From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id CDA81C54E71 for ; Fri, 22 Mar 2024 19:35:18 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4FB046B0087; Fri, 22 Mar 2024 15:35:18 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4AAA26B0088; Fri, 22 Mar 2024 15:35:18 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 373486B008A; Fri, 22 Mar 2024 15:35:18 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 2403D6B0087 for ; Fri, 22 Mar 2024 15:35:18 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id B5EEE1C1A6F for ; Fri, 22 Mar 2024 19:35:17 +0000 (UTC) X-FDA: 81925678674.25.21FF056 Received: from mail-ej1-f41.google.com (mail-ej1-f41.google.com [209.85.218.41]) by imf15.hostedemail.com (Postfix) with ESMTP id DA829A0005 for ; Fri, 22 Mar 2024 19:35:15 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=gSfPshka; spf=pass (imf15.hostedemail.com: domain of yosryahmed@google.com designates 209.85.218.41 as permitted sender) smtp.mailfrom=yosryahmed@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1711136116; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=rXqOQnNFRwMLeAFwVnfS1d69pjTN9VKzYQaXxC0ZHsQ=; b=nr/vPa+Z7JSyZI5yehNvMwpSa5d3X+tx6K5Vs8x79EuirsMiDDpK+jXE5v8S2JMZci0+Ye xH8CJsbkFVwkYNjrWd2XaPOJaC6/wdG4UwoOhiEt6/cRETNNEFyGCfOGan9EQ/+CyiIsRU H1Cv0Eos8HwF8Qrr4PKOEwcNh+BEWiQ= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1711136116; a=rsa-sha256; cv=none; b=v/rDgD9+Ppl8fXnptXGmTgY5KCQgaiim6Rq3FbvVLdObg+Y37NWhpC0+LKbS40urOdJCXV iINmp6ogTyTt2m0EI/pnnkyhqeXUvluJV79YI+Yz7CvsAAXVQ1NhzRvrKzk+hcCvZ7yaEy QbXEVXOZ2EeRQIRqtUygWzNRsk/Wzmw= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=gSfPshka; spf=pass (imf15.hostedemail.com: domain of yosryahmed@google.com designates 209.85.218.41 as permitted sender) smtp.mailfrom=yosryahmed@google.com; dmarc=pass (policy=reject) header.from=google.com Received: by mail-ej1-f41.google.com with SMTP id a640c23a62f3a-a46ba938de0so350215366b.3 for ; Fri, 22 Mar 2024 12:35:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1711136114; x=1711740914; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=rXqOQnNFRwMLeAFwVnfS1d69pjTN9VKzYQaXxC0ZHsQ=; b=gSfPshkaOxTXgEEVHkJkdxeKt0Xu+/cZsqsAuTJNGy0kqRlskh2FV10GDGJSVE+Sjp M2IfDlvXqzFcp/hNhQUpQ545UHm8MTC4It2c33fyYw6eOjPLVJ563FfgiMKYuwkPUwzF zEKRvZEq+dRTsEIT2uV8JClEVzflk5uL4hBI6gQ9nViVuIUDA+SH+LpWAxksYKB9NkEM 9DHcoO4FDGDXrVof41Hw9mtvkzpXXExEUmDMrg9q8smBaNmraAp0kK1gOO3BwahCqWms soQJRBCXdTKEiI59nAQrrlFrRDSDsUYEHan9JnG9aSCSCBnTHb3Hrxf4cRRn7gWSSnw+ OG9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711136114; x=1711740914; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=rXqOQnNFRwMLeAFwVnfS1d69pjTN9VKzYQaXxC0ZHsQ=; b=OA1zEmpexy5VCPpZ7rR0AJgfX9HGb2dWODUAdIuIhhPsXTjhksMxqbEYJ3GdPBNlTO iuN10oq7WHwCWjqQznS48LXWO36OVnszfbTVI1OjfBCC6CfpiIw38gyjyLzoOO0MYQzo 4AdYWDzc8vsUTOrh+Ctu5OWl5Ik5ElM5vtixtISsAGcwYGzTIdGu8eg++mMP2WW/IW6V vUnGaTnQ3ey8r/TurlHglUEHuBhKqzRvgNgCr9u906WNfbp0U49B73pwsLPlzCllzNgT jubazvDwO6Nzxb94nInknrYLI3keTuuGzA4Il0FIZbeToD0v7qGG8Yt0cODV+4i9jO4z MLsQ== X-Forwarded-Encrypted: i=1; AJvYcCUeXSU4Ql9IAP3/muMjeRomnbc9st4Bs1mq0ej9dX55NlC8bURlctJsdduY48GpWK5QIayKsXVFpXRTj4puqw3iTs0= X-Gm-Message-State: AOJu0YyJq+F10/P3ygj/9DRCZ7CLC9GUWB1R5v40mIzLCMY6aMFbnZa3 