Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp298624rwl;
        Thu, 6 Apr 2023 19:38:24 -0700 (PDT)
X-Google-Smtp-Source: AKy350aS59g2RKzxgbkOfagydCrrHaCYpcKA6J3ddrTK/O7PYIBsF/SCqYhhDDAsSrqKz1xfpZqL
X-Received: by 2002:a50:e713:0:b0:502:24a4:b0ad with SMTP id a19-20020a50e713000000b0050224a4b0admr397687edn.4.1680835104593;
        Thu, 06 Apr 2023 19:38:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680835104; cv=none;
        d=google.com; s=arc-20160816;
        b=aNh6tjNB4IPYIL0a669SKDgFvLndNxQdSgXfrVmZ8jhzjJ/6BdqyvMtlgpF7PIFOyU
         pXI2dqavUTr9TarGCAOh2DW42t5FhBjYOL+TDAOFm2XQDXBD1gLlFS0ViXOS50JXqMZf
         1dLEONjOyqur3FagiksKuN3tnAmYAY1z1Hf8xUNWdvQ+4Lj11DBfJqchvsTCXrO6UShn
         4fp3JskL//J6KT7ZMyWKZSQZJxzb9i206Qmkq0BDTPBSrQiXdNjUP671yWaZ8kZnF6ib
         GjpHrFIdo2lM2of00jQOEaSFMP5jIqD4HqlJSPnW1hIT8FJ082SMGoFi5LP9Pie6u/Hf
         OuSA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=s8LycYhhoDonglh0mKOW1z8HH74Qq8dbFmwY45FHmb8=;
        b=eNhSAIO/TNAG5WQQXeftJs6GiH/bjhk3o3STcdxmzcPlNmHv/H06thAXNahFt/pdgA
         Z5uz1G4BVOiJsPPdtG+q5wqZdn0tdm1sTmOKNcwv2LkWKwIOsoGsJYlOGH1HDKIoWTFp
         Rb0vRDzDImwVWu63OvVkGGeVD71WMWpXBXy16a0gn3teA3QiL2ZLqUgGV/+4WkMVDwJJ
         9/dBUXCVTPj1gEtgJg99zNZmQ6b8/WCppOOSOCC4YoLKTXsYVfdAOWqVMAwLxmd2NQYi
         nOgd4vOfZAzCBG77nyrJJL8r9g5pjFfUzHIdjbhK0cTR4hNxP55/OO4LmC+sGAgy+Ue/
         ri2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id x3-20020aa7d6c3000000b005026e488c81si2242770edr.520.2023.04.06.19.37.50;
        Thu, 06 Apr 2023 19:38:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240532AbjDGCUz (ORCPT <rfc822;anuragsharmaalwar@gmail.com>
        + 99 others); Thu, 6 Apr 2023 22:20:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57174 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S240502AbjDGCUy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Apr 2023 22:20:54 -0400
Received: from out30-130.freemail.mail.aliyun.com (out30-130.freemail.mail.aliyun.com [115.124.30.130])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 559A0A9;
        Thu,  6 Apr 2023 19:20:53 -0700 (PDT)
X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R161e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018045176;MF=rongwei.wang@linux.alibaba.com;NM=1;PH=DS;RN=7;SR=0;TI=SMTPD_---0VfUplq7_1680834049;
Received: from 30.221.130.130(mailfrom:rongwei.wang@linux.alibaba.com fp:SMTPD_---0VfUplq7_1680834049)
          by smtp.aliyun-inc.com;
          Fri, 07 Apr 2023 10:20:50 +0800
Message-ID: <97551857-b2fe-eb26-88a0-780951b873d7@linux.alibaba.com>
Date:   Fri, 7 Apr 2023 10:20:48 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
 Gecko/20100101 Thunderbird/102.9.1
Subject: Re: [PATCH v2] mm/swap: fix swap_info_struct race between swapoff and
 get_swap_pages()
Content-Language: en-US
To:     Aaron Lu <aaron.lu@intel.com>
Cc:     akpm@linux-foundation.org, bagasdotme@gmail.com,
        willy@infradead.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20230401221920.57986-1-rongwei.wang@linux.alibaba.com>
 <20230404154716.23058-1-rongwei.wang@linux.alibaba.com>
 <20230406140416.GA415291@ziqianlu-desk2>
 <20230406145754.GA440657@ziqianlu-desk2>
From:   Rongwei Wang <rongwei.wang@linux.alibaba.com>
In-Reply-To: <20230406145754.GA440657@ziqianlu-desk2>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-10.2 required=5.0 tests=ENV_AND_HDR_SPF_MATCH,
        NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,
        SPF_PASS,UNPARSEABLE_RELAY,USER_IN_DEF_SPF_WL autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 2023/4/6 22:57, Aaron Lu wrote:
> On Thu, Apr 06, 2023 at 10:04:16PM +0800, Aaron Lu wrote:
>> On Tue, Apr 04, 2023 at 11:47:16PM +0800, Rongwei Wang wrote:
>>> The si->lock must be held when deleting the si from
>>> the available list.  Otherwise, another thread can
>>> re-add the si to the available list, which can lead
>>> to memory corruption. The only place we have found
>>> where this happens is in the swapoff path. This case
>>> can be described as below:
>>>
>>> core 0                       core 1
>>> swapoff
>>>
>>> del_from_avail_list(si)      waiting
>>>
>>> try lock si->lock            acquire swap_avail_lock
>>>                               and re-add si into
>>>                               swap_avail_head
>>                                 confused here.
>>
>> If del_from_avail_list(si) finished in swaoff path, then this si should
>> not exist in any of the per-node avail list and core 1 should not be
>> able to re-add it.
> I think a possible sequence could be like this:
>
> cpuX                             cpuY
> swapoff                          put_swap_folio()
>
> del_from_avail_list(si)
>                                   taken si->lock
> spin_lock(&si->lock);
>
> 				 swap_range_free()
> 				 was_full && SWP_WRITEOK -> re-add!
> 				 drop si->lock
>
> taken si->lock
> proceed removing si
>
> End result: si left on avail_list after being swapped off.
>
> The problem is, in add_to_avail_list(), it has no idea this si is being
> swapped off and taking si->lock then del_from_avail_list() could avoid
> this problem, so I think this patch did the right thing but the
> changelog about how this happened needs updating and after that:

Hi Aaron

That's my fault. Actually, I don't refers specifically to 
swap_range_free() path in commit, mainly because cpuY can stand all 
threads which is waiting swap_avail_lock, then to call 
add_to_avail_list(), not only swap_range_free(), e.g. maybe swapon().

>
> Reviewed-by: Aaron Lu <aaron.lu@intel.com>

Thanks for your time.

-wrw

>
> Thanks,
> Aaron
>