From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6132C47DD9 for ; Fri, 22 Mar 2024 23:04:54 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 151456B007B; Fri, 22 Mar 2024 19:04:54 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 101F76B0082; Fri, 22 Mar 2024 19:04:54 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id F0B686B0085; Fri, 22 Mar 2024 19:04:53 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id DD7CE6B007B for ; Fri, 22 Mar 2024 19:04:53 -0400 (EDT) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 808A3120445 for ; Fri, 22 Mar 2024 23:04:53 +0000 (UTC) X-FDA: 81926206866.09.F844B84 Received: from mail-yb1-f173.google.com (mail-yb1-f173.google.com [209.85.219.173]) by imf20.hostedemail.com (Postfix) with ESMTP id BC0E71C0009 for ; Fri, 22 Mar 2024 23:04:50 +0000 (UTC) Authentication-Results: imf20.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=BZm2gu8y; spf=pass (imf20.hostedemail.com: domain of 21cnbao@gmail.com designates 209.85.219.173 as permitted sender) smtp.mailfrom=21cnbao@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1711148690; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=KXajpgr5ThGBaSGnZfJRyX8FCpxJwIDm9EKyLgKw/Z4=; b=Y0BQaDJF4xn+uv4PKEVthP7hn3em8pJVyxQgtp/uvc+gtKOftEQvwB54Bbcp2u8MwuaTtV X6Jy1yOvJ7hSumkPPMUxO8R2rQ7EiO+ywB9eKGWL7U9bRazcfnnePqIzcp6O+cU5RoY2tI MD+D3aozA/jGaiuo3Uuq68gebBGTm28= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1711148690; a=rsa-sha256; cv=none; b=4BL/Z+bCYgadrOkxUMiQ2aL0EPLskjheqwTtWScDAojqICx3JAIMDym6NYzS7DXyTNbZyi nX/VMiNb/GXde0oMCtO/0hXNTDcdfKlY62bRl521sPj3A94TLiMaKGXcUrFQqPjBObjFQE +OlkexsnZtcuobZZjx2JQMTlHXywaoU= ARC-Authentication-Results: i=1; imf20.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=BZm2gu8y; spf=pass (imf20.hostedemail.com: domain of 21cnbao@gmail.com designates 209.85.219.173 as permitted sender) smtp.mailfrom=21cnbao@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-yb1-f173.google.com with SMTP id 3f1490d57ef6-dc74e33fe1bso2762327276.0 for ; Fri, 22 Mar 2024 16:04:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711148690; x=1711753490; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=KXajpgr5ThGBaSGnZfJRyX8FCpxJwIDm9EKyLgKw/Z4=; b=BZm2gu8yMu2k+GhDVh4ovUkzGRehl6eg6Y23TZ6aipKSpRIL0/gcoKAdzFLoYXTG+V TZ9GzHgmouBZMBRqHndpws9TEWZ+4tw8+K5kQ2Kqgh3DAIHaOjSXTxyBGf0j1517V+x+ VNv+W4PZSKUgrbytror3lHaiTCZGSy7ar3e9U3Qu4Hajo3XQ7f82Q9fJDcXf8sHfhVO3 S59gLWuN0TJTgXGMbpm82Lxg8kp3C7dxx6D4sPnfJmVKavUCbBXT3A/tt+p4fD/i6bwp J/VREcvkYPP7P+EeVgH6pMEVujvTk2mNNtkHHocNCRP49BZR0T3JDkpjMxJpHCXug73P t+Rg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711148690; x=1711753490; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KXajpgr5ThGBaSGnZfJRyX8FCpxJwIDm9EKyLgKw/Z4=; b=wcUs0YH6sRYiYoVBGdnWdxkBlhM2gVonSxMxQImSXfyHBmy2niWkV3e4OeRxucTDSs PtfS7khvBvj6dCh0f0J6R5cE8JahfSGdRPKY56Q2dXgTteol4I+8e7xEjvhzUtpIczss vJvl18uBP9HWa8+Upp/WOgt0m8Zl16KkI6U0Rr+Bybc8eUKOSUTqRUXwAaoT/Tq3fweR zIw/QRBKlVI8MoFuffd5/CZEqUGyXHE4tuLM5nB7sSKyHQntilsONJZQXrGMas9wzt4p m6V5MvIgcS9Y9uWICF4mZDbNokKrtit87jDitLVBe0yAu2ncHcCRpGoTtZPh3Pg66o9/ eADg== X-Forwarded-Encrypted: i=1; AJvYcCW4vxHEcGSzmXr4LZA/TaJ7VHH/Pkth5a3xJqvy393Ei/TTNsebML4N/bq5x3Fb4XtQ9DHjliup+IGDeKdFdbZ70vs= X-Gm-Message-State: AOJu0YzJYxqxssbK+bhllJXA+//Yokt9FZF43RtIMlOFTaZIpKj7AJ67 ZgFOa8oAepSoa+2oFwdqZLXZ2LnO4cQH16/28eFoa82T5x6Xc4IHFo5+4DB3WxW5IoSnu1eAnbk WzlBIj8p1SPP1qV9IuueCEudb6Rc= X-Google-Smtp-Source: AGHT+IE+fEQgiCbQk2QLYiCegWCmE1YuiG9Fdz1fOIHP7w20zCLYy+2Yq2It/QP9mSyc1HT/TIwKR+KMUdUYu/b3O/Y= X-Received: by 2002:a5b:b86:0:b0:dc6:b779:7887 with SMTP id