lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGsJ_4xEM5od8Ebs4Kaejqw6DU8cu=YX+mfXejLoTuDySxjTOA@mail.gmail.com>
Date: Tue, 20 Feb 2024 23:26:57 +1300
From: Barry Song <21cnbao@...il.com>
To: Kairui Song <ryncsn@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org, 
	"Huang, Ying" <ying.huang@...el.com>, Chris Li <chrisl@...nel.org>, 
	Minchan Kim <minchan@...nel.org>, Barry Song <v-songbaohua@...o.com>, Yu Zhao <yuzhao@...gle.com>, 
	SeongJae Park <sj@...nel.org>, David Hildenbrand <david@...hat.com>, Hugh Dickins <hughd@...gle.com>, 
	Johannes Weiner <hannes@...xchg.org>, Matthew Wilcox <willy@...radead.org>, Michal Hocko <mhocko@...e.com>, 
	Yosry Ahmed <yosryahmed@...gle.com>, Aaron Lu <aaron.lu@...el.com>, stable@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] mm/swap: fix race when skipping swapcache

On Tue, Feb 20, 2024 at 5:56 PM Kairui Song <ryncsn@...il.com> wrote:
>
> On Tue, Feb 20, 2024 at 12:01 PM Barry Song <21cnbao@...il.com> wrote:
> >
> > On Tue, Feb 20, 2024 at 4:42 PM Kairui Song <ryncsn@...il.com> wrote:
> > >
> > > On Tue, Feb 20, 2024 at 9:31 AM Andrew Morton <akpm@...ux-foundation.org> wrote:
> > > >
> > > > On Mon, 19 Feb 2024 16:20:40 +0800 Kairui Song <ryncsn@...il.com> wrote:
> > > >
> > > > > From: Kairui Song <kasong@...cent.com>
> > > > >
> > > > > When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
> > > > > swapin the same entry at the same time, they get different pages (A, B).
> > > > > Before one thread (T0) finishes the swapin and installs page (A)
> > > > > to the PTE, another thread (T1) could finish swapin of page (B),
> > > > > swap_free the entry, then swap out the possibly modified page
> > > > > reusing the same entry. It breaks the pte_same check in (T0) because
> > > > > PTE value is unchanged, causing ABA problem. Thread (T0) will
> > > > > install a stalled page (A) into the PTE and cause data corruption.
> > > > >
> > > > > @@ -3867,6 +3868,20 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
> > > > >       if (!folio) {
> > > > >               if (data_race(si->flags & SWP_SYNCHRONOUS_IO) &&
> > > > >                   __swap_count(entry) == 1) {
> > > > > +                     /*
> > > > > +                      * Prevent parallel swapin from proceeding with
> > > > > +                      * the cache flag. Otherwise, another thread may
> > > > > +                      * finish swapin first, free the entry, and swapout
> > > > > +                      * reusing the same entry. It's undetectable as
> > > > > +                      * pte_same() returns true due to entry reuse.
> > > > > +                      */
> > > > > +                     if (swapcache_prepare(entry)) {
> > > > > +                             /* Relax a bit to prevent rapid repeated page faults */
> > > > > +                             schedule_timeout_uninterruptible(1);
> > > >
> > > > Well this is unpleasant.  How often can we expect this to occur?
> > > >
> > >
> > > The chance is very low, using the current mainline kernel and ZRAM,
> > > even with threads set to race on purpose using the reproducer I
> > > provides, for 647132 page faults it occured 1528 times (~0.2%).
> > >
> > > If I run MySQL and sysbench with 128 threads and 16G buffer pool, with
> > > 6G cgroup limit and 32G ZRAM, it occured 1372 times for 40 min,
> > > 109930201 page faults in total (~0.001%).
> >
>
> Hi Barry,
>
> > it might not be a problem for throughput. but for real-time and tail latency,
> > this hurts. For example, this might increase dropping frames of UI which
> > is an important parameter to evaluate performance :-)
> >
>

Hi Kairui,

> That's a true issue, as Chris mentioned before I think we need to
> think of some clever data struct to solve this more naturally in the
> future, similar issue exists for cached swapin as well and it has been
> there for a while. On the other hand I think maybe applications that
> are extremely latency sensitive should try to avoid swap on fault? A
> swapin could cause other issues like reclaim, throttled or contention
> with many other things, these seem to have a higher chance than this
> race.

ideally, if memory is very very large, we can avoid swap or mlock a
lot of things. In Android phones, most anon memory is actually in
swap as a system with limited memory.
For example, users might switch between a couple of applications.
some cold app could be entirely swapped. but those applications
can be re-activated by users all of a sudden.
We do mlock some limited memories. but we don't abuse mlock()
everywhere :-)
For a soft-real time system, a lot of other optimization is involved
to make sure RT/UI tasks can get priority on getting locks, memory
etc.
Overall we live together with swap but still try our best to make
important tasks have low latency.