rUnv4uEHsJ9JQydJG5F45VCrV9/8nYyiDIoRQrBNtP9APxeotKrJ3UEkQTpCxg6BYwwaSVmcfO5 TVgK5YIqsGYcpfG64wrZPC2bbUV0xPnMS+Fn3 X-Google-Smtp-Source: AGHT+IG56GnSx/icUKcpW2g1TdmDV8jpp8YYRBIDEDLsrlN53cdfS8z6kseUUUJKe+O2UFb9/tb+9l8ETduOCrlEOh4= X-Received: by 2002:a17:906:249a:b0:a46:cef3:4aba with SMTP id e26-20020a170906249a00b00a46cef34abamr404344ejb.75.1711136114064; Fri, 22 Mar 2024 12:35:14 -0700 (PDT) MIME-Version: 1.0 References: <01b0b8e8-af1d-4fbe-951e-278e882283fd@linux.dev> In-Reply-To: From: Yosry Ahmed Date: Fri, 22 Mar 2024 12:34:37 -0700 Message-ID: Subject: Re: [External] Re: [bug report] mm/zswap :memory corruption after zswap_load(). To: Zhongkun He Cc: Chengming Zhou , Johannes Weiner , Andrew Morton , linux-mm , wuyun.abel@bytedance.com, zhouchengming@bytedance.com, Nhat Pham , Kairui Song , Minchan Kim , David Hildenbrand , Barry Song <21cnbao@gmail.com>, Chris Li , Ying Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: DA829A0005 X-Rspam-User: X-Rspamd-Server: rspam11 X-Stat-Signature: i79n4p1zax7m6nuptkws9buf4ejdc6hj X-HE-Tag: 1711136115-649346 X-HE-Meta: U2FsdGVkX19z7Prz0XUeqfki7vLGdIJLcarcKmTWuZ5p6zdB2YrVlEDQhQEc8HIiKEMjZ+OknD941ao1L+9tcGVCTjtmMv5Vfh0Zu+iRWOfI59g2/wKjXwSG08lcFVIPosu66lcLUeui+yKGwI9D2Pr6P2YBUlDIM3Eec5gps4a+URg8aIJDuk3Im3DYJomUWpjnJSJesIUXf5mgQmwfmeKnlgv323/CcT070lO7MZdSn5hiz6p5el4JYGDh90Vd1Qk7sGGzsaC/AZfHgoJyqYjJ1WRuth2b3L0DRebVOYQSQWr6rTKnOlO5pl6+aR6klbuvSN4PQI2YED9aQ7KH2wjRcsf+o1+lUB5UObKaA7AJ0DNWc0eVR7fSBI5nwXUvLXeKlNJ9pZoxRdDufdK8SkjyeqseBeWfokFsaedmqcO3gfN/Kr4RNAMfBhPoQ1tHju/b43sIUjny+rqbyM7H6pGLJFSTZHLZbNaCdi6TT9v2PsqAUSE4Wbdv4aU4DVew/c0s0BDfM3d3E1crWPLa7fMMxTZlpEKqUBc6pyvc64UiQOQRZwbdK21jRQzIFNvc/8gMoxN9VihpJqNYaUGLKar/PfcARb5SjnnbICZhxVpAkZGrA6t67opZFJPj3QTy3c1VWNNO9Ccs8LBwhosvH9fIx0yVd7n2O05HgFlkmCDqqLz1dag0tq3T/AvpezAQ4XFA17bXVSsOB58HUfQNX0y7JSBjeUgRP1582QrvmxTc80SY1SwbgnquegDfekMGcnsJWjpu94t48lPEwEq5X+POyItJKEhLPHHya9rzaAslq5a06IQMBHmfHAt4EgJqJP9kCgT3k0Hxww6Azo4V4NhP8FWjP2IKoAyyyIA8h1IPVe8LHPXpnewd5AeKfyLq7uNl5KxEf0WPtsagZhG0gN1RZRXrpvlWOBuMZnJuGQ9E8P3wNINUEaWy2uoM0UawEF9H7+EIbLDESaOFk2R QD+U7dwa ovpXQlIhiVx2CBQzKT6kMptOmxwQcPgbqKAZCYpHQd0fAOAbZxsXxRkLKDldobelurKqpd9QwySlm45h3MNQWvnvuywu1071o/gY0fWKIVxG69tgc8irC0XJUU+5Jm42NQdIbyA40yacpWXw0dGn2QiuYBayS3yhLzB5m35TAgHdfFIYPZFzYQM+oDJKCWi6xLCxKSaJVXNiDBGedlgsDc/hibbe2HCt0WJ7rC2GmTBgFZHBByx74mzuhPpngTtnq8L7EMglPeDoib84DH+Ky9PH4eLMVyIQP7VHhvRWV+AQhelj5IUIgqVMCVozp/kskI489n52yWwlDrGps54Tx2yf+CQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Mar 21, 2024 at 8:04=E2=80=AFPM Zhongkun He wrote: > > On Thu, Mar 21, 2024 at 5:29=E2=80=AFPM Chengming Zhou wrote: > > > > On 2024/3/21 14:36, Zhongkun He wrote: > > > On Thu, Mar 21, 2024 at 1:24=E2=80=AFPM Chengming Zhou wrote: > > >> > > >> On 2024/3/21 13:09, Zhongkun He wrote: > > >>> On Thu, Mar 21, 2024 at 12:42=E2=80=AFPM Chengming Zhou > > >>> wrote: > > >>>> > > >>>> On 2024/3/21 12:34, Zhongkun He wrote: > > >>>>> Hey folks, > > >>>>> > > >>>>> Recently, I tested the zswap with memory reclaiming in the mainli= ne > > >>>>> (6.8) and found a memory corruption issue related to exclusive lo= ads. > > >>>> > > >>>> Is this fix included? 