l6-20020a5b0b86000000b00dc6b7797887mr749785ybq.20.1711148689725; Fri, 22 Mar 2024 16:04:49 -0700 (PDT) MIME-Version: 1.0 References: <01b0b8e8-af1d-4fbe-951e-278e882283fd@linux.dev> In-Reply-To: From: Barry Song <21cnbao@gmail.com> Date: Sat, 23 Mar 2024 12:04:38 +1300 Message-ID: Subject: Re: [External] Re: [bug report] mm/zswap :memory corruption after zswap_load(). To: Yosry Ahmed Cc: Zhongkun He , Chengming Zhou , Johannes Weiner , Andrew Morton , linux-mm , wuyun.abel@bytedance.com, zhouchengming@bytedance.com, Nhat Pham , Kairui Song , Minchan Kim , David Hildenbrand , Chris Li , Ying Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: BC0E71C0009 X-Rspam-User: X-Stat-Signature: om8handcyw3c3m6gcqu4acy1qxwuqbio X-Rspamd-Server: rspam03 X-HE-Tag: 1711148690-774293 X-HE-Meta: U2FsdGVkX18jV+Ez3JEycxQdUsWzBRcUpWnjwM3QxsMeFbAv9PShc7DauEEaB19Idau2e2/SYPzm/Mx/nYmkcGWeRLfsx+ADf6CEiroQjbldVPxAgDxsRU+H3wu2L4TLj8VwCsBvAROvRhbcBhEuU+KmnAYC8BlY36avfC7EsmxDc7RdqLbw1u20ChWuSakV2O9+Vk5QKZ31/nfeEVIj/B6N+Lpkd+oWW2S5GFeApauqglwMrA4YgRERiR7g2sUmA/A+nOveYOvonD1SATUCyfJ6frzNNAjq3IDqkzsKvY8MlKh6c6vy0xRI1gVPfewCD79NGI+OYV0mUQ5ezHJZzTyF+t7gGa8hedaOOl9znh6WvClcmnoDRYHkVAmCLLSulLc5DFXdoGNXuOv7U7/TqtHWPaK8JaEnx8+oDtjytF20pAAfW8g19yzodjLjoCcheLE7/45GOiTQkDOm5gw5kNvKz5TRQGug1saAeDx6oWrwLNksEkxiNnFbg6LjUbZzSBmHU7QO94nfRkWXSOXoHgY8i9QI7Vsw7szW/NOY0NrsObpv26sM9buU6qcECZ5Gh7JZDYHnDxvp2lr9KsUyb/EdkDE7qgtmj3+llfxiO1o/1JLxhc7cpBKEg2Uk+STZ+5cRmfZJ5g2B9arUXx/RDdsodeShZKVbUaapz3RxuHbRP174pZ3CsUnVko8x+PN7NCO15+TqpwrYKaApyBW4sRoXj1DXwFMFSV13V/3/gfHrm9oz4ZKtfZDIXqyNd8rscXUIjTDLkhWoVRbzLcWDm0N4jCq0iaag/vXzecI6mFp0m/CzojJizkDLA3IZsZCNVGmDh0/ieYmm+28rYT5zZbmbrAvmsKhou//PapprX2FiYZZa73vGYSzUzBvuA8WUA9UuCpCo1E5dcoQ55+7It/a3CywV+K5luywdCKGAFXz01QnclthXkHPYDNm5omWYjNGuaZky733hPKUkE2Q cChMMM9q JCQOviXx07jzeZxDbzFfcUGp76QOh9udcM2S9NWQ5nFAGJEfNLvFDEdybDZXn9PPHu4v7rMxmgDHTXkuEscvRnEcdNOks9hB92abRSMHkHGtTrQfkkU/KlgWRd8D7m99/X/KpQelEj+hQ1r6XdKi9bFMN+P4aElYVZ8dyLHayY7pFYRUdXctfi2YFDT90y5TvQUM9NZ2/er94JFpYWS/ctbO3WPL8kTjEx2hqMNJkhewJ/pP5tBztsQr7YikYPCxxXCybKNUngavpV/rZfYOuY1gkuTey6GAp7GBLyVrEvExjv0GWEUrVwjQNJg0/Zj8TfEqOJco7I0yP0DoMmZIjZdw60KZ5X1jEeifEaDamTd5rj8mehEn6BQkq3RaVH1iBinvP1c//V1Fdo/0sTJYJKuuI/wEs1GiKRXdGUnWHSHlXzw+AjBhpseaSrSV7H8dxumuEQVq6vYzrgcerT2qpkt4aty10HZc2N/HilZavu/13kWM= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Sat, Mar 23, 2024 at 8:35=E2=80=AFAM Yosry Ahmed = wrote: > > On Thu, Mar 21, 2024 at 8:04=E2=80=AFPM Zhongkun He > wrote: > > > > On Thu, Mar 21, 2024 at 5:29=E2=80=AFPM Chengming Zhou wrote: > > > > > > On 2024/3/21 14:36, Zhongkun He wrote: > > > > On Thu, Mar 21, 2024 at 1:24=E2=80=AFPM Chengming Zhou wrote: > > > >> > > > >> On 2024/3/21 13:09, Zhongkun He wrote: > > > >>> On Thu, Mar 21, 2024 at 12:42=E2=80=AFPM Chengming Zhou > > > >>> wrote: > > > >>>> > > > >>>> On 2024/3/21 12:34, Zhongkun He wrote: > > > >>>>> Hey folks, > > > >>>>> > > > >>>>> Recently, I tested the zswap with memory reclaiming in the main= line > > > >>>>> (6.8) and found a memory corruption issue related to exclusive = loads. > > > >>>> > > > >>>> Is this fix included? 