From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Yongchen Yin <wb-yyc939293@alibaba-inc.com>,
Rongwei Wang <rongwei.wang@linux.alibaba.com>,
Bagas Sanjaya <bagasdotme@gmail.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Aaron Lu <aaron.lu@intel.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.4 40/92] mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
Date: Tue, 18 Apr 2023 14:21:15 +0200
Message-ID: <20230418120306.239168205@linuxfoundation.org>
In-Reply-To: <20230418120304.658273364@linuxfoundation.org>
From: Rongwei Wang <rongwei.wang@linux.alibaba.com>
commit 6fe7d6b992113719e96744d974212df3fcddc76c upstream.
The si->lock must be held when deleting the si from the available list.
Otherwise, another thread can re-add the si to the available list, which
can lead to memory corruption. The only place we have found where this
happens is in the swapoff path. This case can be described as below:

core 0                       core 1
swapoff

del_from_avail_list(si)      waiting

try lock si->lock            acquire swap_avail_lock
                             and re-add si into
                             swap_avail_head

acquire si->lock but missing si already being added again, and continuing
to clear SWP_WRITEOK, etc.

It can be easily found that massive warning messages can be triggered
inside get_swap_pages() by some special cases, for example, we call
madvise(MADV_PAGEOUT) on blocks of touched memory concurrently, meanwhile,
run many swapon-swapoff operations (e.g. stress-ng-swap).

However, in the worst case, panic can be caused by the above scene. In
swapoff(), the memory used by si could be kept in swap_info[] after
turning off a swap. This means memory corruption will not be caused
immediately until allocated and reset for a new swap in the swapon path.
A panic message caused: (with CONFIG_PLIST_DEBUG enabled)
------------[ cut here ]------------
top: 00000000e58a3003, n: 0000000013e75cda, p: 000000008cd4451a
prev: 0000000035b1e58a, n: 000000008cd4451a, p: 000000002150ee8d
next: 000000008cd4451a, n: 000000008cd4451a, p: 000000008cd4451a
WARNING: CPU: 21 PID: 1843 at lib/plist.c:60 plist_check_prev_next_node+0x50/0x70
Modules linked in: rfkill(E) crct10dif_ce(E)...
CPU: 21 PID: 1843 Comm: stress-ng Kdump: ... 5.10.134+
Hardware name: Alibaba Cloud ECS, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
pc : plist_check_prev_next_node+0x50/0x70
lr : plist_check_prev_next_node+0x50/0x70
sp : ffff0018009d3c30
x29: ffff0018009d3c40 x28: ffff800011b32a98
x27: 0000000000000000 x26: ffff001803908000
x25: ffff8000128ea088 x24: ffff800011b32a48
x23: 0000000000000028 x22: ffff001800875c00
x21: ffff800010f9e520 x20: ffff001800875c00
x19: ffff001800fdc6e0 x18: 0000000000000030
x17: 0000000000000000 x16: 0000000000000000
x15: 0736076307640766 x14: 0730073007380731
x13: 0736076307640766 x12: 0730073007380731
x11: 000000000004058d x10: 0000000085a85b76
x9 : ffff8000101436e4 x8 : ffff800011c8ce08
x7 : 0000000000000000 x6 : 0000000000000001
x5 : ffff0017df9ed338 x4 : 0000000000000001
x3 : ffff8017ce62a000 x2 : ffff0017df9ed340
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
plist_check_prev_next_node+0x50/0x70
plist_check_head+0x80/0xf0
plist_add+0x28/0x140
add_to_avail_list+0x9c/0xf0
_enable_swap_info+0x78/0xb4
__do_sys_swapon+0x918/0xa10
__arm64_sys_swapon+0x20/0x30
el0_svc_common+0x8c/0x220
do_el0_svc+0x2c/0x90
el0_svc+0x1c/0x30
el0_sync_handler+0xa8/0xb0
el0_sync+0x148/0x180
irq event stamp: 2082270

Now, si->lock is locked before calling 'del_from_avail_list()' to make sure
other threads see that the si has been deleted and SWP_WRITEOK cleared
together, and will not reinsert it again.

This problem exists in versions after stable 5.10.y.
Link: https://lkml.kernel.org/r/20230404154716.23058-1-rongwei.wang@linux.alibaba.com
Fixes: a2468cc9bfdff ("swap: choose swap device according to numa node")
Tested-by: Yongchen Yin <wb-yyc939293@alibaba-inc.com>
Signed-off-by: Rongwei Wang <rongwei.wang@linux.alibaba.com>
Cc: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Aaron Lu <aaron.lu@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/swapfile.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -672,6 +672,7 @@ static void __del_from_avail_list(struct
{
int nid;
+ assert_spin_locked(&p->lock);
for_each_node(nid)
plist_del(&p->avail_lists[nid], &swap_avail_heads[nid]);
}
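Review bot: the new assert_spin_locked(&p->lock) at the top of __del_from_avail_list() only checks that the lock is held by someone, not that the calling context holds it; lockdep_assert_held(&p->lock) would check the caller and compiles away without lockdep. The assertion also applies to every caller of this helper, while the patch adjusts only the swapoff() call site, so each remaining caller in the 5.4 tree should be confirmed to hold p->lock. A one-line comment above the function stating that p->lock must be held would document the rule for readers who do not run with debugging enabled.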
@@ -2579,8 +2580,8 @@ SYSCALL_DEFINE1(swapoff, const char __us
spin_unlock(&swap_lock);
goto out_dput;
}
- del_from_avail_list(p);
spin_lock(&p->lock);
+ del_from_avail_list(p);
if (p->prio < 0) {
struct swap_info_struct *si = p;
int nid;
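Review bot: moving del_from_avail_list(p) below spin_lock(&p->lock) in swapoff() introduces a nesting here: whatever lock del_from_avail_list() takes internally (swap_avail_lock, going by the race description in the commit message) is now acquired inside p->lock. That ordering is not documented in the visible lines, so a short comment at this call site naming the order, plus a check that no other path takes the two locks in the opposite order, would guard against turning the race into a deadlock. Separately, the commit message says the problem exists in versions after stable 5.10.y while this is queued for 5.4; it is worth confirming that the commit named in Fixes: is present in the 5.4 tree.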