From: David Hildenbrand <david@redhat.com>
Organization: Red Hat
To: Kefeng Wang, Andrew Morton, linux-mm@kvack.org
Cc: muchun.song@linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] mm: fix null-ptr-deref in kswapd_is_running()
Date: Wed, 24 Aug 2022 09:56:09 +0200
Message-ID: <38e227e1-63f4-4aa4-e05c-c47c3345a60f@redhat.com>
In-Reply-To: <20220824071909.192535-1-wangkefeng.wang@huawei.com>
References: <20220824071909.192535-1-wangkefeng.wang@huawei.com>
On 24.08.22 09:19, Kefeng Wang wrote:
> kswapd_run/stop() will set pgdat->kswapd to NULL, which
> could race with kswapd_is_running() in kcompactd():
>
>   kswapd_run/stop()          kcompactd()
>                                kswapd_is_running()
>                                  if (pgdat->kswapd)             // load non-NULL pgdat->kswapd
>     pgdat->kswapd = NULL
>                                  task_is_running(pgdat->kswapd) // null pointer dereference
>
> The KASAN report of the null-ptr-deref is shown below:
>
>   vmscan: Failed to start kswapd on node 0
>   ...
>   BUG: KASAN: null-ptr-deref in kcompactd+0x440/0x504
>   Read of size 8 at addr 0000000000000024 by task kcompactd0/37
>
>   CPU: 0 PID: 37 Comm: kcompactd0 Kdump: loaded Tainted: G  OE  5.10.60 #1
>   Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
>   Call trace:
>    dump_backtrace+0x0/0x394
>    show_stack+0x34/0x4c
>    dump_stack+0x158/0x1e4
>    __kasan_report+0x138/0x140
>    kasan_report+0x44/0xdc
>    __asan_load8+0x94/0xd0
>    kcompactd+0x440/0x504
>    kthread+0x1a4/0x1f0
>    ret_from_fork+0x10/0x18
>
> For the race between kswapd_run() and kcompactd(), add a temporary value
> when creating the kthread, and only set pgdat->kswapd if kthread_run()
> returns a successful task_struct, to fix the issue.
>
> For the race between kswapd_stop() and kcompactd(), let's call kcompactd_stop()
> before kswapd_stop() to fix the issue.
>
> Signed-off-by: Kefeng Wang
> ---
>  mm/memory_hotplug.c | 2 +-
>  mm/vmscan.c         | 8 +++++---
>  2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
> index fad6d1f2262a..2fd45ccbce45 100644
> --- a/mm/memory_hotplug.c
> +++ b/mm/memory_hotplug.c
> @@ -1940,8 +1940,8 @@ int __ref offline_pages(unsigned long start_pfn, unsigned long nr_pages,
>
>  	node_states_clear_node(node, &arg);
>  	if (arg.status_change_nid >= 0) {
> -		kswapd_stop(node);
>  		kcompactd_stop(node);
> +		kswapd_stop(node);
>  	}

This looks just fragile to randomly break again in the future when people
work on this code without being aware of this condition. Or once with
other (future?) kswapd_is_running() users.

We at least need some comment explaining that the order here matters and
why.

But I do wonder if we can't handle it in a cleaner, more obvious, way.
kswapd_start()/kswapd_stop() should have a proper way to synchronize with
kswapd_is_running(). Just the matter of finding a suitable locking
primitive :)

-- 
Thanks,

David / dhildenb
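Review bot: the swapped order of `kcompactd_stop(node);` and `kswapd_stop(node);` in the offline_pages() hunk is the only thing keeping kcompactd from reading pgdat->kswapd after kswapd_stop() clears it, and nothing in the hunk records that dependency, so a later reorder would silently reintroduce the null-ptr-deref described in the commit message. At minimum add a comment above `kcompactd_stop(node);` along the lines of `/* kcompactd calls kswapd_is_running(); stop it before kswapd_stop() clears pgdat->kswapd */`. Better, make kswapd_stop() itself serialize against kswapd_is_running() (a lock over pgdat->kswapd, taken by both the writers and the reader) so that the fix does not depend on caller ordering at each call site.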
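To make the race in the quoted description concrete, here is a constructed, single-threaded C model added for this page; it is not code from the patch or from the kernel. A function-pointer "preemption point" stands in for another CPU running kswapd_stop() between the two loads of pgdat->kswapd in the racy check; the synchronized variant holds a lock across check and use and reads the pointer once into a local. The lock is modelled as a plain bool (not a kernel primitive), and task_struct, pgdat, kswapd_lock, kswapd_stop_model, preempt_with_stop and run_scenario are this example's own names. The racy variant is instrumented to return -1 at the point where the kernel would dereference NULL, so the harness survives to report it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed single-threaded model of the kswapd_is_running() race;
 * these are not the kernel's definitions. */
struct task_struct { int state; };          /* 0 stands for TASK_RUNNING */

struct pgdat {
    struct task_struct *kswapd;  /* NULL when no kswapd thread exists */
    bool kswapd_lock;            /* hypothetical lock guarding ->kswapd */
};

static bool task_is_running(const struct task_struct *t)
{
    return t->state == 0;
}

/* A preemption point: where, on real hardware, kswapd_stop() on another
 * CPU could run between two instructions of the reader. */
typedef void (*preempt_fn)(struct pgdat *);

/* Model of kswapd_stop(): clears pgdat->kswapd, but only if it can take
 * the lock. Returning false stands in for "blocked until the reader is
 * done" (the model does not retry; a real lock would wait). */
bool kswapd_stop_model(struct pgdat *pgdat)
{
    if (pgdat->kswapd_lock)
        return false;
    pgdat->kswapd_lock = true;
    pgdat->kswapd = NULL;
    pgdat->kswapd_lock = false;
    return true;
}

static void preempt_with_stop(struct pgdat *pgdat)
{
    (void)kswapd_stop_model(pgdat);
}

/* Unsynchronized check, as in the report: two separate loads of
 * pgdat->kswapd. Returns -1 where the kernel would dereference NULL. */
int kswapd_is_running_racy(struct pgdat *pgdat, preempt_fn preempt)
{
    if (pgdat->kswapd) {          /* load 1 sees a non-NULL pointer */
        preempt(pgdat);           /* kswapd_stop() runs here */
        if (!pgdat->kswapd)       /* load 2 sees NULL: null-ptr-deref */
            return -1;
        return task_is_running(pgdat->kswapd) ? 1 : 0;
    }
    return 0;
}

/* Synchronized check: hold the lock across check and use, and read the
 * pointer once so both steps act on the same value. */
int kswapd_is_running_locked(struct pgdat *pgdat, preempt_fn preempt)
{
    struct task_struct *kswapd;
    bool running;

    pgdat->kswapd_lock = true;
    kswapd = pgdat->kswapd;       /* single load */
    preempt(pgdat);               /* stopper cannot clear ->kswapd now */
    running = kswapd && task_is_running(kswapd);
    pgdat->kswapd_lock = false;
    return running ? 1 : 0;
}

/* Drives both variants through the same interleaving. Returns 0 on the
 * expected outcome, otherwise a code naming the first mismatch. */
int run_scenario(void)
{
    struct task_struct t = { 0 };
    struct pgdat pgdat = { &t, false };

    if (kswapd_is_running_racy(&pgdat, preempt_with_stop) != -1)
        return 1;                 /* racy variant should have hit NULL */

    pgdat.kswapd = &t;            /* restart the model thread */
    if (kswapd_is_running_locked(&pgdat, preempt_with_stop) != 1)
        return 2;                 /* reader still saw the live thread */
    if (pgdat.kswapd != &t)
        return 3;                 /* stop was deferred, not lost */

    if (!kswapd_stop_model(&pgdat))
        return 4;                 /* lock is free now, stop proceeds */
    if (kswapd_is_running_locked(&pgdat, preempt_with_stop) != 0)
        return 5;                 /* after stop, reports not running */
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario result: %d (0 = race reproduced, locked variant safe)\n", rc);
    return rc;
}
```

The point of the model is the second variant: once both kswapd_stop() and the reader take the same lock, the order in which offline_pages() calls kcompactd_stop() and kswapd_stop() no longer matters for correctness, which is what the reply above asks for instead of an ordering that future callers must remember.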