The current patch, to me, seems to add a new place which makes
high priority tasks have no way to be done faster. But I do understand
the percentage is not high. And I have no doubt you have done your
best work on this.

I'm just curious if the number will increase a lot of times for large folios
swap-in as the conflicting memory range is enlarged. and also its
impact on UI and RT tasks.

Thus, I have followed up your work and made it support large folios
swap-in[1] as below. I will get phones to run it and update you with
the result after a couple of days(could be 3-4 weeks later).

Subject: [PATCH] mm: swap: introduce swapcache_prepare_nr and
 swapcache_clear_nr for large folios swap-in

Apply Kairui's work on large folios swap-in

Signed-off-by: Barry Song <v-songbaohua@...o.com>
---

diff --git a/include/linux/swap.h b/include/linux/swap.h
index a293ef17c2b6..f1cf64c9ccb5 100644
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -483,6 +483,7 @@ extern int add_swap_count_continuation(swp_entry_t, gfp_t);
 extern void swap_shmem_alloc(swp_entry_t);
 extern int swap_duplicate(swp_entry_t);
 extern int swapcache_prepare(swp_entry_t);
+extern int swapcache_prepare_nr(swp_entry_t, int nr);
 extern void swap_free(swp_entry_t);
 extern void swap_nr_free(swp_entry_t entry, int nr_pages);
 extern void swapcache_free_entries(swp_entry_t *entries, int n);
diff --git a/mm/memory.c b/mm/memory.c
index 2d27c087a39e..9cfd806a8236 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3905,7 +3905,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
                                 * reusing the same entry. It's undetectable as
                                 * pte_same() returns true due to entry reuse.
                                 */
-                               if (swapcache_prepare(entry)) {
+                               if (swapcache_prepare_nr(entry, nr_pages)) {
                                        /* Relax a bit to prevent
rapid repeated page faults */
                                        schedule_timeout_uninterruptible(1);
                                        goto out;
@@ -4194,7 +4194,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
 out:
        /* Clear the swap cache pin for direct swapin after PTL unlock */
        if (need_clear_cache)
-               swapcache_clear(si, entry);
+               swapcache_clear_nr(si, entry, nr_pages);
        if (si)
                put_swap_device(si);
        return ret;
@@ -4210,7 +4210,7 @@ vm_fault_t do_swap_page(struct vm_fault *vmf)
                folio_put(swapcache);
        }
        if (need_clear_cache)
-               swapcache_clear(si, entry);
+               swapcache_clear_nr(si, entry, nr_pages);
        if (si)
                put_swap_device(si);
        return ret;
diff --git a/mm/swap.h b/mm/swap.h
index 693d1b281559..a457496bd669 100644
--- a/mm/swap.h
+++ b/mm/swap.h
@@ -39,6 +39,7 @@ void delete_from_swap_cache(struct folio *folio);
 void clear_shadow_from_swap_cache(int type, unsigned long begin,
                                  unsigned long end);
 void swapcache_clear(struct swap_info_struct *si, swp_entry_t entry);
+void swapcache_clear_nr(struct swap_info_struct *si, swp_entry_t
entry, int nr);
 struct folio *swap_cache_get_folio(swp_entry_t entry,
                struct vm_area_struct *vma, unsigned long addr);
 struct folio *filemap_get_incore_folio(struct address_space *mapping,
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 6ecee63cf678..8c9d53f9f068 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -3322,65 +3322,76 @@ void si_swapinfo(struct sysinfo *val)
  * - swap-cache reference is requested but the entry is not used. -> ENOENT
  * - swap-mapped reference requested but needs continued swap count. -> ENOMEM
  */
-static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
+
+static int __swap_duplicate_nr(swp_entry_t entry, int nr, unsigned char usage)
 {
        struct swap_info_struct *p;
        struct swap_cluster_info *ci;
        unsigned long offset;
-       unsigned char count;
-       unsigned char has_cache;
-       int err;
+       unsigned char count[SWAPFILE_CLUSTER];
+       unsigned char has_cache[SWAPFILE_CLUSTER];
+       int err, i;

        p = swp_swap_info(entry);

        offset = swp_offset(entry);
        ci = lock_cluster_or_swap_info(p, offset);

