All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] mm, swap: Fix a race in free_swap_and_cache()
@ 2017-03-01 14:38 ` Huang, Ying
  0 siblings, 0 replies; 6+ messages in thread
From: Huang, Ying @ 2017-03-01 14:38 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Huang Ying, Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel,
	Tim Chen, linux-mm, linux-kernel

From: Huang Ying <ying.huang@intel.com>

Before using cluster lock in free_swap_and_cache(), the
swap_info_struct->lock will be held during freeing the swap entry and
acquiring page lock, so the page swap count will not change when
testing page information later.  But after using cluster lock, the
cluster lock (or swap_info_struct->lock) will be held only during
freeing the swap entry.  So before acquiring the page lock, the page
swap count may be changed in another thread.  If the page swap count
is not 0, we should not delete the page from the swap cache.  This is
fixed via checking page swap count again after acquiring the page
lock.

Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Shaohua Li <shli@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Tim Chen <tim.c.chen@intel.com>
---
 mm/swapfile.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/mm/swapfile.c b/mm/swapfile.c
index fadc6a1c0da0..5b67f8ce424c 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1109,6 +1109,18 @@ int page_swapcount(struct page *page)
 	return count;
 }
 
+static int swap_swapcount(struct swap_info_struct *si, swp_entry_t entry)
+{
+	int count = 0;
+	pgoff_t offset = swp_offset(entry);
+	struct swap_cluster_info *ci;
+
+	ci = lock_cluster_or_swap_info(si, offset);
+	count = swap_count(si->swap_map[offset]);
+	unlock_cluster_or_swap_info(si, ci);
+	return count;
+}
+
 /*
  * How many references to @entry are currently swapped out?
  * This does not give an exact answer when swap count is continued,
@@ -1117,17 +1129,11 @@ int page_swapcount(struct page *page)
 int __swp_swapcount(swp_entry_t entry)
 {
 	int count = 0;
-	pgoff_t offset;
 	struct swap_info_struct *si;
-	struct swap_cluster_info *ci;
 
 	si = __swap_info_get(entry);
-	if (si) {
-		offset = swp_offset(entry);
-		ci = lock_cluster_or_swap_info(si, offset);
-		count = swap_count(si->swap_map[offset]);
-		unlock_cluster_or_swap_info(si, ci);
-	}
+	if (si)
+		count = swap_swapcount(si, entry);
 	return count;
 }
 
@@ -1289,7 +1295,8 @@ int free_swap_and_cache(swp_entry_t entry)
 		 * Also recheck PageSwapCache now page is locked (above).
 		 */
 		if (PageSwapCache(page) && !PageWriteback(page) &&
-		    (!page_mapped(page) || mem_cgroup_swap_full(page))) {
+		    (!page_mapped(page) || mem_cgroup_swap_full(page)) &&
+		    !swap_swapcount(p, entry)) {
 			delete_from_swap_cache(page);
 			SetPageDirty(page);
 		}
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [PATCH] mm, swap: Fix a race in free_swap_and_cache()
@ 2017-03-01 14:38 ` Huang, Ying
  0 siblings, 0 replies; 6+ messages in thread
From: Huang, Ying @ 2017-03-01 14:38 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Huang Ying, Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel,
	Tim Chen, linux-mm, linux-kernel

From: Huang Ying <ying.huang@intel.com>

Before using cluster lock in free_swap_and_cache(), the
swap_info_struct->lock will be held during freeing the swap entry and
acquiring page lock, so the page swap count will not change when
testing page information later.  But after using cluster lock, the
cluster lock (or swap_info_struct->lock) will be held only during
freeing the swap entry.  So before acquiring the page lock, the page
swap count may be changed in another thread.  If the page swap count
is not 0, we should not delete the page from the swap cache.  This is
fixed via checking page swap count again after acquiring the page
lock.

Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Shaohua Li <shli@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Tim Chen <tim.c.chen@intel.com>
---
 mm/swapfile.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/mm/swapfile.c b/mm/swapfile.c
index fadc6a1c0da0..5b67f8ce424c 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1109,6 +1109,18 @@ int page_swapcount(struct page *page)
 	return count;
 }
 
+static int swap_swapcount(struct swap_info_struct *si, swp_entry_t entry)
+{
+	int count = 0;
+	pgoff_t offset = swp_offset(entry);
+	struct swap_cluster_info *ci;
+
+	ci = lock_cluster_or_swap_info(si, offset);
+	count = swap_count(si->swap_map[offset]);
+	unlock_cluster_or_swap_info(si, ci);
+	return count;
+}
+
 /*
  * How many references to @entry are currently swapped out?
  * This does not give an exact answer when swap count is continued,
@@ -1117,17 +1129,11 @@ int page_swapcount(struct page *page)
 int __swp_swapcount(swp_entry_t entry)
 {
 	int count = 0;
-	pgoff_t offset;
 	struct swap_info_struct *si;
-	struct swap_cluster_info *ci;
 
 	si = __swap_info_get(entry);
-	if (si) {
-		offset = swp_offset(entry);
-		ci = lock_cluster_or_swap_info(si, offset);
-		count = swap_count(si->swap_map[offset]);
-		unlock_cluster_or_swap_info(si, ci);
-	}
+	if (si)
+		count = swap_swapcount(si, entry);
 	return count;
 }
 
@@ -1289,7 +1295,8 @@ int free_swap_and_cache(swp_entry_t entry)
 		 * Also recheck PageSwapCache now page is locked (above).
 		 */
 		if (PageSwapCache(page) && !PageWriteback(page) &&
-		    (!page_mapped(page) || mem_cgroup_swap_full(page))) {
+		    (!page_mapped(page) || mem_cgroup_swap_full(page)) &&
+		    !swap_swapcount(p, entry)) {
 			delete_from_swap_cache(page);
 			SetPageDirty(page);
 		}
-- 
2.11.0

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] mm, swap: Fix a race in free_swap_and_cache()
  2017-03-01 14:38 ` Huang, Ying
@ 2017-03-03 22:43   ` Andrew Morton
  -1 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2017-03-03 22:43 UTC (permalink / raw)
  To: Huang, Ying
  Cc: Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel, Tim Chen,
	linux-mm, linux-kernel

On Wed,  1 Mar 2017 22:38:09 +0800 "Huang, Ying" <ying.huang@intel.com> wrote:

> Before using cluster lock in free_swap_and_cache(), the
> swap_info_struct->lock will be held during freeing the swap entry and
> acquiring page lock, so the page swap count will not change when
> testing page information later.  But after using cluster lock, the
> cluster lock (or swap_info_struct->lock) will be held only during
> freeing the swap entry.  So before acquiring the page lock, the page
> swap count may be changed in another thread.  If the page swap count
> is not 0, we should not delete the page from the swap cache.  This is
> fixed via checking page swap count again after acquiring the page
> lock.

What are the user-visible runtime effects of this bug?  Please always
include this info when fixing things, thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] mm, swap: Fix a race in free_swap_and_cache()
@ 2017-03-03 22:43   ` Andrew Morton
  0 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2017-03-03 22:43 UTC (permalink / raw)
  To: Huang, Ying
  Cc: Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel, Tim Chen,
	linux-mm, linux-kernel

On Wed,  1 Mar 2017 22:38:09 +0800 "Huang, Ying" <ying.huang@intel.com> wrote:

> Before using cluster lock in free_swap_and_cache(), the
> swap_info_struct->lock will be held during freeing the swap entry and
> acquiring page lock, so the page swap count will not change when
> testing page information later.  But after using cluster lock, the
> cluster lock (or swap_info_struct->lock) will be held only during
> freeing the swap entry.  So before acquiring the page lock, the page
> swap count may be changed in another thread.  If the page swap count
> is not 0, we should not delete the page from the swap cache.  This is
> fixed via checking page swap count again after acquiring the page
> lock.

