From: Muchun Song <muchun.song@linux.dev>
To: Kefeng Wang
Cc: Andrew Morton, Linux MM, Qian Cai, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm: fix pgdat->kswap accessed concurrently
Date: Sat, 20 Aug 2022 15:33:04 +0800
Message-Id: <1E87F09C-4904-49E2-B45C-C408DD5F6F62@linux.dev>
In-Reply-To: <20220820032506.126860-1-wangkefeng.wang@huawei.com>
References: <20220820032506.126860-1-wangkefeng.wang@huawei.com>

> On Aug 20, 2022, at 11:25, Kefeng Wang wrote:
> 
> The pgdat->kswapd could be accessed concurrently by kswapd_run() and
> kcompactd(); it isn't protected by any lock, which leads to the
> following null-ptr-deref:
> 
> vmscan: Failed to start kswapd on node 0
> ...
> BUG: KASAN: null-ptr-deref in kcompactd+0x440/0x504
> Read of size 8 at addr 0000000000000024 by task kcompactd0/37
> 
> CPU: 0 PID: 37 Comm: kcompactd0 Kdump: loaded Tainted: G OE 5.10.60 #1
> Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
> Call trace:
> dump_backtrace+0x0/0x394
> show_stack+0x34/0x4c
> dump_stack+0x158/0x1e4
> __kasan_report+0x138/0x140
> kasan_report+0x44/0xdc
> __asan_load8+0x94/0xd0
> kcompactd+0x440/0x504
> kthread+0x1a4/0x1f0
> ret_from_fork+0x10/0x18
> 
> Fix it by adding READ_ONCE()|WRITE_ONCE().
> 
> Signed-off-by: Kefeng Wang
> ---
> mm/compaction.c | 4 +++-
> mm/vmscan.c | 15 +++++++++------
> 2 files changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/mm/compaction.c b/mm/compaction.c
> index 640fa76228dd..aa1cfe47f046 100644
> --- a/mm/compaction.c
> +++ b/mm/compaction.c
> @@ -1983,7 +1983,9 @@ static inline bool is_via_compact_memory(int order)
> 
> static bool kswapd_is_running(pg_data_t *pgdat)
> {
> - return pgdat->kswapd && task_is_running(pgdat->kswapd);
> + struct task_struct *t = READ_ONCE(pgdat->kswapd);
> +
> + return t && task_is_running(t);
> }
> 
> /*
> diff --git a/mm/vmscan.c b/mm/vmscan.c
> index b2b1431352dc..9abba714249e 100644
> --- a/mm/vmscan.c
> +++ b/mm/vmscan.c
> @@ -4642,16 +4642,19 @@ unsigned long shrink_all_memory(unsigned long nr_to_reclaim)
> void kswapd_run(int nid)
> {
> pg_data_t *pgdat = NODE_DATA(nid);
> + struct task_struct *t;
> 
> - if (pgdat->kswapd)
> + if (READ_ONCE(pgdat->kswapd))
> return;
> 
> - pgdat->kswapd = kthread_run(kswapd, pgdat, "kswapd%d", nid);
> - if (IS_ERR(pgdat->kswapd)) {
> + t = kthread_run(kswapd, pgdat, "kswapd%d", nid);
> + if (IS_ERR(t)) {
> /* failure at boot is fatal */
> BUG_ON(system_state < SYSTEM_RUNNING);
> pr_err("Failed to start kswapd on node %d\n", nid);
> - pgdat->kswapd = NULL;
> + WRITE_ONCE(pgdat->kswapd, NULL);
> + } else {
> + WRITE_ONCE(pgdat->kswapd, t);
> }
> }

IIUC, the race is like the following:

CPU 0:                                   CPU 1:
kswapd_run()
  pgdat->kswapd = kthread_run()
  if (IS_ERR(pgdat->kswapd))
                                         kswapd_is_running
                                           // load pgdat->kswapd and it is NOT NULL.
    pgdat->kswapd = NULL
                                           task_is_running(pgdat->kswapd); // NULL pointer dereference

So Reviewed-by: Muchun Song

Thanks.

> 
> @@ -4661,11 +4664,11 @@ void kswapd_run(int nid)
> */
> void kswapd_stop(int nid)
> {
> - struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
> + struct task_struct *kswapd = READ_ONCE(NODE_DATA(nid)->kswapd);
> 
> if (kswapd) {
> kthread_stop(kswapd);
> - NODE_DATA(nid)->kswapd = NULL;
> + WRITE_ONCE(NODE_DATA(nid)->kswapd, NULL);
> }
> }
> 
> -- 
> 2.35.3
> 
> 
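Review bot: in the mm/compaction.c hunk, READ_ONCE() in kswapd_is_running() does remove the second load that the KASAN report shows dereferencing NULL, but `t` is still dereferenced by task_is_running(t) with nothing keeping that task alive: the kswapd_stop() hunk in this same patch calls kthread_stop() and clears the field on another CPU, so after the snapshot the thread can exit and its task_struct be released before task_is_running(t) runs. READ_ONCE() closes the NULL-deref window but not this lifetime window; a lock held across the whole check, or a task reference taken before the dereference, would be needed for that, and the commit message should state which of the two races the patch is meant to fix.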
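Review bot: in the kswapd_run() hunk, now that the kthread_run() result is held in `t` and only stored on success, the `WRITE_ONCE(pgdat->kswapd, NULL);` in the failure branch is a dead store: the field was NULL at the `READ_ONCE(pgdat->kswapd)` check at the top and is never assigned in between, so either drop it or say why it is kept. The check at the top and the store at the bottom are also still not one atomic step, so two callers of kswapd_run() for the same nid could both pass the NULL check and each start a thread; if callers are serialized elsewhere, a comment saying so would help the next reader.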
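Review bot: the kswapd_stop() hunk converts a path that the commit message never mentions; the message only describes the kswapd_run()/kcompactd() race, so add a sentence that the stop path is switched to READ_ONCE()/WRITE_ONCE() on the same field for consistency, otherwise the hunk reads as unrelated. Note too that this hunk is where the lifetime concern in kswapd_is_running() comes from: the task is stopped and the field cleared here while another CPU may already hold its snapshot, and READ_ONCE() on this side does nothing to change that.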
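The interleaving Muchun sketches above, as an added user-space model that is neither kernel code nor part of this thread: `struct node` and `struct task` are stand-ins for pg_data_t and task_struct, the other CPU's step is injected through a callback, and READ_ONCE()/WRITE_ONCE() are reduced to volatile accesses. It goes one step beyond the thread's case by also modelling a concurrent kswapd_stop(), which the single snapshot does not protect against.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model of the race in this thread, not kernel code:
 * `struct node` stands in for pg_data_t and `struct task` for task_struct. */
struct task { bool freed; };
struct node { struct task *kswapd; };
/* Stand-ins for the kernel's READ_ONCE()/WRITE_ONCE(): one volatile access each. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
enum outcome { RESULT_OK, NULL_DEREF, USE_AFTER_FREE };
typedef void (*other_cpu_fn)(struct node *);  /* what CPU 1 does between CPU 0's steps */
/* CPU 1 in the pre-patch kswapd_run() failure path: stores NULL over the field. */
static void cpu1_run_fails(struct node *n) { WRITE_ONCE(n->kswapd, NULL); }

/* CPU 1 in kswapd_stop(): clears the field, and the stopped thread's task goes away. */
static void cpu1_stop(struct node *n)
{
    struct task *t = READ_ONCE(n->kswapd);
    WRITE_ONCE(n->kswapd, NULL);
    t->freed = true;  /* models the task_struct being released after kthread_stop() */
}

/* kswapd_is_running() before the patch: pgdat->kswapd is loaded twice. */
static enum outcome check_double_load(struct node *n, other_cpu_fn other)
{
    if (!n->kswapd) return RESULT_OK;  /* load 1 sees a non-NULL value */
    other(n);                           /* CPU 1 interleaves here */
    struct task *t = n->kswapd;         /* load 2, inside task_is_running(pgdat->kswapd) */
    if (!t) return NULL_DEREF;          /* the KASAN report in the thread */
    return t->freed ? USE_AFTER_FREE : RESULT_OK;
}

/* kswapd_is_running() after the patch: one READ_ONCE() snapshot, then task_is_running(t). */
static enum outcome check_snapshot(struct node *n, other_cpu_fn other)
{
    struct task *t = READ_ONCE(n->kswapd);
    if (!t) return RESULT_OK;
    other(n);
    return t->freed ? USE_AFTER_FREE : RESULT_OK;
}

/* Runs one interleaving on a fresh node; a valid task stands where the real first
 * load saw kthread_run()'s error value, which keeps the model well-defined. */
enum outcome run_scenario(bool patched, bool other_is_stop)
{
    struct task kswapd = { .freed = false };
    struct node n = { .kswapd = &kswapd };
    other_cpu_fn other = other_is_stop ? cpu1_stop : cpu1_run_fails;
    return patched ? check_snapshot(&n, other) : check_double_load(&n, other);
}
```

run_scenario(false, false) reproduces the reported NULL dereference and run_scenario(true, false) shows the patch avoiding it; run_scenario(true, true) shows the snapshot version still touching a task that kswapd_stop() has already torn down.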