Received-SPF: pass (google.com: domain of linux-kernel+bounces-54429-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Precedence: bulk
MIME-Version: 1.0
References: <20240205110959.4021-1-ryncsn@gmail.com> <CAOUHufYYoW6Nn26YsdBwxDw8iNLRf2c6ZLoF530YCgYZ2uvikQ@mail.gmail.com>
In-Reply-To: <CAOUHufYYoW6Nn26YsdBwxDw8iNLRf2c6ZLoF530YCgYZ2uvikQ@mail.gmail.com>
From: Kairui Song <ryncsn@gmail.com>
Date: Tue, 6 Feb 2024 15:38:51 +0800
Message-ID: <CAMgjq7ALbFbmQDnt8KPwB0h9j5E5SBEJn7bC+NVMhX__U8w12Q@mail.gmail.com>
Subject: Re: [PATCH] mm/swap: fix race condition in direct swapin path
To: Yu Zhao <yuzhao@google.com>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>, 
	"Huang, Ying" <ying.huang@intel.com>, Chris Li <chrisl@kernel.org>, 
	Minchan Kim <minchan@kernel.org>, Hugh Dickins <hughd@google.com>, 
	Johannes Weiner <hannes@cmpxchg.org>, Matthew Wilcox <willy@infradead.org>, Michal Hocko <mhocko@suse.com>, 
	Yosry Ahmed <yosryahmed@google.com>, David Hildenbrand <david@redhat.com>, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Feb 6, 2024 at 2:03=E2=80=AFPM Yu Zhao <yuzhao@google.com> wrote:
>
> On Mon, Feb 5, 2024 at 4:10=E2=80=AFAM Kairui Song <ryncsn@gmail.com> wro=
te:
> >
> > From: Kairui Song <kasong@tencent.com>
> >
> > In the direct swapin path, when two or more threads swapin the same ent=
ry
>
> There is no other places referring to that path as "direct" swapin.
>
> I'd rephrase it as: "When skipping swapcache for SWP_SYNCHRONOUS_IO,
> ...", and similarly for the subject: "mm: fix race when skipping
> swapcache".

Good suggestion.

>
> > at the same time, they get different pages (A, B) because swap cache is
> > skipped. Before one thread (T0) finishes the swapin and installs page (=
A)
> > to the PTE, another thread (T1) could finish swapin of page (B),
> > swap_free the entry, then modify and swap-out the page again, using the
> > same entry. It break the pte_same check because PTE value is unchanged,
> > causing ABA problem. Then thread (T0) will then install the stalled pag=
e
> > (A) into the PTE so new data in page (B) is lost, one possible callstac=
k
> > is like this:
> >
> > CPU0                                CPU1
> > ----                                ----
> > do_swap_page()                      do_swap_page() with same entry
> > <direct swapin path>                <direct swapin path>
> > <alloc page A>                      <alloc page B>
> > swap_readpage() <- read to page A   swap_readpage() <- read to page B
> > <slow on later locks or interrupt>  <finished swapin first>
> > ...                                 set_pte_at()
> >                                     swap_free() <- Now the entry is fre=
ed.
> >                                     <write to page B, now page A stalle=
d>
> >                                     <swap out page B using same swap en=
try>
> > pte_same() <- Check pass, PTE seems
> >               unchanged, but page A
> >               is stalled!
> > swap_free() <- page B content lost!
> > set_pte_at() <- staled page A installed!
> >
> > To fix this, reuse swapcache_prepare which will pin the swap entry usin=
g
> > the cache flag, and allow only one thread to pin it. Release the pin
> > after PT unlocked. Racers will simply busy wait since it's a rare
> > and very short event.
> >
> > Other methods like increasing the swap count don't seem to be a good
> > idea after some tests, that will cause racers to fall back to the
> > cached swapin path, two swapin path being used at the same time
> > leads to a much more complex scenario.
> >
> > Reproducer:
> >
> > This race issue can be triggered easily using a well constructed
> > reproducer and patched brd (with a delay in read path) [1]:
> >
> > With latest 6.8 mainline, race caused data loss can be observed easily:
> > $ gcc -g -lpthread test-thread-swap-race.c && ./a.out
> >   Polulating 32MB of memory region...
> >   Keep swapping out...
> >   Starting round 0...
> >   Spawning 65536 workers...
> >   32746 workers spawned, wait for done...
> >   Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!
> >   Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!
> >   Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!
> >   Round 0 Failed, 15 data loss!
> >
> > This reproducer spawns multiple threads sharing the same memory region
> > using a small swap device. Every two threads updates mapped pages one b=
y
> > one in opposite direction trying to create a race, with one dedicated
> > thread keep swapping out the data out using madvise.
> >
> > The reproducer created a reproduce rate of about once every 5 minutes,
> > so the race should be totally possible in production.
> >
> > After this patch, I ran the reproducer for over a few hundred rounds
> > and no data loss observed.
> >
> > Performance overhead is minimal, microbenchmark swapin 10G from 32G
> > zram:
> >
> > Before:     10934698 us
> > After:      11157121 us
> > Non-direct: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)
> >
> > Fixes: 0bcac06f27d7 ("mm, swap: skip swapcache for swapin of synchronou=
s device")
> > Link: https://github.com/ryncsn/emm-test-project/tree/master/swap-stres=
s-race [1]
> > Signed-off-by: Kairui Song <kasong@tencent.com>
>
> Cc: stable@vger.kernel.org
>
> Acked-by: Yu Zhao <yuzhao@google.com>

Thanks!