f2 udf #18 <-- trapping instruction

Consequently, we have two choices: either employ kmap_to_page() alongside
sg_set_page(), or resort to copying high memory contents to a temporary
buffer residing in low memory. However, considering the introduction
of the WARN_ON_ONCE in commit ef6e06b2ef870 ("highmem: fix kmap_to_page()
for kmap_local_page() addresses"), which specifically addresses high
memory concerns, it appears that memcpy remains the sole viable
option.

Reported-and-tested-by: syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000bbb3d80613f243a6@google.com/
Fixes: 270700dd06ca ("mm/zswap: remove the memcpy if acomp is not sleepable")
Signed-off-by: Barry Song
Acked-by: Yosry Ahmed
Reviewed-by: Nhat Pham
Acked-by: Johannes Weiner
---
 -v2: add comments according to Yosry

 mm/zswap.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mm/zswap.c b/mm/zswap.c index 9dec853647c8..dbd9f745fa8f 100644 --- a/mm/zswap.c 
+++ b/mm/zswap.c @@ -1080,7 +1080,17 @@ static void zswap_decompress(struct zswap_entry *entry, struct page *page) mutex_lock(&acomp_ctx->mutex); src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); - if (acomp_ctx->is_sleepable && !zpool_can_sleep_mapped(zpool)) { + /* + * If zpool_map_handle is atomic, we cannot reliably utilize its mapped buffer + * to do crypto_acomp_decompress() which might sleep. In such cases, we must + * resort to copying the buffer to a temporary one. + * Meanwhile, zpool_map_handle() might return a non-linearly mapped buffer, + * such as a kmap address of high memory or even ever a vmap address. + * However, sg_init_one is only equipped to handle linearly mapped low memory. + * In such cases, we also must copy the buffer to a temporary and lowmem one. + */ + if ((acomp_ctx->is_sleepable && !zpool_can_sleep_mapped(zpool)) || + !virt_addr_valid(src)) { memcpy(acomp_ctx->buffer, src, entry->length); src = acomp_ctx->buffer; zpool_unmap_handle(zpool, entry->handle); @@ -1094,7 +1104,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct page *page) BUG_ON(acomp_ctx->req->dlen != PAGE_SIZE); mutex_unlock(&acomp_ctx->mutex); - if (!acomp_ctx->is_sleepable || zpool_can_sleep_mapped(zpool)) + if (src != acomp_ctx->buffer) zpool_unmap_handle(zpool, entry->handle); }
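
Review bot: In the first hunk (@@ -1080), the new !virt_addr_valid(src) test looks only at the start address of the mapping, while entry->length bytes starting at src are what the following code consumes. The added comment should say why checking the first byte is enough for the whole object, or the condition should also cover src + entry->length - 1. In the same comment, "or even ever a vmap address" carries a stray "ever", and zpool_map_handle and sg_init_one are written once without "()" while the other function names have it.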
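
Review bot: In the second hunk (@@ -1094), "if (src != acomp_ctx->buffer)" reads acomp_ctx->buffer after mutex_unlock(&acomp_ctx->mutex), and the decision to unmap is now inferred from a pointer comparison instead of being stated. Consider recording in a local bool, set in the copy branch of the first hunk, that the handle was already unmapped, or moving the comparison above the mutex_unlock(), so the map/unmap pairing does not rely on the buffer pointer being unchanged once the lock is dropped.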