What are the user-visible runtime effects of this bug?  Please always
include this info when fixing things, thanks.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] mm, swap: Fix a race in free_swap_and_cache()
  2017-03-03 22:43   ` Andrew Morton
@ 2017-03-04 11:53     ` huang ying
  -1 siblings, 0 replies; 6+ messages in thread
From: huang ying @ 2017-03-04 11:53 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Huang, Ying, Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel,
	Tim Chen, linux-mm, LKML

Hi, Andrew,

Sorry, I clicked the wrong button in my mail client, so forgot Ccing
mailing list.  Sorry for duplicated mail.

On Sat, Mar 4, 2017 at 6:43 AM, Andrew Morton <akpm@linux-foundation.org> wrote:
> On Wed,  1 Mar 2017 22:38:09 +0800 "Huang, Ying" <ying.huang@intel.com> wrote:
>
>> Before using cluster lock in free_swap_and_cache(), the
>> swap_info_struct->lock will be held during freeing the swap entry and
>> acquiring page lock, so the page swap count will not change when
>> testing page information later.  But after using cluster lock, the
>> cluster lock (or swap_info_struct->lock) will be held only during
>> freeing the swap entry.  So before acquiring the page lock, the page
>> swap count may be changed in another thread.  If the page swap count
>> is not 0, we should not delete the page from the swap cache.  This is
>> fixed via checking page swap count again after acquiring the page
>> lock.
>
> What are the user-visible runtime effects of this bug?  Please always
> include this info when fixing things, thanks.

Sure.  I find the race when I review the code, so I didn't trigger the
race via a test program.  If the race occurs for an anonymous page
shared by multiple processes via fork, multiple pages will be
allocated and swapped in from the swap device for the previously
shared one page.  That is, the user-visible runtime effect is more
memory will be used and the access latency for the page will be
higher, that is, the performance regression.

Best Regards,
Huang, Ying

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] mm, swap: Fix a race in free_swap_and_cache()
@ 2017-03-04 11:53     ` huang ying
  0 siblings, 0 replies; 6+ messages in thread
From: huang ying @ 2017-03-04 11:53 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Huang, Ying, Hugh Dickins, Shaohua Li, Minchan Kim, Rik van Riel,
	Tim Chen, linux-mm, LKML

Hi, Andrew,

Sorry, I clicked the wrong button in my mail client, so forgot Ccing
mailing list.  Sorry for duplicated mail.

On Sat, Mar 4, 2017 at 6:43 AM, Andrew Morton <akpm@linux-foundation.org> wrote:
> On Wed,  1 Mar 2017 22:38:09 +0800 "Huang, Ying" <ying.huang@intel.com> wrote:
>
>> Before using cluster lock in free_swap_and_cache(), the
>> swap_info_struct->lock will be held during freeing the swap entry and
>> acquiring page lock, so the page swap count will not change when
>> testing page information later.  But after using cluster lock, the
>> cluster lock (or swap_info_struct->lock) will be held only during
>> freeing the swap entry.  So before acquiring the page lock, the page
>> swap count may be changed in another thread.  If the page swap count
>> is not 0, we should not delete the page from the swap cache.  This is
>> fixed via checking page swap count again after acquiring the page
>> lock.
>
> What are the user-visible runtime effects of this bug?  Please always
> include this info when fixing things, thanks.

Sure.  I find the race when I review the code, so I didn't trigger the
race via a test program.  If the race occurs for an anonymous page
shared by multiple processes via fork, multiple pages will be
allocated and swapped in from the swap device for the previously
shared one page.  That is, the user-visible runtime effect is more
memory will be used and the access latency for the page will be
higher, that is, the performance regression.

Best Regards,
Huang, Ying

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-03-04 12:01 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-01 14:38 [PATCH] mm, swap: Fix a race in free_swap_and_cache() Huang, Ying
2017-03-01 14:38 ` Huang, Ying
2017-03-03 22:43 ` Andrew Morton
2017-03-03 22:43   ` Andrew Morton
2017-03-04 11:53   ` huang ying
2017-03-04 11:53     ` huang ying

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.