| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 May 2022 14:40:40 +0800
From: Miaohe Lin <linmiaohe@...wei.com>
To: HORIGUCHI NAOYA(堀口 直也)
<naoya.horiguchi@....com>
CC: "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"hughd@...gle.com" <hughd@...gle.com>,
"willy@...radead.org" <willy@...radead.org>,
"vbabka@...e.cz" <vbabka@...e.cz>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"neilb@...e.de" <neilb@...e.de>,
"apopple@...dia.com" <apopple@...dia.com>,
"david@...hat.com" <david@...hat.com>,
"surenb@...gle.com" <surenb@...gle.com>,
"peterx@...hat.com" <peterx@...hat.com>,
"rcampbell@...dia.com" <rcampbell@...dia.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v4 4/5] mm/shmem: fix infinite loop when swap in shmem
error at swapoff time
On 2022/5/25 12:32, HORIGUCHI NAOYA(堀口 直也) wrote:
> On Thu, May 19, 2022 at 08:50:29PM +0800, Miaohe Lin wrote:
>> When swap in shmem error at swapoff time, there would be a infinite loop
>> in the while loop in shmem_unuse_inode(). It's because swapin error is
>> deliberately ignored now and thus info->swapped will never reach 0. So
>> we can't escape the loop in shmem_unuse().
>>
>> In order to fix the issue, swapin_error entry is stored in the mapping
>> when swapin error occurs. So the swapcache page can be freed and the
>> user won't end up with a permanently mounted swap because a sector is
>> bad. If the page is accessed later, the user process will be killed
>> so that corrupted data is never consumed. On the other hand, if the
>> page is never accessed, the user won't even notice it.
>>
>> Reported-by: Naoya Horiguchi <naoya.horiguchi@....com>
>> Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
>> ---
>
> ...
>> @@ -1672,6 +1676,36 @@ static int shmem_replace_page(struct page **pagep, gfp_t gfp,
>> return error;
>> }
>>
>> +static void shmem_set_folio_swapin_error(struct inode *inode, pgoff_t index,
>> + struct folio *folio, swp_entry_t swap)
>> +{
>> + struct address_space *mapping = inode->i_mapping;
>> + struct shmem_inode_info *info = SHMEM_I(inode);
>> + swp_entry_t swapin_error;
>> + void *old;
>> +
>> + swapin_error = make_swapin_error_entry(&folio->page);
>> + old = xa_cmpxchg_irq(&mapping->i_pages, index,
>> + swp_to_radix_entry(swap),
>> + swp_to_radix_entry(swapin_error), 0);
>> + if (old != swp_to_radix_entry(swap))
>> + return;
>> +
>> + folio_wait_writeback(folio);
>> + delete_from_swap_cache(&folio->page);
>> + spin_lock_irq(&info->lock);
>> + /*
>> + * Don't treat swapin error folio as alloced. Otherwise inode->i_blocks won't
>> + * be 0 when inode is released and thus trigger WARN_ON(inode->i_blocks) in
>> + * shmem_evict_inode.
>> + */
>> + info->alloced--;
>> + info->swapped--;
>
> I'm not familiar with folio yet and might miss some basic thing,
> but is it OK to decrement by one instead of folio_nr_pages()?
info->swapped is also decremented by one in shmem_swapin_folio(). In fact, no huge page
swapin is supported yet (this is also true for non-shmem case). So I think info->swapped--
should be OK. Or am I miss something?
>
> Thanks,
> Naoya Horiguchi
Many thanks for review and comment! It's really helpful! :)
>
Powered by blists - more mailing lists