mm, swap: fix race between swapoff and some swap operations

When swapin is performed, after getting the swap entry information from
the page table, system will swap in the swap entry, without any lock held
to prevent the swap device from being swapoff.  This may cause the race
like below,

CPU 1				CPU 2
-----				-----
				do_swap_page
				  swapin_readahead
				    __read_swap_cache_async
swapoff				      swapcache_prepare
  p->swap_map = NULL		        __swap_duplicate
					  p->swap_map[?] /* !!! NULL pointer access */

Because swapoff is usually done when system shutdown only, the race may
not hit many people in practice.  But it is still a race need to be fixed.

To fix the race, get_swap_device() is added to check whether the specified
swap entry is valid in its swap device.  If so, it will keep the swap
entry valid via preventing the swap device from being swapoff, until
put_swap_device() is called.

Because swapoff() is very rare code path, to make the normal path runs as
fast as possible, rcu_read_lock/unlock() and synchronize_rcu() instead of
reference count is used to implement get/put_swap_device().  >From
get_swap_device() to put_swap_device(), RCU reader side is locked, so
synchronize_rcu() in swapoff() will wait until put_swap_device() is
called.

In addition to swap_map, cluster_info, etc.  data structure in the struct
swap_info_struct, the swap cache radix tree will be freed after swapoff,
so this patch fixes the race between swap cache looking up and swapoff
too.

Races between some other swap cache usages and swapoff are fixed too via
calling synchronize_rcu() between clearing PageSwapCache() and freeing
swap cache data structure.

Another possible method to fix this is to use preempt_off() +
stop_machine() to prevent the swap device from being swapoff when its data
structure is being accessed.  The overhead in hot-path of both methods is
similar.  The advantages of RCU based method are,

1. stop_machine() may disturb the normal execution code path on other
   CPUs.

2. File cache uses RCU to protect its radix tree.  If the similar
   mechanism is used for swap cache too, it is easier to share code
   between them.

3. RCU is used to protect swap cache in total_swapcache_pages() and
   exit_swap_address_space() already.  The two mechanisms can be
   merged to simplify the logic.

Link: http://lkml.kernel.org/r/20190522015423.14418-1-ying.huang@intel.com
Fixes: 235b62176712 ("mm/swap: add cluster lock")
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Not-nacked-by: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Jérôme Glisse <jglisse@redhat.com>
Cc: Yang Shi <yang.shi@linux.alibaba.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 122 insertions, 32 deletions

diff --git a/mm/swapfile.c b/mm/swapfile.c
index 596ac98051c5..dbab16ddefa6 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1079,12 +1079,11 @@ fail:
 static struct swap_info_struct *__swap_info_get(swp_entry_t entry)
 {
         struct swap_info_struct *p;
-        unsigned long offset, type;
+        unsigned long offset;
 
         if (!entry.val)
                 goto out;
-        type = swp_type(entry);
-        p = swap_type_to_swap_info(type);
+        p = swp_swap_info(entry);
         if (!p)
                 goto bad_nofile;
         if (!(p->flags & SWP_USED))
@@ -1187,6 +1186,69 @@ static unsigned char __swap_entry_free_locked(struct swap_info_struct *p,
         return usage;
 }
 
