| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Mar 2022 10:51:42 -0800
From: Yang Shi <shy828301@...il.com>
To: Miaohe Lin <linmiaohe@...wei.com>
Cc: HORIGUCHI NAOYA(堀口 直也)
<naoya.horiguchi@....com>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/4] mm/memory-failure.c: fix wrong user reference report
On Tue, Mar 8, 2022 at 5:11 AM Miaohe Lin <linmiaohe@...wei.com> wrote:
>
> On 2022/3/8 4:14, Yang Shi wrote:
> > On Mon, Mar 7, 2022 at 3:26 AM Miaohe Lin <linmiaohe@...wei.com> wrote:
> >>
> >> On 2022/3/4 16:27, HORIGUCHI NAOYA(堀口 直也) wrote:
> >>> On Mon, Feb 28, 2022 at 10:02:43PM +0800, Miaohe Lin wrote:
> >>>> The dirty swapcache page is still residing in the swap cache after it's
> >>>> hwpoisoned. So there is always one extra refcount for swap cache.
> >>>
> >>> The diff seems fine at a glance, but let me have a few question to
> >>> understand the issue more.
> >>>
> >>> - Is the behavior described above the effect of recent change on shmem where
> >>> dirty pagecache is pinned on hwpoison (commit a76054266661 ("mm: shmem:
> >>> don't truncate page if memory failure happens"). Or the older kernels
> >>> behave as the same?
> >>>
> >>> - Is the behavior true for normal anonymous pages (not shmem pages)?
> >>>
> >>
> >> The behavior described above is aimed at swapcache not pagecache. So it should be
> >> irrelevant with the recent change on shmem.
> >>
> >> What I try to fix here is that me_swapcache_dirty holds one extra pin via SwapCache
> >> regardless of the return value of delete_from_lru_cache. We should try to report more
> >> accurate extra refcount for debugging purpose.
> >
> > I think you misunderstood the code. The delete_from_lru_cache()
> > returning 0 means the page was on LRU and isolated from LRU
> > successfully now. Returning -EIO means the page was not on LRU, so it
> > should have at least an extra pin on it.
> >
> > So MF_DELAYED means there is no other pin other than hwpoison and
> > swapcache which is expected, MF_FAILED means there might be extra
> > pins.
> >
> > The has_extra_refcount() raised error then there is *unexpected* refcount.
>
> Many thanks for your explanation. It seems you're right. If page is held on
> the lru_pvecs when we try to do delete_from_lru_cache, and after that it's
> drained to the lru list( so its refcnt might be 2 now). Then we might have
> the following complain if extra_pins is always true:
> "Memory failure: ... still referenced by 0 users\n"
>
> But it seems the origin code can not report the correct reason too because
> if we retry, page can be delete_from_lru_cache and we can succeed now.
Retry is ok, but it seems overkilling to me IMHO.
>
> Anyway, many thanks for pointing this out.
>
> >
> >>
> >>> I'm trying to test hwpoison hitting the dirty swapcache, but it seems that
> >>> in my testing memory_faliure() fails with "hwpoison: unhandlable page"
> >>
> >> Maybe memory_faliure is racing with page reclaim where page is isolated?
> >>
> >>> warning at get_any_page(). So I'm still not sure that me_pagecache_dirty()
> >>> fixes any visible problem.
> >>
> >> IIUC, me_pagecache_dirty can't do much except for the corresponding address_space supporting
> >> error_remove_page which can truncate the dirty pagecache page. But this may cause silent data
> >> loss. It's better to keep the page stay in the pagecache until the file is truncated, hole
> >> punched or removed as commit a76054266661 pointed out.
> >>
> >> Thanks.
> >>
> >>>> Thanks,
> >>> Naoya Horiguchi
> >>>
> >>>>
> >>>> Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
> >>>> ---
> >>>> mm/memory-failure.c | 6 +-----
> >>>> 1 file changed, 1 insertion(+), 5 deletions(-)
> >>>>
> >>>> diff --git a/mm/memory-failure.c b/mm/memory-failure.c
> >>>> index 0d7c58340a98..5f9503573263 100644
> >>>> --- a/mm/memory-failure.c
> >>>> +++ b/mm/memory-failure.c
> >>>> @@ -984,7 +984,6 @@ static int me_pagecache_dirty(struct page_state *ps, struct page *p)
> >>>> static int me_swapcache_dirty(struct page_state *ps, struct page *p)
> >>>> {
> >>>> int ret;
> >>>> - bool extra_pins = false;
> >>>>
> >>>> ClearPageDirty(p);
> >>>> /* Trigger EIO in shmem: */
> >>>> @@ -993,10 +992,7 @@ static int me_swapcache_dirty(struct page_state *ps, struct page *p)
> >>>> ret = delete_from_lru_cache(p) ? MF_FAILED : MF_DELAYED;
> >>>> unlock_page(p);
> >>>>
> >>>> - if (ret == MF_DELAYED)
> >>>> - extra_pins = true;
> >>>> -
> >>>> - if (has_extra_refcount(ps, p, extra_pins))
> >>>> + if (has_extra_refcount(ps, p, true))
> >>>> ret = MF_FAILED;
> >>>>
> >>>> return ret;
> >>>> --
> >>>> 2.23.0
> >>
> >>
> > .
> >
>
Powered by blists - more mailing lists