-       count = p->swap_map[offset];
+       for (i = 0; i < nr; i++) {
+               count[i] = p->swap_map[offset + i];

-       /*
-        * swapin_readahead() doesn't check if a swap entry is valid, so the
-        * swap entry could be SWAP_MAP_BAD. Check here with lock held.
-        */
-       if (unlikely(swap_count(count) == SWAP_MAP_BAD)) {
-               err = -ENOENT;
-               goto unlock_out;
+               /*
+                * swapin_readahead() doesn't check if a swap entry is
valid, so the
+                * swap entry could be SWAP_MAP_BAD. Check here with lock held.
+                */
+               if (unlikely(swap_count(count[i]) == SWAP_MAP_BAD)) {
+                       err = -ENOENT;
+                       goto unlock_out;
+               }
+
+               has_cache[i] = count[i] & SWAP_HAS_CACHE;
+               count[i] &= ~SWAP_HAS_CACHE;
+               err = 0;
+
+               if (usage == SWAP_HAS_CACHE) {
+
+                       /* set SWAP_HAS_CACHE if there is no cache and
entry is used */
+                       if (!has_cache[i] && count[i])
+                               has_cache[i] = SWAP_HAS_CACHE;
+                       else if (has_cache[i])          /* someone
else added cache */
+                               err = -EEXIST;
+                       else                            /* no users remaining */
+                               err = -ENOENT;
+               } else if (count[i] || has_cache[i]) {
+
+                       if ((count[i] & ~COUNT_CONTINUED) < SWAP_MAP_MAX)
+                               count[i] += usage;
+                       else if ((count[i] & ~COUNT_CONTINUED) > SWAP_MAP_MAX)
+                               err = -EINVAL;
+                       else if (swap_count_continued(p, offset + i, count[i]))
+                               count[i] = COUNT_CONTINUED;
+                       else
+                               err = -ENOMEM;
+               } else
+                       err = -ENOENT;                  /* unused swap entry */
+
+               if (err)
+                       goto unlock_out;
        }

-       has_cache = count & SWAP_HAS_CACHE;
-       count &= ~SWAP_HAS_CACHE;
-       err = 0;
-
-       if (usage == SWAP_HAS_CACHE) {
-
-               /* set SWAP_HAS_CACHE if there is no cache and entry is used */
-               if (!has_cache && count)
-                       has_cache = SWAP_HAS_CACHE;
-               else if (has_cache)             /* someone else added cache */
-                       err = -EEXIST;
-               else                            /* no users remaining */
-                       err = -ENOENT;
-
-       } else if (count || has_cache) {
-
-               if ((count & ~COUNT_CONTINUED) < SWAP_MAP_MAX)
-                       count += usage;
-               else if ((count & ~COUNT_CONTINUED) > SWAP_MAP_MAX)
-                       err = -EINVAL;
-               else if (swap_count_continued(p, offset, count))
-                       count = COUNT_CONTINUED;
-               else
-                       err = -ENOMEM;
-       } else
-               err = -ENOENT;                  /* unused swap entry */
-
-       WRITE_ONCE(p->swap_map[offset], count | has_cache);
-
+       for (i = 0; i < nr; i++)
+               WRITE_ONCE(p->swap_map[offset + i], count[i] | has_cache[i]);
 unlock_out:
        unlock_cluster_or_swap_info(p, ci);
        return err;
 }

+
+static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
+{
+       return __swap_duplicate_nr(entry, 1, usage);
+}
+
 /*
  * Help swapoff by noting that swap entry belongs to shmem/tmpfs
  * (in which case its reference count is never incremented).
@@ -3419,17 +3430,33 @@ int swapcache_prepare(swp_entry_t entry)
        return __swap_duplicate(entry, SWAP_HAS_CACHE);
 }

