Date: Tue, 6 Feb 2024 21:26:24 +0100
From: Johannes Weiner
To: Nhat Pham
Cc: akpm@linux-foundation.org, chengming.zhou@linux.dev, yosryahmed@google.com, linux-mm@kvack.org, kernel-team@meta.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] mm/swap_state: update zswap LRU's protection range with the folio locked
Message-ID: <20240206202624.GC97483@cmpxchg.org>
References: <20240206180855.3987204-1-nphamcs@gmail.com>
In-Reply-To: <20240206180855.3987204-1-nphamcs@gmail.com>

On Tue, Feb 06, 2024 at 10:08:55AM -0800, Nhat Pham wrote:
> When a folio is swapped in, the protection size of the corresponding
> zswap LRU is incremented, so that the zswap shrinker is more
> conservative with its reclaiming action. This field is embedded within
> the struct lruvec, so updating it requires looking up the folio's memcg
> and lruvec. However, currently this lookup can happen after the folio is
> unlocked, for instance if a new folio is allocated, and
> swap_read_folio() unlocks the folio before returning. In this scenario,
> there is no stability guarantee for the binding between a folio and its
> memcg and lruvec:
>
> * A folio's memcg and lruvec can be freed between the lookup and the
>   update, leading to a UAF.
> * Folio migration can clear the now-unlocked folio's memcg_data, which
>   directs the zswap LRU protection size update towards the root memcg
>   instead of the original memcg. This was recently picked up by the
>   syzbot thanks to a warning in the inlined folio_lruvec() call.
>
> Move the zswap LRU protection range update above the swap_read_folio()
> call, and only when a new page is allocated, to prevent this.
>
> Reported-by: syzbot+17a611d10af7d18a7092@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000ae47f90610803260@google.com/
> Fixes: b5ba474f3f51 ("zswap: shrink zswap pool based on memory pressure")
> Signed-off-by: Nhat Pham

With the fixlet applied,
Acked-by: Johannes Weiner
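The ordering problem the quoted patch description is about, as an added illustration written for this page (a deterministic toy model, not kernel code and not the patch itself): the folio-to-memcg binding is only stable while the folio is locked, so a swap-in path that unlocks the folio before looking up its memcg can have that lookup redirected to the root memcg by a migration that runs in the window. All identifiers here (model_folio, model_memcg, model_swap_read_folio, model_migrate, swapin_buggy, swapin_fixed) are constructed for the model, and the "migration" is a single-threaded stand-in for the concurrent event.

```c
/* Added illustration (not kernel code): models why a lookup that depends on
 * the folio's memcg must happen before the lock protecting that binding is
 * dropped. All names are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_memcg {
    const char *name;
    long zswap_protect;  /* stands in for the per-lruvec protection count */
};

struct model_folio {
    bool locked;
    struct model_memcg *memcg;  /* binding that migration may clear once unlocked */
};

/* Fallback target when a folio has no memcg binding (models the root memcg). */
static struct model_memcg root_memcg = { "root", 0 };

/* The lookup is only trustworthy while the folio is locked; an unlocked
 * folio whose binding was cleared resolves to the root memcg instead. */
static struct model_memcg *model_folio_memcg(const struct model_folio *f)
{
    return f->memcg ? f->memcg : &root_memcg;
}

/* Stand-in for swap_read_folio(): it unlocks the folio before returning. */
static void model_swap_read_folio(struct model_folio *f)
{
    f->locked = false;
}

/* Stand-in for folio migration: only possible once the folio is unlocked,
 * and it clears the memcg binding. */
static void model_migrate(struct model_folio *f)
{
    if (!f->locked)
        f->memcg = NULL;
}

/* Buggy order: read (which unlocks), then look up the memcg for the update.
 * Returns the memcg whose counter was actually incremented. */
static struct model_memcg *swapin_buggy(struct model_folio *f)
{
    model_swap_read_folio(f);
    model_migrate(f);  /* the race window the description talks about */
    struct model_memcg *m = model_folio_memcg(f);
    m->zswap_protect++;
    return m;
}

/* Fixed order: perform the lookup and the update while still locked, then
 * read. Migration afterwards no longer affects which counter was bumped. */
static struct model_memcg *swapin_fixed(struct model_folio *f)
{
    struct model_memcg *m = model_folio_memcg(f);
    m->zswap_protect++;
    model_swap_read_folio(f);
    model_migrate(f);
    return m;
}

int main(void)
{
    struct model_memcg cg = { "cg-A", 0 };  /* constructed sample memcg */
    struct model_folio f1 = { true, &cg };
    struct model_folio f2 = { true, &cg };

    printf("buggy order credited: %s\n", swapin_buggy(&f1)->name);
    printf("fixed order credited: %s\n", swapin_fixed(&f2)->name);
    return 0;
}
```

The model is single-threaded on purpose: the point is the ordering of "lookup" relative to "unlock", and making the migration step explicit between them shows which memcg's counter ends up incremented in each ordering without needing a real race.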