+/*
+ * Check whether swap entry is valid in the swap device.  If so,
+ * return pointer to swap_info_struct, and keep the swap entry valid
+ * via preventing the swap device from being swapoff, until
+ * put_swap_device() is called.  Otherwise return NULL.
+ *
+ * The entirety of the RCU read critical section must come before the
+ * return from or after the call to synchronize_rcu() in
+ * enable_swap_info() or swapoff().  So if "si->flags & SWP_VALID" is
+ * true, the si->map, si->cluster_info, etc. must be valid in the
+ * critical section.
+ *
+ * Notice that swapoff or swapoff+swapon can still happen before the
+ * rcu_read_lock() in get_swap_device() or after the rcu_read_unlock()
+ * in put_swap_device() if there isn't any other way to prevent
+ * swapoff, such as page lock, page table lock, etc.  The caller must
+ * be prepared for that.  For example, the following situation is
+ * possible.
+ *
+ *   CPU1                               CPU2
+ *   do_swap_page()
+ *     ...                              swapoff+swapon
+ *     __read_swap_cache_async()
+ *       swapcache_prepare()
+ *         __swap_duplicate()
+ *           // check swap_map
+ *     // verify PTE not changed
+ *
+ * In __swap_duplicate(), the swap_map need to be checked before
+ * changing partly because the specified swap entry may be for another
+ * swap device which has been swapoff.  And in do_swap_page(), after
+ * the page is read from the swap device, the PTE is verified not
+ * changed with the page table locked to check whether the swap device
+ * has been swapoff or swapoff+swapon.
+ */
+struct swap_info_struct *get_swap_device(swp_entry_t entry)
+{
+        struct swap_info_struct *si;
+        unsigned long offset;
+
+        if (!entry.val)
+                goto out;
+        si = swp_swap_info(entry);
+        if (!si)
+                goto bad_nofile;
+
+        rcu_read_lock();
+        if (!(si->flags & SWP_VALID))
+                goto unlock_out;
+        offset = swp_offset(entry);
+        if (offset >= si->max)
+                goto unlock_out;
+
+        return si;
+bad_nofile:
+        pr_err("%s: %s%08lx\n", __func__, Bad_file, entry.val);
+out:
+        return NULL;
+unlock_out:
+        rcu_read_unlock();
+        return NULL;
+}
+
 static unsigned char __swap_entry_free(struct swap_info_struct *p,
                                        swp_entry_t entry, unsigned char usage)
 {
@@ -1358,11 +1420,18 @@ int page_swapcount(struct page *page)
         return count;
 }
 
-int __swap_count(struct swap_info_struct *si, swp_entry_t entry)
+int __swap_count(swp_entry_t entry)
 {
+        struct swap_info_struct *si;
         pgoff_t offset = swp_offset(entry);
+        int count = 0;
 
-        return swap_count(si->swap_map[offset]);
+        si = get_swap_device(entry);
+        if (si) {
+                count = swap_count(si->swap_map[offset]);
+                put_swap_device(si);
+        }
+        return count;
 }
 
 static int swap_swapcount(struct swap_info_struct *si, swp_entry_t entry)
@@ -1387,9 +1456,11 @@ int __swp_swapcount(swp_entry_t entry)
         int count = 0;
         struct swap_info_struct *si;
 
-        si = __swap_info_get(entry);
-        if (si)
+        si = get_swap_device(entry);
+        if (si) {
                 count = swap_swapcount(si, entry);
+                put_swap_device(si);
+        }
         return count;
 }
 
@@ -2335,9 +2406,9 @@ static int swap_node(struct swap_info_struct *p)
         return bdev ? bdev->bd_disk->node_id : NUMA_NO_NODE;
 }
 
-static void _enable_swap_info(struct swap_info_struct *p, int prio,
-                                unsigned char *swap_map,
-                                struct swap_cluster_info *cluster_info)
+static void setup_swap_info(struct swap_info_struct *p, int prio,
+                            unsigned char *swap_map,
+                            struct swap_cluster_info *cluster_info)
 {
         int i;
 
@@ -2362,7 +2433,11 @@ static void _enable_swap_info(struct swap_info_struct *p, int prio,
         }
         p->swap_map = swap_map;
         p->cluster_info = cluster_info;
-        p->flags |= SWP_WRITEOK;
+}
+
+static void _enable_swap_info(struct swap_info_struct *p)
+{
+        p->flags |= SWP_WRITEOK | SWP_VALID;
         atomic_long_add(p->pages, &nr_swap_pages);
         total_swap_pages += p->pages;
 
