From: Sergey Senozhatsky <senozhatsky@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: mm-commits@vger.kernel.org, vitaly.wool@konsulko.com,
sjenning@redhat.com, senozhatsky@chromium.org, ngupta@vflare.org,
minchan@kernel.org, hannes@cmpxchg.org, ddstreet@ieee.org,
arnd@arndb.de, nphamcs@gmail.com
Subject: Re: [merged mm-hotfixes-stable] zsmalloc-fix-a-race-with-deferred_handles-storing.patch removed from -mm tree
Date: Wed, 1 Feb 2023 12:50:05 +0900
Message-ID: <Y9nhbXqxs12QPNfT@google.com>
In-Reply-To: <20230201004455.D78F2C433D2@smtp.kernel.org>

On (23/01/31 16:44), Andrew Morton wrote:
> Currently, there is a race between zs_free() and zs_reclaim_page():
> zs_reclaim_page() finds a handle to an allocated object, but before the
> eviction happens, an independent zs_free() call to the same handle could
> come in and overwrite the object value stored at the handle with the last
> deferred handle. When zs_reclaim_page() finally gets to call the eviction
> handler, it will see an invalid object value (i.e. the previous deferred
> handle instead of the original object value).
>
> This race happens quite infrequently. We only managed to produce it with
> out-of-tree developmental code that triggers zsmalloc writeback with a
> much higher frequency than usual.
>
> This patch fixes this race by storing the deferred handle in the object
> header instead. We differentiate the deferred handle from the other two
> cases (handle for allocated object, and linkage for free object) with a
> new tag. If zspage reclamation succeeds, we will free these deferred
> handles by walking through the zspage objects. On the other hand, if
> zspage reclamation fails, we reconstruct the zspage freelist (with the
> deferred handle tag and allocated tag) before trying again with the
> reclamation.
>
> [arnd@arndb.de: avoid unused-function warning]
> Link: https://lkml.kernel.org/r/20230117170507.2651972-1-arnd@kernel.org
> Link: https://lkml.kernel.org/r/20230110231701.326724-1-nphamcs@gmail.com
> Fixes: 9997bc017549 ("zsmalloc: implement writeback mechanism for zsmalloc")
> Signed-off-by: Nhat Pham <nphamcs@gmail.com>
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> Suggested-by: Johannes Weiner <hannes@cmpxchg.org>
> Cc: Dan Streetman <ddstreet@ieee.org>
> Cc: Minchan Kim <minchan@kernel.org>
> Cc: Nitin Gupta <ngupta@vflare.org>
> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> Cc: Seth Jennings <sjenning@redhat.com>
> Cc: Vitaly Wool <vitaly.wool@konsulko.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
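
The interleaving and the fix described in the quoted commit message, replayed as a single-threaded C model. This is an added example, not code from the patch or from zsmalloc; the struct layout, tag values, object values and function names are hypothetical simplifications.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model: every name and value below is hypothetical, not the kernel's. */
#define TAG_MASK      ((uintptr_t)3)
#define TAG_ALLOCATED ((uintptr_t)1) /* header holds the handle of a live object */
#define TAG_DEFERRED  ((uintptr_t)2) /* header holds a handle freed during reclaim */
#define NOBJ 3

struct zpage {
    uintptr_t header[NOBJ]; /* per-object header word: value | tag */
    uintptr_t *deferred;    /* old scheme: chain threaded through handle slots */
};

/* Old scheme: the free path chains the handle by overwriting *handle. */
static void free_old(struct zpage *pg, uintptr_t *handle)
{
    *handle = (uintptr_t)pg->deferred; /* clobbers the object value */
    pg->deferred = handle;
}

/* New scheme: the free path retags the object header and leaves *handle alone. */
static void free_new(struct zpage *pg, int idx, uintptr_t *handle)
{
    pg->header[idx] = (uintptr_t)handle | TAG_DEFERRED;
}

/* Replay: reclaim picks a handle, free runs, eviction reads it; 1 = value intact. */
static int replay(int use_new, int *deferred_found)
{
    uintptr_t slots[NOBJ] = { 0x1000, 0x2000, 0x3000 }; /* constructed values */
    struct zpage pg = { .deferred = NULL };             /* empty deferred chain */
    for (int i = 0; i < NOBJ; i++)
        pg.header[i] = (uintptr_t)&slots[i] | TAG_ALLOCATED;
    uintptr_t *handle = (uintptr_t *)(pg.header[0] & ~TAG_MASK); /* reclaim side */
    uintptr_t expected = *handle;
    if (use_new) free_new(&pg, 0, handle); /* free of the same handle lands here */
    else         free_old(&pg, handle);
    *deferred_found = 0;                   /* post-reclaim walk over the headers */
    for (int i = 0; i < NOBJ; i++)
        *deferred_found += (pg.header[i] & TAG_MASK) == TAG_DEFERRED;
    return *handle == expected;            /* what the eviction handler reads */
}

int main(void)
{
    int n, old_ok = replay(0, &n), new_ok = replay(1, &n);
    printf("valid object value at eviction: old=%d new=%d\n", old_ok, new_ok);
    return 0;
}
```
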