On Wed, Feb 26, 2025 at 06:56:25PM +0000, Yosry Ahmed wrote:
> Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding
> the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock
> (through crypto_exit_scomp_ops_async()).
>
> On the other hand, crypto_alloc_acomp_node() holds the scomp_lock
> (through crypto_scomp_init_tfm()), and then allocates memory.
> If the allocation results in reclaim, we may attempt to hold the per-CPU
> acomp_ctx mutex.
>
> The above dependencies can cause an ABBA deadlock. For example in the
> following scenario:
>
> (1) Task A running on CPU #1:
> crypto_alloc_acomp_node()
> Holds scomp_lock
> Enters reclaim
> Reads per_cpu_ptr(pool->acomp_ctx, 1)
>
> (2) Task A is descheduled
>
> (3) CPU #1 goes offline
> zswap_cpu_comp_dead(CPU #1)
> Holds per_cpu_ptr(pool->acomp_ctx, 1))
> Calls crypto_free_acomp()
> Waits for scomp_lock
>
> (4) Task A running on CPU #2:
> Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1
> DEADLOCK
>
> Since there is no requirement to call crypto_free_acomp() with the
> per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the
> mutex is unlocked. Also move the acomp_request_free() and kfree() calls
> for consistency and to avoid any potential sublte locking dependencies
> in the future.
>
> With this, only setting acomp_ctx fields to NULL occurs with the mutex
> held. This is similar to how zswap_cpu_comp_prepare() only initializes
> acomp_ctx fields with the mutex held, after performing all allocations
> before holding the mutex.
>
> Opportunistically, move the NULL check on acomp_ctx so that it takes
> place before the mutex dereference.
>
> Fixes: 12dcb0ef5406 ("mm: zswap: properly synchronize freeing resources during CPU hotunplug")
> Reported-by: syzbot+1a517ccfcbc6a7ab0f82@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/all/67bcea51.050a0220.bbfd1.0096.GAE@xxxxxxxxxx/
> Cc: <stable@xxxxxxxxxxxxxxx>
> Co-developed-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Yosry Ahmed <yosry.ahmed@xxxxxxxxx>
> Acked-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> ---
>
> v1 -> v2:
> - Explained the problem more clearly in the commit message.
> - Moved all freeing calls outside the lock critical section.
> v1: https://lore.kernel.org/all/Z72FJnbA39zWh4zS@xxxxxxxxxxxxxxxxxxx/
>
> ---
Hi Andrew,
I don't see this patch in any MM tree, I think it's because there were
discussions about whether this should be fixed on the zswap side or the
crypto side.
I am not sure what the status of the crypto fix is, but if no one
objects I'd like to get this zswap fix merged anyway if possible.
> mm/zswap.c | 30 ++++++++++++++++++++++--------
> 1 file changed, 22 insertions(+), 8 deletions(-)
>
> diff --git a/mm/zswap.c b/mm/zswap.c
> index ac9d299e7d0c1..adf745c66aa1d 100644
> --- a/mm/zswap.c
> +++ b/mm/zswap.c
> @@ -881,18 +881,32 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node)
> {
> struct zswap_pool *pool = hlist_entry(node, struct zswap_pool, node);
> struct crypto_acomp_ctx *acomp_ctx = per_cpu_ptr(pool->acomp_ctx, cpu);
> + struct acomp_req *req;
> + struct crypto_acomp *acomp;
> + u8 *buffer;
> +
> + if (IS_ERR_OR_NULL(acomp_ctx))
> + return 0;
>
> mutex_lock(&acomp_ctx->mutex);
> - if (!IS_ERR_OR_NULL(acomp_ctx)) {
> - if (!IS_ERR_OR_NULL(acomp_ctx->req))
> - acomp_request_free(acomp_ctx->req);
> - acomp_ctx->req = NULL;
> - if (!IS_ERR_OR_NULL(acomp_ctx->acomp))
> - crypto_free_acomp(acomp_ctx->acomp);
> - kfree(acomp_ctx->buffer);
> - }
> + req = acomp_ctx->req;
> + acomp = acomp_ctx->acomp;
> + buffer = acomp_ctx->buffer;
> + acomp_ctx->req = NULL;
> + acomp_ctx->acomp = NULL;
> + acomp_ctx->buffer = NULL;
> mutex_unlock(&acomp_ctx->mutex);
>
> + /*
> + * Do the actual freeing after releasing the mutex to avoid subtle
> + * locking dependencies causing deadlocks.
> + */
> + if (!IS_ERR_OR_NULL(req))
> + acomp_request_free(req);
> + if (!IS_ERR_OR_NULL(acomp))
> + crypto_free_acomp(acomp);
> + kfree(buffer);
> +
> return 0;
> }
>
> --
> 2.48.1.658.g4767266eb4-goog
>
