Re: [PATCH -mm] mm: Fix race between swapoff and mincore

Michal Hocko <mhocko@xxxxxxxxxx> · Fri, 16 Mar 2018 13:37:37 +0100



On Tue 13-03-18 09:20:36, Huang, Ying wrote:
> From: Huang Ying <ying.huang@xxxxxxxxx>
> 
> >From commit 4b3ef9daa4fc ("mm/swap: split swap cache into 64MB
> trunks") on, after swapoff, the address_space associated with the swap
> device will be freed.  So swap_address_space() users which touch the
> address_space need some kind of mechanism to prevent the address_space
> from being freed during accessing.
> 
> When mincore process unmapped range for swapped shmem pages, it
> doesn't hold the lock to prevent swap device from being swapoff.  So
> the following race is possible,
> 
> CPU1					CPU2
> do_mincore()				swapoff()
>   walk_page_range()
>     mincore_unmapped_range()
>       __mincore_unmapped_range
>         mincore_page
> 	  as = swap_address_space()
>           ...				  exit_swap_address_space()
>           ...				    kvfree(spaces)
> 	  find_get_page(as)
> 
> The address space may be accessed after being freed.
> 
> To fix the race, get_swap_device()/put_swap_device() is used to
> enclose find_get_page() to check whether the swap entry is valid and
> prevent the swap device from being swapoff during accessing.
> 
> Signed-off-by: "Huang, Ying" <ying.huang@xxxxxxxxx>

Fixes: 4b3ef9daa4fc ("mm/swap: split swap cache into 64MB  trunks")

> Cc: Minchan Kim <minchan@xxxxxxxxxx>
> Cc: Michal Hocko <mhocko@xxxxxxxx>
> Cc: Johannes Weiner <hannes@xxxxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxx>
> Cc: Hugh Dickins <hughd@xxxxxxxxxx>

Acked-by: Michal Hocko <mhocko@xxxxxxxx>

> ---
>  mm/mincore.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/mm/mincore.c b/mm/mincore.c
> index fc37afe226e6..a66f2052c7b1 100644
> --- a/mm/mincore.c
> +++ b/mm/mincore.c
> @@ -68,8 +68,16 @@ static unsigned char mincore_page(struct address_space *mapping, pgoff_t pgoff)
>  		 */
>  		if (radix_tree_exceptional_entry(page)) {
>  			swp_entry_t swp = radix_to_swp_entry(page);
> -			page = find_get_page(swap_address_space(swp),
> -					     swp_offset(swp));
> +			struct swap_info_struct *si;
> +
> +			/* Prevent swap device to being swapoff under us */
> +			si = get_swap_device(swp);
> +			if (si) {
> +				page = find_get_page(swap_address_space(swp),
> +						     swp_offset(swp));
> +				put_swap_device(si);
> +			} else
> +				page = NULL;
>  		}
>  	} else
>  		page = find_get_page(mapping, pgoff);
> -- 
> 2.15.1
> 

-- 
Michal Hocko
SUSE Labs