On Fri 30-08-19 18:13:31, Vinayak Menon wrote:
> The following race is observed due to which a process faulting
> on a swap entry finds the page neither in swapcache nor swap. This
> causes zram to give a zero filled page that gets mapped to the
> process, resulting in a user space crash later.
>
> Consider parent and child processes Pa and Pb sharing the same swap
> slot with swap_count 2. Swap is on zram with SWP_SYNCHRONOUS_IO set.
> Virtual address 'VA' of Pa and Pb points to the shared swap entry.
>
> Pa                                       Pb
>
> fault on VA                              fault on VA
> do_swap_page                             do_swap_page
> lookup_swap_cache fails                  lookup_swap_cache fails
>                                          Pb scheduled out
> swapin_readahead (deletes zram entry)
> swap_free (makes swap_count 1)
>                                          Pb scheduled in
>                                          swap_readpage (swap_count == 1)
>                                          Takes SWP_SYNCHRONOUS_IO path
>                                          zram entry absent
>                                          zram gives a zero filled page

This sounds like a zram issue, right? Why is a generic swap path changed
then?

>
> Fix this by reading the swap_count before lookup_swap_cache, which conforms
> with the order in which page is added to swap cache and swap count is
> decremented in do_swap_page. In the race case above, this will let Pb take
> the readahead path and thus pick the proper page from swapcache.
>
> Signed-off-by: Vinayak Menon <vinmenon@xxxxxxxxxxxxxx>

-- 
Michal Hocko
SUSE Labs
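The ordering argument in the commit message (Pa adds the page to the swapcache before it drops the swap count, so Pb must read the count before it looks in the swapcache) can be checked exhaustively, because each side takes only two steps. The following program is an added example written for this page; it is not part of the patch or of the kernel, and `struct slot`, `pa_do`, `pb_do` and `count_bad_interleavings` are toy names for a two-step model of do_swap_page, not real kernel interfaces. It enumerates all six interleavings of Pa's two steps with Pb's two checks and counts those in which Pb misses the swapcache and then sees swap_count == 1, which is the condition under which the SWP_SYNCHRONOUS_IO path reads a zram entry that swapin_readahead already deleted.

```c
/* Added example: exhaustive interleaving check of the race from the
 * commit message. Hypothetical model, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

/* One shared swap slot as seen by Pa and Pb. */
struct slot {
    bool cached;  /* page present in swapcache (set by swapin_readahead) */
    int  count;   /* swap_count; starts at 2 because Pa and Pb share it */
};

/* Pa's two steps, in the order do_swap_page performs them. */
enum pa_step { PA_ADD_TO_SWAPCACHE = 0, PA_SWAP_FREE = 1 };

/* The order in which Pb performs its two checks: the order before the
 * patch (cache lookup first) and the order the patch proposes. */
enum pb_order { CACHE_THEN_COUNT, COUNT_THEN_CACHE };

/* What Pb observed during its two checks. */
struct pb_view {
    bool cache_hit;  /* result of lookup_swap_cache */
    int  count;      /* swap_count value it read */
};

static void pa_do(struct slot *s, int step)
{
    if (step == PA_ADD_TO_SWAPCACHE)
        s->cached = true;       /* swapin_readahead: page now in swapcache,
                                   zram entry deleted */
    else
        s->count--;             /* swap_free */
}

static void pb_do(const struct slot *s, enum pb_order o, int step,
                  struct pb_view *v)
{
    bool check_cache = (o == CACHE_THEN_COUNT) ? (step == 0) : (step == 1);
    if (check_cache)
        v->cache_hit = s->cached;
    else
        v->count = s->count;
}

/* Pb ends up with a zero page when its cache lookup missed and the count
 * it read was 1: count == 1 means Pa's swap_free already ran, which comes
 * after Pa's readahead, so the zram entry is gone and the synchronous
 * path has nothing to read. */
static bool pb_gets_zero_page(const struct pb_view *v)
{
    return !v->cache_hit && v->count == 1;
}

/* Run every interleaving of Pa's two steps with Pb's two checks (Pa at
 * positions i < j of the four-step schedule) and return how many of them
 * hand Pb a zero page. */
int count_bad_interleavings(enum pb_order o)
{
    int bad = 0;
    for (int i = 0; i < 4; i++) {
        for (int j = i + 1; j < 4; j++) {
            struct slot s = { .cached = false, .count = 2 };
            struct pb_view v = { .cache_hit = false, .count = 2 };
            int pa_step = 0, pb_step = 0;
            for (int pos = 0; pos < 4; pos++) {
                if (pos == i || pos == j)
                    pa_do(&s, pa_step++);
                else
                    pb_do(&s, o, pb_step++, &v);
            }
            if (pb_gets_zero_page(&v))
                bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("lookup_swap_cache before swap_count: %d bad interleaving(s)\n",
           count_bad_interleavings(CACHE_THEN_COUNT));
    printf("swap_count before lookup_swap_cache: %d bad interleaving(s)\n",
           count_bad_interleavings(COUNT_THEN_CACHE));
    return 0;
}
```

With the pre-patch order exactly one schedule is bad, and it is the one drawn in the commit message: Pb's lookup misses, then Pa's readahead and swap_free both run, then Pb reads count 1. With the count read first, a count of 2 sends Pb down the readahead path regardless of the lookup result, and a count of 1 implies Pa's readahead already completed, so the lookup hits; no schedule reaches the synchronous path with a missing entry. The model says nothing about whether the generic swap path or zram is the right place to fix this, which is the question raised in the reply above.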