Re: [PATCH] mm: swapfile: avoid split_swap_cluster() NULL pointer dereference
From: Huang, Ying
Date: Wed Sep 23 2020 - 01:13:56 EST
Rafael Aquini <aquini@xxxxxxxxxx> writes:
> On Wed, Sep 23, 2020 at 10:21:36AM +0800, Huang, Ying wrote:
>> Hi, Rafael,
>>
>> Rafael Aquini <aquini@xxxxxxxxxx> writes:
>>
>> > The swap area descriptor only gets struct swap_cluster_info *cluster_info
>> > allocated if the swapfile is backed by non-rotational storage.
>> > When the swap area is laid on top of ordinary disk spindles, lock_cluster()
>> > will naturally return NULL.
>>
>> Thanks for reporting. But the bug looks strange. Because in a system
>> with only HDD swap devices, during THP swap out, the swap cluster
>> shouldn't be allocated, as in
>>
>> shrink_page_list()
>> add_to_swap()
>> get_swap_page()
>> get_swap_pages()
>> swap_alloc_cluster()
>>
>
> The underlying problem is that swap_info_struct.cluster_info is always NULL
> on the rotational storage case.
Yes.
> So, it's very easy to follow that constructions
> like this one, in split_swap_cluster
>
> ...
> ci = lock_cluster(si, offset);
> cluster_clear_huge(ci);
> ...
>
> will go for a NULL pointer dereference, in that case, given that lock_cluster
> reads:
>
> ...
> struct swap_cluster_info *ci;
> ci = si->cluster_info;
> if (ci) {
> ci += offset / SWAPFILE_CLUSTER;
> spin_lock(&ci->lock);
> }
> return ci;
> ...
But on HDD, we shouldn't call split_swap_cluster() at all, because we
will not allocate swap cluster firstly. So, if we run into this,
there should be some other bug, we need to figure it out.
Best Regards,
Huang, Ying