2022-07-30 05:01:57

by Matthew Wilcox (Oracle)

Subject: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

If we allocate a new page, we need to make sure that our folio matches
that new page. This will be solved by changing shmem_replace_page()
to shmem_replace_folio(), but this is the minimal fix.

Fixes: da08e9b79323 ("mm/shmem: convert shmem_swapin_page() to shmem_swapin_folio()")
Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>
---
mm/shmem.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/mm/shmem.c b/mm/shmem.c
index a6f565308133..bcc0a3c7b5bf 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,

if (shmem_should_replace_folio(folio, gfp)) {
error = shmem_replace_page(&page, gfp, info, index);
+ folio = page_folio(page);
if (error)
goto failed;
}
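Review bot: the added `folio = page_folio(page);` sits before the `if (error)` check, so the refresh is only correct if shmem_replace_page() leaves `*pagep` untouched when it fails; nothing in the hunk shows that, so either move the assignment under the success path (only the success path needs the new folio) or say in the changelog why the early assignment is safe. The changelog also states no user-visible effect of the stale folio and carries no Cc: stable tag despite the Fixes: line; say what happens once the stale folio is stored (the line after this hunk passes `folio` on to the page cache) and whether the fix should go to stable.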
--
2.35.1


2022-08-03 00:59:03

by Andrew Morton

Subject: Re: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

On Sat, 30 Jul 2022 05:25:18 +0100 "Matthew Wilcox (Oracle)" <[email protected]> wrote:

> If we allocate a new page, we need to make sure that our folio matches
> that new page. This will be solved by changing shmem_replace_page()
> to shmem_replace_folio(), but this is the minimal fix.
>
> ...
>
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,
>
> if (shmem_should_replace_folio(folio, gfp)) {
> error = shmem_replace_page(&page, gfp, info, index);
> + folio = page_folio(page);
> if (error)
> goto failed;
> }

What are the user-visible runtime effects of the bug?

Should we backport this into 5.19.X?

2022-08-03 03:20:04

by Matthew Wilcox (Oracle)

Subject: Re: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

On Tue, Aug 02, 2022 at 05:46:37PM -0700, Andrew Morton wrote:
> On Sat, 30 Jul 2022 05:25:18 +0100 "Matthew Wilcox (Oracle)" <[email protected]> wrote:
>
> > If we allocate a new page, we need to make sure that our folio matches
> > that new page. This will be solved by changing shmem_replace_page()
> > to shmem_replace_folio(), but this is the minimal fix.
> >
> > ...
> >
> > --- a/mm/shmem.c
> > +++ b/mm/shmem.c
> > @@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,
> >
> > if (shmem_should_replace_folio(folio, gfp)) {
> > error = shmem_replace_page(&page, gfp, info, index);
> > + folio = page_folio(page);
> > if (error)
> > goto failed;
> > }
>
> What are the user-visible runtime effects of the bug?
>
> Should we backport this into 5.19.X?

Definitely should be backported. The next line not visible in this
patch context says:

	error = shmem_add_to_page_cache(folio, mapping, index,
					swp_to_radix_entry(swap), gfp,
					charge_mm);

so if we do end up in this path, we store the wrong page in the
shmem inode's page cache, and I would rather imagine that data
corruption ensues.
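The failure mode described above (a folio derived from `page` before the replacement, then handed to the page cache while the caller goes on using the new page), modelled in user-space C as an added example. This is not kernel code and not the thread's patch: `struct page`, the page pool, `page_folio()` as an identity cast, the toy page cache and `replace_page()` (which, like the real function is assumed to, leaves `*pagep` untouched on failure) are all constructed here to show the buggy and the fixed swap-in path side by side.

```c
/* Added example, not kernel code: user-space model of the stale-folio bug.
 * A "folio" is modelled as the page itself, which is enough to show why a
 * folio taken before the replacement goes stale. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct page {
	char data[16];
};
typedef struct page folio_t;		/* model: folio == page (assumption) */

static folio_t *page_folio(struct page *page)
{
	return (folio_t *)page;
}

/* Constructed page pool and a four-slot "shmem page cache". */
static struct page pool[8];
static int next_free;
static folio_t *page_cache[4];

static struct page *alloc_page(const char *contents)
{
	if (next_free >= (int)(sizeof pool / sizeof pool[0]))
		return NULL;
	struct page *p = &pool[next_free++];
	strncpy(p->data, contents, sizeof p->data - 1);
	p->data[sizeof p->data - 1] = '\0';
	return p;
}

/* Model of shmem_replace_page(): copy into a fresh page and point *pagep
 * at it.  On failure *pagep is left untouched (assumed, as in the thread). */
static int replace_page(struct page **pagep)
{
	struct page *newpage = alloc_page((*pagep)->data);
	if (!newpage)
		return -ENOMEM;
	*pagep = newpage;
	return 0;
}

static void add_to_page_cache(folio_t *folio, unsigned index)
{
	page_cache[index] = folio;
}

/* Swap-in path before the fix: folio derived once, never refreshed, so
 * after a replacement the cache ends up holding the old page. */
static struct page *swapin_buggy(struct page *page, unsigned index, bool replace)
{
	folio_t *folio = page_folio(page);

	if (replace && replace_page(&page))
		return NULL;
	add_to_page_cache(folio, index);
	return page;
}

/* Same path with the one-line fix from the patch applied. */
static struct page *swapin_fixed(struct page *page, unsigned index, bool replace)
{
	folio_t *folio = page_folio(page);

	if (replace) {
		int error = replace_page(&page);
		folio = page_folio(page);	/* the fix: folio tracks page */
		if (error)
			return NULL;
	}
	add_to_page_cache(folio, index);
	return page;
}

/* Run one scenario; true when the page handed back to the caller is the
 * object the cache holds, so a later write through it is visible there. */
static bool run_scenario(bool fixed, bool replace)
{
	next_free = 0;
	memset(page_cache, 0, sizeof page_cache);
	struct page *orig = alloc_page("swapped-in");
	struct page *got = fixed ? swapin_fixed(orig, 0, replace)
				 : swapin_buggy(orig, 0, replace);
	if (!got)
		return false;
	strcpy(got->data, "written-later");	/* caller writes its page */
	return page_cache[0] == got &&
	       strcmp(page_cache[0]->data, "written-later") == 0;
}

int main(void)
{
	printf("buggy, replaced: %s\n", run_scenario(false, true) ? "consistent" : "stale folio in cache");
	printf("fixed, replaced: %s\n", run_scenario(true, true) ? "consistent" : "stale folio in cache");
	return 0;
}
```

Without a replacement both paths agree; with one, the buggy path caches the pre-replacement object and the caller's later write never reaches it, which is the "wrong page in the shmem inode's page cache" outcome the reply describes.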

2022-08-05 20:40:21

by William Kucharski

Subject: Re: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

Looks good.

Reviewed-by: William Kucharski <[email protected]>

> On Aug 2, 2022, at 21:18, Matthew Wilcox <[email protected]> wrote:
>
> On Tue, Aug 02, 2022 at 05:46:37PM -0700, Andrew Morton wrote:
>>> On Sat, 30 Jul 2022 05:25:18 +0100 "Matthew Wilcox (Oracle)" <[email protected]> wrote:
>>>
>>> If we allocate a new page, we need to make sure that our folio matches
>>> that new page. This will be solved by changing shmem_replace_page()
>>> to shmem_replace_folio(), but this is the minimal fix.
>>>
>>> ...
>>>
>>> --- a/mm/shmem.c
>>> +++ b/mm/shmem.c
>>> @@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,
>>>
>>> if (shmem_should_replace_folio(folio, gfp)) {
>>> error = shmem_replace_page(&page, gfp, info, index);
>>> + folio = page_folio(page);
>>> if (error)
>>> goto failed;
>>> }
>>
>> What are the user-visible runtime effects of the bug?
>>
>> Should we backport this into 5.19.X?
>
> Definitely should be backported. The next line not visible in this
> patch context says:
>
> error = shmem_add_to_page_cache(folio, mapping, index,
> swp_to_radix_entry(swap), gfp,
> charge_mm);
>
> so if we do end up in this path, we store the wrong page in the
> shmem inode's page cache, and I would rather imagine that data
> corruption ensues.
>

2022-08-05 20:55:16

by William Kucharski

Subject: Re: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

Looks good.

Reviewed-by: William Kucharski <[email protected]>


> On Jul 29, 2022, at 10:25 PM, Matthew Wilcox (Oracle) <[email protected]> wrote:
>
> If we allocate a new page, we need to make sure that our folio matches
> that new page. This will be solved by changing shmem_replace_page()
> to shmem_replace_folio(), but this is the minimal fix.
>
> Fixes: da08e9b79323 ("mm/shmem: convert shmem_swapin_page() to shmem_swapin_folio()")
> Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>
> ---
> mm/shmem.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index a6f565308133..bcc0a3c7b5bf 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,
>
> if (shmem_should_replace_folio(folio, gfp)) {
> error = shmem_replace_page(&page, gfp, info, index);
> + folio = page_folio(page);
> if (error)
> goto failed;
> }
> --
> 2.35.1

2022-08-10 16:16:28

by Hugh Dickins

Subject: Re: [PATCH] shmem: Update folio if shmem_replace_page() updates the page

On Sat, 30 Jul 2022, Matthew Wilcox (Oracle) wrote:

> If we allocate a new page, we need to make sure that our folio matches
> that new page. This will be solved by changing shmem_replace_page()
> to shmem_replace_folio(), but this is the minimal fix.
>
> Fixes: da08e9b79323 ("mm/shmem: convert shmem_swapin_page() to shmem_swapin_folio()")
> Signed-off-by: Matthew Wilcox (Oracle) <[email protected]>

Acked-by: Hugh Dickins <[email protected]>

I hit this myself just once, at about the very time you sent the fix.
But, thinking that shmem_replace_page() was special for gma500, couldn't
understand how I (or most people) would ever get there. Turns out that
nowadays tmpfs symlinks longer than 128 can come this way on 32-bit (I
had been testing kmap_local stuff for other reasons).

And today I see that Zdenek hit it on 5.19-rc back in June:
https://lore.kernel.org/lkml/[email protected]/
so this patch is definitely one for -stable.

Hugh

> ---
> mm/shmem.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index a6f565308133..bcc0a3c7b5bf 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -1771,6 +1771,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index,
>
> if (shmem_should_replace_folio(folio, gfp)) {
> error = shmem_replace_page(&page, gfp, info, index);
> + folio = page_folio(page);
> if (error)
> goto failed;
> }
> --
> 2.35.1