13ddaf26be32 ("mm/swap: fix race when skip= ping swapcache") > > > >>>> This fix avoids concurrent swapin using the same swap entry. > > > >>>> > > > >>> > > > >>> Yes, This fix avoids concurrent swapin from different cpu, but th= e > > > >>> reported issue occurs > > > >>> on the same cpu. > > > >> > > > >> I think you may misunderstand the race description in this fix cha= ngelog, > > > >> the CPU0 and CPU1 just mean two concurrent threads, not real two C= PUs. > > > >> > > > >> Could you verify if the problem still exists with this fix? > > > > > > > > Yes=EF=BC=8CI'm sure the problem still exists with this patch. > > > > There is some debug info, not mainline. > > > > > > > > bpftrace -e'k:swap_readpage {printf("%lld, %lld,%ld,%ld,%ld\n%s", > > > > ((struct page *)arg0)->private,nsecs,tid,pid,cpu,kstack)}' --includ= e > > > > linux/mm_types.h > > > > > > Ok, this problem seems only happen on SWP_SYNCHRONOUS_IO swap backend= s, > > > which now include zram, ramdisk, pmem, nvdimm. > > > > Yes. > > > > > > > > It maybe not good to use zswap on these swap backends? > > > > > > The problem here is the page fault handler tries to skip swapcache to > > > swapin the folio (swap entry count =3D=3D 1), but then it can't insta= ll folio > > > to pte entry since some changes happened such as concurrent fork of e= ntry. > > > > > > > The first page fault returned VM_FAULT_RETRY because > > folio_lock_or_retry() failed. > > How so? The folio is newly allocated and not visible to any other > threads or CPUs. swap_read_folio() unlocks it and then returns and we > immediately try to lock it again with folio_lock_or_retry(). How does > this fail? > > Let's go over what happens after swap_read_folio(): > - The 'if (!folio)' code block will be skipped. > - folio_lock_or_retry() should succeed as I mentioned earlier. > - The 'if (swapcache)' code block will be skipped. > - The pte_same() check should succeed on first look because other > concurrent faulting threads should be held off by the newly introduced > swapcache_prepare() logic. But looking deeper I think this one may > fail due to a concurrent MADV_WILLNEED. > - The 'if (unlikely(!folio_test_uptodate(folio)))` part will be > skipped because swap_read_folio() marks the folio up-to-date. > - After that point there is no possible failure until we install the > pte, at which point concurrent faults will fail on !pte_same() and > retry. > > So the only failure I think is possible is the pte_same() check. I see > how a concurrent MADV_WILLNEED could cause that check to fail. A > concurrent MADV_WILLNEED will block on swapcache_prepare(), but once > the fault resolves it will go ahead and read the folio again into the > swapcache. It seems like we will end up with two copies of the same but zswap has freed the object when the do_swap_page finishes swap_read_fol= io due to exclusive load feature of zswap? so WILLNEED will get corrupted data and put it into swapcache. some other concurrent new forked process might get the new data from the swapcache WILLNEED puts when the new-forked process goes into do_swap_page. so very likely a new process is forked right after do_swap_page finishes swap_read_folio and before swapcache_clear. > folio? Maybe this is harmless because the folio in the swacache will > never be used, but it is essentially leaked at that point, right? > > I feel like I am missing something. Adding other folks that were > involved in the recent swapcache_prepare() synchronization thread. > > Anyway, I agree that at least in theory the data corruption could > happen because of exclusive loads when skipping the swapcache, and we > should fix that. > > Perhaps the right thing to do may be to write the folio again to zswap > before unlocking it and before calling swapcache_clear(). The need for > the write can be detected by checking if the folio is dirty, I think > this will only be true if the folio was loaded from zswap. we only need to write when we know swap_read_folio() gets data from zswap but not swapfile. is there a quick way to do this?