@@ -2389,7 +2464,17 @@ static void enable_swap_info(struct swap_info_struct *p, int prio,
         frontswap_init(p->type, frontswap_map);
         spin_lock(&swap_lock);
         spin_lock(&p->lock);
-         _enable_swap_info(p, prio, swap_map, cluster_info);
+        setup_swap_info(p, prio, swap_map, cluster_info);
+        spin_unlock(&p->lock);
+        spin_unlock(&swap_lock);
+        /*
+         * Guarantee swap_map, cluster_info, etc. fields are valid
+         * between get/put_swap_device() if SWP_VALID bit is set
+         */
+        synchronize_rcu();
+        spin_lock(&swap_lock);
+        spin_lock(&p->lock);
+        _enable_swap_info(p);
         spin_unlock(&p->lock);
         spin_unlock(&swap_lock);
 }
@@ -2398,7 +2483,8 @@ static void reinsert_swap_info(struct swap_info_struct *p)
 {
         spin_lock(&swap_lock);
         spin_lock(&p->lock);
-        _enable_swap_info(p, p->prio, p->swap_map, p->cluster_info);
+        setup_swap_info(p, p->prio, p->swap_map, p->cluster_info);
+        _enable_swap_info(p);
         spin_unlock(&p->lock);
         spin_unlock(&swap_lock);
 }
@@ -2501,6 +2587,17 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
 
         reenable_swap_slots_cache_unlock();
 
+        spin_lock(&swap_lock);
+        spin_lock(&p->lock);
+        p->flags &= ~SWP_VALID;         /* mark swap device as invalid */
+        spin_unlock(&p->lock);
+        spin_unlock(&swap_lock);
+        /*
+         * wait for swap operations protected by get/put_swap_device()
+         * to complete
+         */
+        synchronize_rcu();
+
         flush_work(&p->discard_work);
 
         destroy_swap_extents(p);
@@ -3265,17 +3362,11 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
         unsigned char has_cache;
         int err = -EINVAL;
 
-        if (non_swap_entry(entry))
-                goto out;
-
-        p = swp_swap_info(entry);
+        p = get_swap_device(entry);
         if (!p)
-                goto bad_file;
-
-        offset = swp_offset(entry);
-        if (unlikely(offset >= p->max))
                 goto out;
 
+        offset = swp_offset(entry);
         ci = lock_cluster_or_swap_info(p, offset);
 
         count = p->swap_map[offset];
@@ -3321,11 +3412,9 @@ static int __swap_duplicate(swp_entry_t entry, unsigned char usage)
 unlock_out:
         unlock_cluster_or_swap_info(p, ci);
 out:
+        if (p)
+                put_swap_device(p);
         return err;
-
-bad_file:
-        pr_err("swap_dup: %s%08lx\n", Bad_file, entry.val);
-        goto out;
 }
 
 /*
@@ -3417,6 +3506,7 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask)
         struct page *list_page;
         pgoff_t offset;
         unsigned char count;
+        int ret = 0;
 
         /*
          * When debugging, it's easier to use __GFP_ZERO here; but it's better
@@ -3424,15 +3514,15 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask)
          */
         page = alloc_page(gfp_mask | __GFP_HIGHMEM);
 
-        si = swap_info_get(entry);
+        si = get_swap_device(entry);
         if (!si) {
                 /*
                  * An acceptable race has occurred since the failing
-                 * __swap_duplicate(): the swap entry has been freed,
-                 * perhaps even the whole swap_map cleared for swapoff.
+                 * __swap_duplicate(): the swap device may be swapoff
                  */
                 goto outer;
         }
+        spin_lock(&si->lock);
 
         offset = swp_offset(entry);
 
@@ -3450,9 +3540,8 @@ int add_swap_count_continuation(swp_entry_t entry, gfp_t gfp_mask)
         }
 
         if (!page) {
-                unlock_cluster(ci);
-                spin_unlock(&si->lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
         }
 
         /*
@@ -3504,10 +3593,11 @@ out_unlock_cont:
 out:
         unlock_cluster(ci);
         spin_unlock(&si->lock);
+        put_swap_device(si);
 outer:
         if (page)
                 __free_page(page);
-        return 0;
+        return ret;
 }
 
 /*