Received: by 2002:ab2:6203:0:b0:1f5:f2ab:c469 with SMTP id o3csp676627lqt; Fri, 19 Apr 2024 07:22:49 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWuye8zdeWY0Qv3bSFD669HFz5Z7L45ND1tvSKlxDR69d1UupkuPaUhbUiGQWYWGmDXzwYD88+Hcwmm9k2pd35Coi83cWOX8G2xMtL1Mw== X-Google-Smtp-Source: AGHT+IFKfx/4Wfus+g+YGwy7fysMeh+JXGFpReRjzW9BBCT0brpM/hF3xtAwvb7Cf1ADxxX5gD+1 X-Received: by 2002:a67:f242:0:b0:47b:6053:c204 with SMTP id y2-20020a67f242000000b0047b6053c204mr2220536vsm.23.1713536568601; Fri, 19 Apr 2024 07:22:48 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1713536568; cv=pass; d=google.com; s=arc-20160816; b=u2H+TGyK1PvmoCEKrHP8N34U3zemckz4Ke7Q0oR80iU8Ce+fZ05Wbp2ywU4qFjN6cq 2udVZspokqBLmhiyQlLqRpb9+VzOmqaqwgdVcShm0zdKSqhAGyizxZKUTEwG/Ny46jSP gB+I3srDcwebvOc0VM2aRkJbWy+06VY024joBYZ5Ln7dQc83RcWX3fArt9XKBaK87dt3 Yqj2by4CsIRzK7ZEV4fTf6wJhzAfQB1Ues0uoHIdk/1nbZjA9rOMQYH4cwRfuNRLWZxr F/ELa5aZEJ5dj0arxCT/gQnumhAKpYj6h/m0Sz1EpB/5n7zgNNWK+JyR5DvZCUrpsZCO JNiA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=LbB4KcsnZXNmzG/MHQb9mgjRPkbbsvmUawk+gcbg5EQ=; fh=kPeRqXb6SkrXmsLn4g9yRK9Zg8kzFRfRkBo9O4Y8eoQ=; b=EmvOHwnEA9/b+FyHno9NQT08x0FyMPKzHq49EribJDWaVjRgg625u8XZbhUlYzuuSQ yLTofgtQl5wHhyMeYvLZvlQA3AMzLjql4hRrMtQU476v/SX1NgT02BytgEkA7H4klrAo nF380koteuTcfvVQJPB0M551Dzrxyh0T153W1sm6JSlPOmzvz0UqqV7BhvoyMscMcxf3 QTky8SKKHn3hQ6NXJFHfnTGdSYeSJeZxHT990U8HbTwrUKOq2++uOSFuRNOrD8eeqPRe y1gqXJ2pdiXb3J6xcIk8xEpxCFc8UyusL9k0LfMhbekxzBr87IyX+XYTWUs32K6121iq h3+Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@cmpxchg-org.20230601.gappssmtp.com header.s=20230601 header.b=RPcZBAc+; arc=pass (i=1 spf=pass spfdomain=cmpxchg.org dkim=pass dkdomain=cmpxchg-org.20230601.gappssmtp.com dmarc=pass fromdomain=cmpxchg.org); spf=pass (google.com: domain of linux-kernel+bounces-151576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-151576-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cmpxchg.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id g13-20020a0561020ccd00b0047b809a7e23si805209vst.435.2024.04.19.07.22.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Apr 2024 07:22:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-151576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@cmpxchg-org.20230601.gappssmtp.com header.s=20230601 header.b=RPcZBAc+; arc=pass (i=1 spf=pass spfdomain=cmpxchg.org dkim=pass dkdomain=cmpxchg-org.20230601.gappssmtp.com dmarc=pass fromdomain=cmpxchg.org); spf=pass (google.com: domain of linux-kernel+bounces-151576-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-151576-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cmpxchg.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 27D831C218C1 for ; Fri, 19 Apr 2024 14:22:48 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 91C0612D77D; Fri, 19 Apr 2024 14:22:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cmpxchg-org.20230601.gappssmtp.com header.i=@cmpxchg-org.20230601.gappssmtp.com header.b="RPcZBAc+" Received: from mail-qv1-f44.google.com (mail-qv1-f44.google.com [209.85.219.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 841D21292DC for ; Fri, 19 Apr 2024 14:22:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.44 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713536562; cv=none; b=S8GRj4jFE5NhlBcENMSsJfdGtLUo3wARORmphFIgtSEErbx3MiV5GlUIJDPu4kCuuBTiku8YNmKFsyqWNROmIDUXa/xxVWhFsx99DeJmt+9BvCKJStCAhTSxqzBkEfTEWbRNchk1Bqtc4NIvdWcB62DvaOh0UVFJmIp65/jlb3g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713536562; c=relaxed/simple; bh=+LiWUh2zMmA3ZvW6BiIH2guXxJ9WZ0K6RkAq9Pn05SI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=kYeXFMa787/rXKN13uMN8eRH+OQNxV2DtJSm2Sp0YNh3cRuAGtiWdydABocKp3gsrktD1hBxI5n8i6wsEQhmBuhDrznDEHzM8N0cNjAC7TFzqE5EGhbQLjvrwxW56fX0mOkBibovvmYp/vUYJ+kDhlUf9vOsBIqFMhXjmgFcLlg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cmpxchg.org; spf=pass smtp.mailfrom=cmpxchg.org; dkim=pass (2048-bit key) header.d=cmpxchg-org.20230601.gappssmtp.com header.i=@cmpxchg-org.20230601.gappssmtp.com header.b=RPcZBAc+; arc=none smtp.client-ip=209.85.219.