-void swapcache_clear(struct swap_info_struct *si, swp_entry_t entry)
+int swapcache_prepare_nr(swp_entry_t entry, int nr)
+{
+       return __swap_duplicate_nr(entry, nr, SWAP_HAS_CACHE);
+}
+
+void swapcache_clear_nr(struct swap_info_struct *si, swp_entry_t entry, int nr)
 {
        struct swap_cluster_info *ci;
        unsigned long offset = swp_offset(entry);
-       unsigned char usage;
+       unsigned char usage[SWAPFILE_CLUSTER];
+       int i;

        ci = lock_cluster_or_swap_info(si, offset);
-       usage = __swap_entry_free_locked(si, offset, SWAP_HAS_CACHE);
+       for (i = 0; i < nr; i++)
+               usage[i] = __swap_entry_free_locked(si, offset + i,
SWAP_HAS_CACHE);
        unlock_cluster_or_swap_info(si, ci);
-       if (!usage)
-               free_swap_slot(entry);
+       for (i = 0; i < nr; i++) {
+               if (!usage[i]) {
+                       free_swap_slot(entry);
+                       entry.val++;
+               }
-
-       if (usage == SWAP_HAS_CACHE) {
-
-               /* set SWAP_HAS_CACHE if there is no cache and entry is used */
-               if (!has_cache && count)
-                       has_cache = SWAP_HAS_CACHE;
-               else if (has_cache)             /* someone else added cache */
-                       err = -EEXIST;
-               else                            /* no users remaining */
-                       err = -ENOENT;
-
-       } else if (count || has_cache) {
-
-               if ((count & ~COUNT_CONTINUED) < SWAP_MAP_MAX)
-                       count += usage;
-               else if ((count & ~COUNT_CONTINUED) > SWAP_MAP_MAX)
-                       err = -EINVAL;
-               else if (swap_count_continued(p, offset, count))
-                       count = COUNT_CONTINUED;
-               else
-                       err = -ENOMEM;
-       } else
-               err = -ENOENT;                  /* unused swap entry */
-
-       WRITE_ONCE(p->swap_map[offset], count | has_cache);
-
+       for (i = 0; i < nr; i++)
+               WRITE_ONCE(p->swap_map[offset + i], count[i] | has_cache[i]);
 unlock_out:
        unlock_cluster_or_swap_info(p, ci);
        return err;
 }

+
+static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
+{
+       return __swap_duplicate_nr(entry, 1, usage);
+}
+
 /*
  * Help swapoff by noting that swap entry belongs to shmem/tmpfs
  * (in which case its reference count is never incremented).
@@ -3419,17 +3430,33 @@ int swapcache_prepare(swp_entry_t entry)
        return __swap_duplicate(entry, SWAP_HAS_CACHE);
 }

-void swapcache_clear(struct swap_info_struct *si, swp_entry_t entry)
+int swapcache_prepare_nr(swp_entry_t entry, int nr)
+{
+       return __swap_duplicate_nr(entry, nr, SWAP_HAS_CACHE);
+}
+
+void swapcache_clear_nr(struct swap_info_struct *si, swp_entry_t entry, int nr)
 {
        struct swap_cluster_info *ci;
        unsigned long offset = swp_offset(entry);
-       unsigned char usage;
+       unsigned char usage[SWAPFILE_CLUSTER];
+       int i;

        ci = lock_cluster_or_swap_info(si, offset);
-       usage = __swap_entry_free_locked(si, offset, SWAP_HAS_CACHE);
+       for (i = 0; i < nr; i++)
+               usage[i] = __swap_entry_free_locked(si, offset + i,
SWAP_HAS_CACHE);
        unlock_cluster_or_swap_info(si, ci);
-       if (!usage)
-               free_swap_slot(entry);
+       for (i = 0; i < nr; i++) {
+               if (!usage[i]) {
+                       free_swap_slot(entry);
+                       entry.val++;
+               }
+       }
+}
+
+void swapcache_clear(struct swap_info_struct *si, swp_entry_t entry)
+{
+       swapcache_clear_nr(si, entry, 1);
 }

 struct swap_info_struct *swp_swap_info(swp_entry_t entry)

[1] https://lore.kernel.org/linux-mm/20240118111036.72641-1-21cnbao@gmail.com/

>
> > BTW, I wonder if ying's previous proposal - moving swapcache_prepare()
> > after swap_read_folio() will further help decrease the number?
>
> We can move the swapcache_prepare after folio alloc or cgroup charge,
> but I didn't see an observable change from statistics, for some
> workload the reading is even worse. I think that's mostly due to
> noise, or higher swap out rate since all raced threads will alloc an
> extra folio now. Applications that have many pages swapped out due to
> memory limit are already on the edge of triggering another reclaim, so
> a dozen more folio alloc could just trigger that...

sometimes. might not be edged because of this app, but because users
launch another app as foreground and this one becomes background.

>
> And we can't move it after swap_read_folio()... That's exactly what we
> want to protect.

understood, thanks!

Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