| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Apr 2017 16:14:51 +0300
From: Andrey Ryabinin <aryabinin@...tuozzo.com>
To: Michal Hocko <mhocko@...nel.org>
CC: Shakeel Butt <shakeelb@...gle.com>,
Seth Jennings <sjenning@...hat.com>,
Dan Streetman <ddstreet@...e.org>,
Linux MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] mm/zswap: fix potential deadlock in
zswap_frontswap_store()
On 04/03/2017 03:45 PM, Michal Hocko wrote:
> On Mon 03-04-17 15:37:07, Andrey Ryabinin wrote:
>>
>>
>> On 04/03/2017 11:47 AM, Michal Hocko wrote:
>>> On Fri 31-03-17 10:00:30, Shakeel Butt wrote:
>>>> On Fri, Mar 31, 2017 at 8:30 AM, Andrey Ryabinin
>>>> <aryabinin@...tuozzo.com> wrote:
>>>>> zswap_frontswap_store() is called during memory reclaim from
>>>>> __frontswap_store() from swap_writepage() from shrink_page_list().
>>>>> This may happen in NOFS context, thus zswap shouldn't use __GFP_FS,
>>>>> otherwise we may renter into fs code and deadlock.
>>>>> zswap_frontswap_store() also shouldn't use __GFP_IO to avoid recursion
>>>>> into itself.
>>>>>
>>>>
>>>> Is it possible to enter fs code (or IO) from zswap_frontswap_store()
>>>> other than recursive memory reclaim? However recursive memory reclaim
>>>> is protected through PF_MEMALLOC task flag. The change seems fine but
>>>> IMHO reasoning needs an update. Adding Michal for expert opinion.
>>>
>>> Yes this is true.
>>
>> Actually, no. I think we have a bug in allocator which may lead to
>> recursive direct reclaim.
>>
>> E.g. for costly order allocations (or order > 0 &&
>> ac->migratetype != MIGRATE_MOVABLE) with __GFP_NOMEMALLOC
>> (gfp_pfmemalloc_allowed() returns false) __alloc_pages_slowpath()
>> may call __alloc_pages_direct_compact() and unconditionally clear
>> PF_MEMALLOC:
>
> Not sure what is the bug here. __GFP_NOMEMALLOC is supposed to inhibit
> PF_MEMALLOC. And we do not recurse to the reclaim path. We only do the
> compaction. Or what am I missing?
>
The bug here is that __alloc_pages_direct_compact() will *unconditionally* clear PF_MEMALLOC.
So if we already under direct reclaim (so PF_MEMALLOC was already set) __alloc_pages_direct_compact()
will clear that PF_MEMALLOC. If compaction failed we may go into direct reclaim again because
the following following if in __alloc_pages_slowpath() is false:
/* Avoid recursion of direct reclaim */
if (current->flags & PF_MEMALLOC)
goto nopage;
/* Try direct reclaim and then allocating */
page = __alloc_pages_direct_reclaim(gfp_mask, order, alloc_flags, ac,
So, recursion might look like this:
alloc_pages()
__perform_reclaim()
current->flags |= PF_MEMALLOC;
try_to_free_pages()
alloc_pages(__GFP_NONMEMALLOC):
__alloc_pages_direct_compact():
current->flags &= ~PF_MEMALLOC;
if (current->flags & PF_MEMALLOC) //now it's false
goto nopage;
__alloc_pages_direct_reclaim()
__perform_reclaim()
Powered by blists - more mailing lists