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=cmpxchg.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cmpxchg.org Received: by mail-qv1-f44.google.com with SMTP id 6a1803df08f44-69cb4a046dfso7270036d6.2 for ; Fri, 19 Apr 2024 07:22:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cmpxchg-org.20230601.gappssmtp.com; s=20230601; t=1713536557; x=1714141357; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=LbB4KcsnZXNmzG/MHQb9mgjRPkbbsvmUawk+gcbg5EQ=; b=RPcZBAc+vReJTc4kGIYjReLCAN89malZo6YbnkAaoY/KPfSS2vGRMwdBdPT9uDEJjE VsLYEPiHJm0/heo1i33vvYtjGRl+6IQaiN+SGB1WZBtzoS6kDB/gdUaNCHPng7NhEvfo nIcya1SsBxdbwjeWgKF2DeikK6Kc8pKqgRvxKRX+q3CDeYSNTlekLfvUU9g7ZI1YiGYT YbAFHbcqJ7VZyrgNluj+uwuGklyjM4UTG7PH+M8MqtpJJTl9stVi2tL6sEdmVyWeWIfF io+k8oj/mf5dBE3o6NsfJ/1bun2YPpWaMtRLIChWSbZLMhvAaB+dL2Zkrg9ZsoWOsLvV GIZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713536557; x=1714141357; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=LbB4KcsnZXNmzG/MHQb9mgjRPkbbsvmUawk+gcbg5EQ=; b=ET8YvUuHIwQjCvcMJwEgV9QR1gokbdPAZSNKxUp6TxFbNc9FiB/btejeWs3Op+UOWv VXt9dTm1r22L5M8BGjHw6fJ0qDQykqSD2jPb3jGcYnOE01qBcDfVXXBoipNHOpH8OSi5 Mq8yjKBoaZ3KM8ilFoOA0KeDNfY813RYjBat+y8OGkKNGwCHTpAdffbqA1bGNaeb5Cpf QqVxqjBbDhbZwBsJ1dY8+5ktMn8+SDXgMW9yRADROuMdEvud+d2Zwah+Jdqh2F9MWXok pL4CssbptpOz1DTAfhkumZHLZvrvTiaFasvUlcjAMAfFMKjQ86lKPHr2Eq4cYE57L3QB MSww== X-Forwarded-Encrypted: i=1; AJvYcCWNW/6todNmAOim/vzeQG5EO6FeVcVES9+Gm2hC33lw7dTyHiBE7sX4mVUUpXGjuGBWt+zClf3kfspWaowYxLpPqlXRGxgX8OghT+ln X-Gm-Message-State: AOJu0Yy8/HseJ4Wz+TwGCLInbzqUOkwX8S5MSFO171Tz47nOOGXDVI/g tJQhkA0TX4uR3xlWf+6/U2/0ojzKzbArsZnPRLKhn8I9JG71hcSX9U0mso91Bww= X-Received: by 2002:ad4:5981:0:b0:69b:2897:4fc4 with SMTP id ek1-20020ad45981000000b0069b28974fc4mr2177086qvb.58.1713536557076; Fri, 19 Apr 2024 07:22:37 -0700 (PDT) Received: from localhost ([2620:10d:c091:400::5:fe4f]) by smtp.gmail.com with ESMTPSA id i11-20020a0cab4b000000b0069b59897310sm1582606qvb.63.2024.04.19.07.22.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 19 Apr 2024 07:22:36 -0700 (PDT) Date: Fri, 19 Apr 2024 10:22:31 -0400 From: Johannes Weiner To: Yosry Ahmed Cc: Christian Heusel , Chengming Zhou , Nhat Pham , Seth Jennings , Dan Streetman , Vitaly Wool , Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Runge , "Richard W.M. Jones" , Mark W , regressions@lists.linux.dev Subject: Re: [REGRESSION] Null pointer dereference while shrinking zswap Message-ID: <20240419142231.GD1055428@cmpxchg.org> References: <3iccc6vjl5gminut3lvpl4va2lbnsgku5ei2d7ylftoofy3n2v@gcfdvtsq6dx2> <246c1f4d-af13-40fa-b968-fbaf36b8f91f@linux.dev> <20240417143324.GA1055428@cmpxchg.org> <4c3ppfjxnrqx6g52qvvhqzcc4pated2q5g4mi32l22nwtrkqfq@a4lk6s5zcwvb> <20240418124043.GC1055428@cmpxchg.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Thu, Apr 18, 2024 at 01:09:22PM -0700, Yosry Ahmed wrote: > On Thu, Apr 18, 2024 at 5:40 AM Johannes Weiner wrote: > > > > On Wed, Apr 17, 2024 at 07:18:14PM +0200, Christian Heusel wrote: > > > On 24/04/17 10:33AM, Johannes Weiner wrote: > > > > > > > > Christian, can you please test the below patch on top of current > > > > upstream? > > > > > > > > > > Hey Johannes, > > > > > > I have applied your patch on top of 6.9-rc4 and it did solve the crash for > > > me, thanks for hacking together a fix so quickly! ???? > > > > > > Tested-By: Christian Heusel > > > > Thanks for confirming it, and sorry about the breakage. > > > > Andrew, can you please use the updated changelog below? > > > > --- > > > > From 52f67f5fab6a743c2aedfc8e04a582a9d1025c28 Mon Sep 17 00:00:00 2001 > > From: Johannes Weiner > > Date: Thu, 18 Apr 2024 08:26:28 -0400 > > Subject: [PATCH] mm: zswap: fix shrinker NULL crash with cgroup_disable=memory > > > > Christian reports a NULL deref in zswap that he bisected down to the > > zswap shrinker. The issue also cropped up in the bug trackers of > > libguestfs [1] and the Red Hat bugzilla [2]. > > > > The problem is that when memcg is disabled with the boot time flag, > > the zswap shrinker might get called with sc->memcg == NULL. This is > > okay in many places, like the lruvec operations. But it crashes in > > memcg_page_state() - which is only used due to the non-node accounting > > of cgroup's the zswap memory to begin with. > > > > Nhat spotted that the memcg can be NULL in the memcg-disabled case, > > and I was then able to reproduce the crash locally as well. > > > > [1] https://github.com/libguestfs/libguestfs/issues/139 > > [2] https://bugzilla.redhat.com/show_bug.cgi?id=2275252 > > > > Fixes: b5ba474f3f51 ("zswap: shrink zswap pool based on memory pressure") > > Cc: stable@vger.kernel.org [v6.8] > > Link: https://lkml.kernel.org/r/20240417143324.GA1055428@cmpxchg.org > > Reported-by: Christian Heusel > > Debugged-by: Nhat Pham > > Suggested-by: Nhat Pham > > Tested-By: Christian Heusel > > Signed-off-by: Johannes Weiner > > Thanks for fixing this. A couple of comments/questions below, but anyway LGTM: > > Acked-by: Yosry Ahmed > > > --- > > mm/zswap.c | 25 ++++++++++++++++--------- > > 1 file changed, 16 insertions(+), 9 deletions(-) > > > > diff --git a/mm/zswap.c b/mm/zswap.c > > index caed028945b0..6f8850c44b61 100644 > > --- a/mm/zswap.c > > +++ b/mm/zswap.c > > @@ -1331,15 +1331,22 @@ static unsigned long zswap_shrinker_count(struct shrinker *shrinker, > > if (!gfp_has_io_fs(sc->gfp_mask)) > > return 0; > > > > -#ifdef CONFIG_MEMCG_KMEM > > - mem_cgroup_flush_stats(memcg); > > - nr_backing = memcg_page_state(memcg, MEMCG_ZSWAP_B) >> PAGE_SHIFT; > > - nr_stored = memcg_page_state(memcg, MEMCG_ZSWAPPED); > > -#else > > - /* use pool stats instead of memcg stats */ > > - nr_backing = zswap_pool_total_size >> PAGE_SHIFT; > > - nr_stored = atomic_read(&zswap_nr_stored); > > -#endif > > + /* > > + * For memcg, use the cgroup-wide ZSWAP stats since we don't > > + * have them per-node and thus per-lruvec. Careful if memcg is > > + * runtime-disabled: we can get sc->memcg == NULL, which is ok > > + * for the lruvec, but not for memcg_page_state(). > > + * > > + * Without memcg, use the zswap pool-wide metrics. > > + */ > > + if (!mem_cgroup_disabled()) { > > With the current shrinker code, it seems like we cannot get sc->memcg > == NULL unless mem_cgroup_disabled() is true indeed. However, maybe > it's better to check if sc->memcg is not NULL directly instead? > > This would be more resilient in case the shrinker code changes and > passing sc->memcg == NULL becomes possible in other cases (e.g. during > global shrinking). It seems like other shrinkers do this, for example > see count_shadow_nodes() and deferred_split_count(). Eh, I'm not sure it's better or worse, so it's a bit hard to care. We shouldn't get NULL here when memcg is enabled, and if somebody introduces that bug it's better to catch it early than run into subtle priority inversions when the kernel is deployed to millions of hosts. > I am also wondering if we should also check !mem_cgroup_is_root() > here? We can avoid the expensive global flush and use the global stats > directly in this case. I could also send a follow up patch for this if > that's preferred. I'd rather not proliferate more memcg internals in this code. If this is a concern, optimizing it in the flush and stat functions would make more sense. Reclaim already flushes the subtree before getting here, so odds are good this is a no-op in most cases.