13ddaf26be32 ("mm/swap: fix race when skippi= ng swapcache") > > >>>> This fix avoids concurrent swapin using the same swap entry. > > >>>> > > >>> > > >>> Yes, This fix avoids concurrent swapin from different cpu, but the > > >>> reported issue occurs > > >>> on the same cpu. > > >> > > >> I think you may misunderstand the race description in this fix chang= elog, > > >> the CPU0 and CPU1 just mean two concurrent threads, not real two CPU= s. > > >> > > >> Could you verify if the problem still exists with this fix? > > > > > > Yes=EF=BC=8CI'm sure the problem still exists with this patch. > > > There is some debug info, not mainline. > > > > > > bpftrace -e'k:swap_readpage {printf("%lld, %lld,%ld,%ld,%ld\n%s", > > > ((struct page *)arg0)->private,nsecs,tid,pid,cpu,kstack)}' --include > > > linux/mm_types.h > > > > Ok, this problem seems only happen on SWP_SYNCHRONOUS_IO swap backends, > > which now include zram, ramdisk, pmem, nvdimm. > > Yes. > > > > > It maybe not good to use zswap on these swap backends? > > > > The problem here is the page fault handler tries to skip swapcache to > > swapin the folio (swap entry count =3D=3D 1), but then it can't install= folio > > to pte entry since some changes happened such as concurrent fork of ent= ry. > > > > The first page fault returned VM_FAULT_RETRY because > folio_lock_or_retry() failed. How so? The folio is newly allocated and not visible to any other threads or CPUs. swap_read_folio() unlocks it and then returns and we immediately try to lock it again with folio_lock_or_retry(). How does this fail? Let's go over what happens after swap_read_folio(): - The 'if (!folio)' code block will be skipped. - folio_lock_or_retry() should succeed as I mentioned earlier. - The 'if (swapcache)' code block will be skipped. - The pte_same() check should succeed on first look because other concurrent faulting threads should be held off by the newly introduced swapcache_prepare() logic. But looking deeper I think this one may fail due to a concurrent MADV_WILLNEED. - The 'if (unlikely(!folio_test_uptodate(folio)))` part will be skipped because swap_read_folio() marks the folio up-to-date. - After that point there is no possible failure until we install the pte, at which point concurrent faults will fail on !pte_same() and retry. So the only failure I think is possible is the pte_same() check. I see how a concurrent MADV_WILLNEED could cause that check to fail. A concurrent MADV_WILLNEED will block on swapcache_prepare(), but once the fault resolves it will go ahead and read the folio again into the swapcache. It seems like we will end up with two copies of the same folio? Maybe this is harmless because the folio in the swacache will never be used, but it is essentially leaked at that point, right? I feel like I am missing something. Adding other folks that were involved in the recent swapcache_prepare() synchronization thread. Anyway, I agree that at least in theory the data corruption could happen because of exclusive loads when skipping the swapcache, and we should fix that. Perhaps the right thing to do may be to write the folio again to zswap before unlocking it and before calling swapcache_clear(). The need for the write can be detected by checking if the folio is dirty, I think this will only be true if the folio was loaded from zswap.