From: Baolin Wang <baolin.wang@linux.alibaba.com>
To: Kemeng Shi <shikemeng@huaweicloud.com>,
hughd@google.com, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/5] mm/shmem: Fix potential dead loop in shmem_unuse()
Date: Thu, 15 May 2025 11:59:13 +0800 [thread overview]
Message-ID: <453015aa-e18f-4e37-86b1-001ec4e994d1@linux.alibaba.com> (raw)
In-Reply-To: <634a73ce-a24e-01d4-1d00-86272bc78860@huaweicloud.com>
On 2025/5/15 09:05, Kemeng Shi wrote:
>
>
> on 5/14/2025 5:24 PM, Baolin Wang wrote:
>>
>>
>> On 2025/5/15 00:50, Kemeng Shi wrote:
>>> If multi shmem_unuse() for different swap type is called concurrently,
>>> a dead loop could occur as following:
>>> shmem_unuse(typeA) shmem_unuse(typeB)
>>> mutex_lock(&shmem_swaplist_mutex)
>>> list_for_each_entry_safe(info, next, ...)
>>> ...
>>> mutex_unlock(&shmem_swaplist_mutex)
>>> /* info->swapped may drop to 0 */
>>> shmem_unuse_inode(&info->vfs_inode, type)
>>>
>>> mutex_lock(&shmem_swaplist_mutex)
>>> list_for_each_entry(info, next, ...)
>>> if (!info->swapped)
>>> list_del_init(&info->swaplist)
>>>
>>> ...
>>> mutex_unlock(&shmem_swaplist_mutex)
>>>
>>> mutex_lock(&shmem_swaplist_mutex)
>>> /* iterate with offlist entry and encounter a dead loop */
>>> next = list_next_entry(info, swaplist);
>>> ...
>>>
>>> Restart the iteration if the inode is already off shmem_swaplist list
>>> to fix the issue.
>>>
>>> Fixes: b56a2d8af9147 ("mm: rid swapoff of quadratic complexity")
>>> Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
>>> ---
>>> mm/shmem.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/mm/shmem.c b/mm/shmem.c
>>> index 495e661eb8bb..0fed94c2bc09 100644
>>> --- a/mm/shmem.c
>>> +++ b/mm/shmem.c
>>> @@ -1505,6 +1505,7 @@ int shmem_unuse(unsigned int type)
>>> return 0;
>>> mutex_lock(&shmem_swaplist_mutex);
>>> +start_over:
>>> list_for_each_entry_safe(info, next, &shmem_swaplist, swaplist) {
>>> if (!info->swapped) {
>>> list_del_init(&info->swaplist);
>>> @@ -1530,6 +1531,8 @@ int shmem_unuse(unsigned int type)
>>
>> next = list_next_entry(info, swaplist);
>> if (!info->swapped)
>> list_del_init(&info->swaplist);
>> if (atomic_dec_and_test(&info->stop_eviction))
>> wake_up_var(&info->stop_eviction);
>>
>> We may still hit the list warning when calling list_del_init() for the off-list info->swaplist? So I hope we can add a check for the possible off-list:
> Hello,
> When entry is taken off list, it will be initialized to a valid empty entry
> with INIT_LIST_HEAD(). So it should be fine to call list_del_init() for
> off-list entry.
> Please correct me if I miss anything. Thanks!
Ah, yes. I got confused with list_del(), but I still think we should not
continue to operate on an off-list entry.
>> diff --git a/mm/shmem.c b/mm/shmem.c
>> index 99327c30507c..f5ae5e2d6fb4 100644
>> --- a/mm/shmem.c
>> +++ b/mm/shmem.c
>> @@ -1523,9 +1523,11 @@ int shmem_unuse(unsigned int type)
>> cond_resched();
>>
>> mutex_lock(&shmem_swaplist_mutex);
>> - next = list_next_entry(info, swaplist);
>> - if (!info->swapped)
>> - list_del_init(&info->swaplist);
>> + if (!list_empty(&info->swaplist)) {
>> + next = list_next_entry(info, swaplist);
>> + if (!info->swapped)
>> + list_del_init(&info->swaplist);
>> + }
>> if (atomic_dec_and_test(&info->stop_eviction))
>> wake_up_var(&info->stop_eviction);
>> if (error)
>>
>>> wake_up_var(&info->stop_eviction);
>>> if (error)
>>> break;
>>> + if (list_empty(&info->swaplist))
>>> + goto start_over;
>>> }
>>> mutex_unlock(&shmem_swaplist_mutex);
>>>
>>
next prev parent reply other threads:[~2025-05-15 3:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 16:50 [PATCH 0/5] Some random fixes and cleanup to shmem Kemeng Shi
2025-05-14 16:50 ` [PATCH 1/5] mm: shmem: avoid unpaired folio_unlock() in shmem_swapin_folio() Kemeng Shi
2025-05-14 8:51 ` Baolin Wang
2025-05-14 16:50 ` [PATCH 2/5] mm: shmem: add missing shmem_unacct_size() in __shmem_file_setup() Kemeng Shi
2025-05-14 8:53 ` Baolin Wang
2025-05-14 16:50 ` [PATCH 3/5] mm/shmem: Fix potential dead loop in shmem_unuse() Kemeng Shi
2025-05-14 9:24 ` Baolin Wang
2025-05-15 1:05 ` Kemeng Shi
2025-05-15 3:59 ` Baolin Wang [this message]
2025-05-14 16:50 ` [PATCH 4/5] mm: shmem: keep inode in swaplist when failed to allocate swap entry in shmem_writepage() Kemeng Shi
2025-05-14 9:31 ` Baolin Wang
2025-05-15 1:09 ` Kemeng Shi
2025-05-14 16:50 ` [PATCH 5/5] mm/shmem: remove unneeded xa_is_value() check in shmem_unuse_swap_entries() Kemeng Shi
2025-05-14 9:31 ` Baolin Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=453015aa-e18f-4e37-86b1-001ec4e994d1@linux.alibaba.com \
--to=baolin.wang@linux.alibaba.com \
--cc=akpm@linux-foundation.org \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=shikemeng@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.