From: Yosry Ahmed
Date: Thu, 18 Apr 2024 13:09:22 -0700
Subject: Re: [REGRESSION] Null pointer dereference while shrinking zswap
To: Johannes Weiner
Cc: Christian Heusel, Chengming Zhou, Nhat Pham, Seth Jennings, Dan Streetman, Vitaly Wool, Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Runge, "Richard W.M. Jones", Mark W, regressions@lists.linux.dev

On Thu, Apr 18, 2024 at 5:40 AM Johannes Weiner wrote:
>
> On Wed, Apr 17, 2024 at 07:18:14PM +0200, Christian Heusel wrote:
> > On 24/04/17 10:33AM, Johannes Weiner wrote:
> > >
> > > Christian, can you please test the below patch on top of current
> > > upstream?
> > >
> >
> > Hey Johannes,
> >
> > I have applied your patch on top of 6.9-rc4 and it did solve the crash for
> > me, thanks for hacking together a fix so quickly! 🤗
> >
> > Tested-By: Christian Heusel
>
> Thanks for confirming it, and sorry about the breakage.
>
> Andrew, can you please use the updated changelog below?
>
> ---
>
> From 52f67f5fab6a743c2aedfc8e04a582a9d1025c28 Mon Sep 17 00:00:00 2001
> From: Johannes Weiner
> Date: Thu, 18 Apr 2024 08:26:28 -0400
> Subject: [PATCH] mm: zswap: fix shrinker NULL crash with cgroup_disable=memory
>
> Christian reports a NULL deref in zswap that he bisected down to the
> zswap shrinker. The issue also cropped up in the bug trackers of
> libguestfs [1] and the Red Hat bugzilla [2].
>
> The problem is that when memcg is disabled with the boot time flag,
> the zswap shrinker might get called with sc->memcg == NULL. This is
> okay in many places, like the lruvec operations. But it crashes in
> memcg_page_state() - which is only used due to the non-node accounting
> of the cgroup's zswap memory to begin with.
>
> Nhat spotted that the memcg can be NULL in the memcg-disabled case,
> and I was then able to reproduce the crash locally as well.
>
> [1] https://github.com/libguestfs/libguestfs/issues/139
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=2275252
>
> Fixes: b5ba474f3f51 ("zswap: shrink zswap pool based on memory pressure")
> Cc: stable@vger.kernel.org [v6.8]
> Link: https://lkml.kernel.org/r/20240417143324.GA1055428@cmpxchg.org
> Reported-by: Christian Heusel
> Debugged-by: Nhat Pham
> Suggested-by: Nhat Pham
> Tested-By: Christian Heusel
> Signed-off-by: Johannes Weiner

Thanks for fixing this. A couple of comments/questions below, but anyway LGTM:

Acked-by: Yosry Ahmed

> ---
>  mm/zswap.c | 25 ++++++++++++++++---------
>  1 file changed, 16 insertions(+), 9 deletions(-)
>
> diff --git a/mm/zswap.c b/mm/zswap.c
> index caed028945b0..6f8850c44b61 100644
> --- a/mm/zswap.c
> +++ b/mm/zswap.c
> @@ -1331,15 +1331,22 @@ static unsigned long zswap_shrinker_count(struct shrinker *shrinker,
>         if (!gfp_has_io_fs(sc->gfp_mask))
>                 return 0;
>
> -#ifdef CONFIG_MEMCG_KMEM
> -       mem_cgroup_flush_stats(memcg);
> -       nr_backing = memcg_page_state(memcg, MEMCG_ZSWAP_B) >> PAGE_SHIFT;
> -       nr_stored = memcg_page_state(memcg, MEMCG_ZSWAPPED);
> -#else
> -       /* use pool stats instead of memcg stats */
> -       nr_backing = zswap_pool_total_size >> PAGE_SHIFT;
> -       nr_stored = atomic_read(&zswap_nr_stored);
> -#endif
> +       /*
> +        * For memcg, use the cgroup-wide ZSWAP stats since we don't
> +        * have them per-node and thus per-lruvec. Careful if memcg is
> +        * runtime-disabled: we can get sc->memcg == NULL, which is ok
> +        * for the lruvec, but not for memcg_page_state().
> +        *
> +        * Without memcg, use the zswap pool-wide metrics.
> +        */
> +       if (!mem_cgroup_disabled()) {

With the current shrinker code, it seems like we cannot get sc->memcg == NULL unless mem_cgroup_disabled() is true indeed. However, maybe it's better to check if sc->memcg is not NULL directly instead? This would be more resilient in case the shrinker code changes and passing sc->memcg == NULL becomes possible in other cases (e.g. during global shrinking). It seems like other shrinkers do this, for example see count_shadow_nodes() and deferred_split_count().

I am also wondering if we should also check !mem_cgroup_is_root() here? We can avoid the expensive global flush and use the global stats directly in this case. I could also send a follow up patch for this if that's preferred.

> +               mem_cgroup_flush_stats(memcg);
> +               nr_backing = memcg_page_state(memcg, MEMCG_ZSWAP_B) >> PAGE_SHIFT;
> +               nr_stored = memcg_page_state(memcg, MEMCG_ZSWAPPED);
> +       } else {
> +               nr_backing = zswap_pool_total_size >> PAGE_SHIFT;
> +               nr_stored = atomic_read(&zswap_nr_stored);
> +       }
>
>         if (!nr_stored)
>                 return 0;
> --
> 2.44.0
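Review bot: a build with CONFIG_MEMCG_KMEM disabled should be part of the testing for this hunk, since it drops the `#ifdef CONFIG_MEMCG_KMEM` / `#else` guard and the memcg branch (mem_cgroup_flush_stats(), memcg_page_state() with MEMCG_ZSWAP_B and MEMCG_ZSWAPPED) is now compiled in every configuration; nothing in the hunk shows that those calls still resolve when the option is off, and the old build-time split suggests that was the reason for it. A second point on the new guard: the added comment states the failing condition as `sc->memcg == NULL`, but the code tests `!mem_cgroup_disabled()`, which protects memcg_page_state() only by proxy; testing the pointer itself (`if (memcg) {`) would make the check match the comment and the actual precondition of memcg_page_state(), rather than the assumption that the shrinker never passes a NULL memcg for any other reason.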