Received-SPF: pass (google.com: domain of linux-kernel+bounces-63887-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Message-ID: <8620c1a0-e091-46e9-418a-db66e621b9c4@quicinc.com>
Date: Tue, 13 Feb 2024 21:57:34 +0530
Precedence: bulk
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.13.0
Subject: Re: [PATCH] mm/huge_memory: fix swap entry values of tail pages of
 THP
Content-Language: en-US
To: David Hildenbrand <david@redhat.com>, <gregkh@linuxfoundation.org>,
        <akpm@linux-foundation.org>, <willy@infradead.org>, <vbabka@suse.cz>,
        <dhowells@redhat.com>, <surenb@google.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
        # see patch
 description <stable@vger.kernel.org>
References: <1707814102-22682-1-git-send-email-quic_charante@quicinc.com>
 <a683e199-ce8a-4534-a21e-65f2528415a6@redhat.com>
From: Charan Teja Kalla <quic_charante@quicinc.com>
In-Reply-To: <a683e199-ce8a-4534-a21e-65f2528415a6@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

Thanks David!!

On 2/13/2024 2:55 PM, David Hildenbrand wrote:
> On 13.02.24 09:48, Charan Teja Kalla wrote:
>> An anon THP page is first added to swap cache before reclaiming it.
>> Initially, each tail page contains the proper swap entry value(stored in
>> ->private field) which is filled from add_to_swap_cache(). After
> 
> This is a stable-only fix? In that case, it make sense to indicate that
> in the patch subject [PATCH STABLE vX.Y].
> 
Noted. Will take care of this from next time.

> But it's always odd to have stable-only fixes, the docs [1] don't cover
> that (maybe they should? or I missed it).
> 
Not sure If the below rules implicitly allows:
 - It or __an equivalent fix__ must already exist in Linus' tree (upstream).
 - It cannot be bigger than 100 lines, with context.

> [1]
> https://www.kernel.org/doc/Documentation/process/stable-kernel-rules.rst>
> So we are migrating a THP that was added to the swapcache. Do you have a
> reproducer?
> 
Yes, a bunch of them can be reproduced daily in our device farm which is
being tested on 6.1.

>> migrating the THP page sitting on the swap cache, only the swap entry of
>> the head page is filled(see folio_migrate_mapping()).
>>
>> Now when this page is tried to split(one case is when this page is again
>> migrated, see migrate_pages()->try_split_thp()), the tail pages
>> ->private is not stored with proper swap entry values.  When this tail
>> page is now try to be freed, as part of it delete_from_swap_cache() is
>> called which operates on the wrong swap cache index and eventually
>> replaces the wrong swap cache index with shadow/NULL value, frees the
>> page.
> 
> But what if we don't split the THP after migration. Is there anything
> else that can go wrong?
> 
> It's sufficient to look where upstream calls page_swap_entry():
> 
> For example, do_swap_page() will never be able to make progress, because
> the swap entry of the page does not correspond to the swap entry in the
> PTE? It can easily fault on a swap PTE that refers a THP subpage in the
> swapcache.
> 
> So unless I am missing something, only fixing this up during the split
> is insufficient. You have to fix it up during migration.
> 

I think you are right....My understanding is that below can make the
do_swap_page() will never be able to make progress:
do_swap_page:
		entry = pte_to_swp_entry(vmf->orig_pte);
		......
                if (unlikely(!folio_test_swapcache(folio) ||
                             page_private(page) != entry.val))
                        goto out_page;

This current patch is posted looking at the series in upstream that
looks simple, but that turn out to be not correct.

BTW, the fix we've tested internally is below discussed in [1].

diff --git a/mm/migrate.c b/mm/migrate.c
index 9f5f52d..8049f4e 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -427,10 +427,8 @@ int folio_migrate_mapping(struct address_space
*mapping,
        folio_ref_add(newfolio, nr); /* add cache reference */
        if (folio_test_swapbacked(folio)) {
                __folio_set_swapbacked(newfolio);
-               if (folio_test_swapcache(folio)) {
+               if (folio_test_swapcache(folio))
                        folio_set_swapcache(newfolio);
-                       newfolio->private = folio_get_private(folio);
-               }
                entries = nr;
        } else {
                VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio);
@@ -446,6 +444,8 @@ int folio_migrate_mapping(struct address_space *mapping,

        /* Swap cache still stores N entries instead of a high-order
entry */
        for (i = 0; i < entries; i++) {
+               set_page_private(folio_page(newfolio, i),
+                               folio_page(folio, i)->private);
                xas_store(&xas, newfolio);
                xas_next(&xas);
        }

[1]
https://lore.kernel.org/linux-mm/69cb784f-578d-ded1-cd9f-c6db04696336@quicinc.com/

>>
>> This leads to the state with a swap cache containing the freed page.
>> This issue can manifest in many forms and the most common thing observed
>> is the rcu stall during the swapin (see mapping_get_entry()).
>>
>> On the recent kernels, this issues is indirectly getting fixed with the
>> series[1], to be specific[2].
>>
>> When tried to back port this series, it is observed many merge
>> conflicts and also seems dependent on many other changes. As backporting
>> to LTS branches is not a trivial one, the similar change from [2] is
>> picked as a fix.
> 
> The fix is in
> 
> commit cfeed8ffe55b37fa10286aaaa1369da00cb88440
> Author: David Hildenbrand <david@redhat.com>
> Date:   Mon Aug 21 18:08:46 2023 +0200
> 
>     mm/swap: stop using page->private on tail pages for THP_SWAP
> 
>>
>> [1] https://lore.kernel.org/all/20230821160849.531668-1-david@redhat.com/
>> [2] https://lore.kernel.org/all/20230821160849.531668-5-david@redhat.com/
>>
>> Closes:
>> https://lore.kernel.org/linux-mm/69cb784f-578d-ded1-cd9f-c6db04696336@quicinc.com/
>> Fixes: 3417013e0d18 ("mm/migrate: Add folio_migrate_mapping()")
>> Cc: <stable@vger.kernel.org> # see patch description, applicable to <=6.1
>> Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
> 
> 3417013e0d18 went into 5.16.
> 
> cfeed8ffe55b3 went into 6.6.
> 
> So only 6.1 is affected.
> 

I tried to dig why the older kernels don't have this issue. The issue
persists on the older kernels too, AFAICS. See,
migrate_page_move_mapping().

So, The Fixes: tag too is unique for 6.1 kernel. And older LTS kernel
requires different tag it seems..

> 
> Isn't there a way to bite the bullet and backport that series to 6.1
> instead?

My worry is that, because of merge conflicts, not sure If It can end up
in inducing some other issues.

Although we didn't test THP on older kernels, from the code walk, it
seems issue persists to me on older to 6.1 kernel, unless I am missing
something here. So back porting of this series to all those LTS kernels,
may not be a straight forward?

So, I am really not sure of what is the way forward here...
>

Thanks.