Date: Fri, 22 Jan 2021 03:08:54 -0800 (PST)
From: Dan Carpenter
To: tiantao6@hisilicon.com
Cc: linux-mm@kvack.org
Subject: [bug report] mm/zswap: add the flag can_sleep_mapped

Hello Tian Tao,

The patch 6753c561f653: "mm/zswap: add the flag can_sleep_mapped" from
Jan 20, 2021, leads to the following static checker warning:

	mm/zswap.c:947 zswap_writeback_entry()
	error: potentially dereferencing uninitialized 'entry'.

mm/zswap.c
   927	static int zswap_writeback_entry(struct zpool *pool, unsigned long handle)
   928	{
   929		struct zswap_header *zhdr;
   930		swp_entry_t swpentry;
   931		struct zswap_tree *tree;
   932		pgoff_t offset;
   933		struct zswap_entry *entry;
   934		struct page *page;
   935		struct scatterlist input, output;
   936		struct crypto_acomp_ctx *acomp_ctx;
   937
   938		u8 *src, *tmp;
   939		unsigned int dlen;
   940		int ret;
   941		struct writeback_control wbc = {
   942			.sync_mode = WB_SYNC_NONE,
   943		};
   944
   945		if (!zpool_can_sleep_mapped(pool)) {
   946
   947			tmp = kmalloc(entry->length, GFP_ATOMIC);
			              ^^^^^^^^^^^^^
"entry" uninitialized.

   948			if (!tmp)
   949				return -ENOMEM;
   950		}
   951
   952		/* extract swpentry from data */
   953		zhdr = zpool_map_handle(pool, handle, ZPOOL_MM_RO);
   954		swpentry = zhdr->swpentry; /* here */
   955		tree = zswap_trees[swp_type(swpentry)];
   956		offset = swp_offset(swpentry);
   957
   958		/* find and ref zswap entry */
   959		spin_lock(&tree->lock);
   960		entry = zswap_entry_find_get(&tree->rbroot, offset);
   961		if (!entry) {
   962			/* entry was invalidated */
   963			spin_unlock(&tree->lock);
   964			zpool_unmap_handle(pool, handle);
   965			return 0;

memory leak.

   966		}
   967		spin_unlock(&tree->lock);
   968		BUG_ON(offset != entry->offset);
   969
   970		/* try to allocate swap cache page */
   971		switch (zswap_get_swap_cache_page(swpentry, &page)) {
   972		case ZSWAP_SWAPCACHE_FAIL: /* no memory or invalidate happened */
   973			ret = -ENOMEM;
   974			goto fail;
   975
   976		case ZSWAP_SWAPCACHE_EXIST:
   977			/* page is already in the swap cache, ignore for now */
   978			put_page(page);
   979			ret = -EEXIST;
   980			goto fail;
   981
   982		case ZSWAP_SWAPCACHE_NEW: /* page is locked */
   983			/* decompress */
   984			acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx);
   985
   986			dlen = PAGE_SIZE;
   987			src = (u8 *)zhdr + sizeof(struct zswap_header);
   988
   989			if (!zpool_can_sleep_mapped(pool)) {
   990
   991				memcpy(tmp, src, entry->length);
   992				src = tmp;
   993
   994				zpool_unmap_handle(pool, handle);

Why not just do a "src = tmp = kmemdup(src, entry->length, GFP_ATOMIC);"
right, here?  That would avoid unnecessary allocations for the other
cases.

This path calls zpool_unmap_handle() and it frees the "tmp" buffer.  The
other fail paths only free the "tmp" buffer but don't call
zpool_unmap_handle() so is that a leak?

   995			}
   996
   997			mutex_lock(acomp_ctx->mutex);
   998			sg_init_one(&input, src, entry->length);
   999			sg_init_table(&output, 1);
  1000			sg_set_page(&output, page, PAGE_SIZE, 0);
  1001			acomp_request_set_params(acomp_ctx->req, &input, &output, entry->length, dlen);
  1002			ret = crypto_wait_req(crypto_acomp_decompress(acomp_ctx->req), &acomp_ctx->wait);
  1003			dlen = acomp_ctx->req->dlen;
  1004			mutex_unlock(acomp_ctx->mutex);
  1005
  1006			BUG_ON(ret);
  1007			BUG_ON(dlen != PAGE_SIZE);
  1008
  1009			/* page is up to date */
  1010			SetPageUptodate(page);
  1011		}
  1012
  1013		/* move it to the tail of the inactive list after end_writeback */
  1014		SetPageReclaim(page);
  1015
  1016		/* start writeback */
  1017		__swap_writepage(page, &wbc, end_swap_bio_write);
  1018		put_page(page);
  1019		zswap_written_back_pages++;
  1020
  1021		spin_lock(&tree->lock);
  1022		/* drop local reference */
  1023		zswap_entry_put(tree, entry);
  1024
  1025		/*
  1026		 * There are two possible situations for entry here:
  1027		 * (1) refcount is 1(normal case), entry is valid and on the tree
  1028		 * (2) refcount is 0, entry is freed and not on the tree
  1029		 *     because invalidate happened during writeback
  1030		 * search the tree and free the entry if find entry
  1031		 */
  1032		if (entry == zswap_rb_search(&tree->rbroot, offset))
  1033			zswap_entry_put(tree, entry);
  1034		spin_unlock(&tree->lock);
  1035
  1036		goto end;
  1037
  1038		/*
  1039		 * if we get here due to ZSWAP_SWAPCACHE_EXIST
  1040		 * a load may be happening concurrently.
  1041		 * it is safe and okay to not free the entry.
  1042		 * if we free the entry in the following put
  1043		 * it is also okay to return !0
  1044		 */
  1045	fail:
  1046		spin_lock(&tree->lock);
  1047		zswap_entry_put(tree, entry);
  1048		spin_unlock(&tree->lock);
  1049
  1050	end:
  1051		if (zpool_can_sleep_mapped(pool))
  1052			zpool_unmap_handle(pool, handle);
  1053		else
  1054			kfree(tmp);
  1055
  1056		return ret;
  1057	}

regards,
dan carpenter
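
An added example, not part of the original message or of the kernel tree: a user-space C model of the exit-path discipline the report points toward. The bounce buffer is allocated only at the copy site, once the entry is known to be valid, and a single exit label releases exactly what is still held. The names pool, entry, map_handle, unmap_handle, writeback_model and run_case are constructed stand-ins, not kernel APIs.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space stand-ins; none of these are kernel APIs. */
struct entry { size_t length; };
struct pool { int can_sleep_mapped; int mapped; const unsigned char *data; };
static int live_bufs;	/* bounce buffers currently allocated */

static const unsigned char *map_handle(struct pool *p) { p->mapped++; return p->data; }
static void unmap_handle(struct pool *p) { p->mapped--; }

/* cache_err models a failing swap-cache step (0, -ENOMEM or -EEXIST). */
static int writeback_model(struct pool *p, struct entry *e, int cache_err)
{
	const unsigned char *src = map_handle(p);
	unsigned char *tmp = NULL;	/* stays NULL until a copy is needed */
	int mapped = 1, ret = e ? cache_err : 0;

	if (!e || ret)		/* invalidated entry or swap-cache failure */
		goto out;
	if (!p->can_sleep_mapped) {
		tmp = malloc(e->length);	/* e is known valid here */
		if (!tmp) {
			ret = -ENOMEM;
			goto out;
		}
		live_bufs++;
		memcpy(tmp, src, e->length);
		src = tmp;
		unmap_handle(p);	/* copy taken, mapping can go early */
		mapped = 0;
	}
	(void)src;		/* decompression from src would go here */
out:
	if (mapped)		/* unmap once, whichever path got here */
		unmap_handle(p);
	if (tmp)
		live_bufs--;
	free(tmp);
	return ret;
}

/* Returns the model's result, or 1 if a mapping or buffer is left behind. */
static int run_case(int can_sleep, int have_entry, int cache_err)
{
	struct pool p = { can_sleep, 0, (const unsigned char *)"abcd" };
	struct entry e = { 4 };
	int ret = writeback_model(&p, have_entry ? &e : NULL, cache_err);
	return (p.mapped || live_bufs) ? 1 : ret;
}
int main(void) { return run_case(0, 1, 0); }
```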