From: Jeongjun Park
Subject: Re: [PATCH v2] mm: swap: prevent possible data-race in __try_to_reclaim_swap
Date: Mon, 14 Oct 2024 13:08:29 +0900
Message-Id: <8C4EFDA4-A286-40C9-8F96-BD3EE07D6C45@gmail.com>
To: Kairui Song, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com

> Kairui Song wrote:
>
> On Mon, Oct 14, 2024 at 10:17 AM Jeongjun Park wrote:
>>> Kairui Song wrote:
>>>
>>> On Mon, Oct 7, 2024 at 3:06 PM Jeongjun Park wrote:
>>>>
>>>> A report [1] was uploaded from syzbot.
>>>>
>>>> In the previous commit 862590ac3708 ("mm: swap: allow cache reclaim to skip
>>>> slot cache"), the __try_to_reclaim_swap() function reads offset and folio->entry
>>>> from folio without folio_lock protection.
>>>>
>>>> In the currently reported KCSAN log, it is assumed that the actual data-race
>>>> will not occur because the calltrace that does WRITE already obtains the
>>>> folio_lock and then writes.
>>>>
>>>> However, the existing __try_to_reclaim_swap() function was already implemented
>>>> to perform reads under folio_lock protection [1], and there is a risk of a
>>>> data-race occurring through a function other than the one shown in the KCSAN
>>>> log.
>>>>
>>>> Therefore, I think it is appropriate to change read operations for
>>>> folio to be performed under folio_lock.
>>>>
>>>> [1]
>>>>
>>>> ==================================================================
>>>> BUG: KCSAN: data-race in __delete_from_swap_cache / __try_to_reclaim_swap
>>>>
>>>> write to 0xffffea0004c90328 of 8 bytes by task 5186 on cpu 0:
>>>>  __delete_from_swap_cache+0x1f0/0x290 mm/swap_state.c:163
>>>>  delete_from_swap_cache+0x72/0xe0 mm/swap_state.c:243
>>>>  folio_free_swap+0x1d8/0x1f0 mm/swapfile.c:1850
>>>>  free_swap_cache mm/swap_state.c:293 [inline]
>>>>  free_pages_and_swap_cache+0x1fc/0x410 mm/swap_state.c:325
>>>>  __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
>>>>  tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
>>>>  tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
>>>>  tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:373
>>>>  zap_pte_range mm/memory.c:1700 [inline]
>>>>  zap_pmd_range mm/memory.c:1739 [inline]
>>>>  zap_pud_range mm/memory.c:1768 [inline]
>>>>  zap_p4d_range mm/memory.c:1789 [inline]
>>>>  unmap_page_range+0x1f3c/0x22d0 mm/memory.c:1810
>>>>  unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
>>>>  unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
>>>>  exit_mmap+0x18a/0x690 mm/mmap.c:1864
>>>>  __mmput+0x28/0x1b0 kernel/fork.c:1347
>>>>  mmput+0x4c/0x60 kernel/fork.c:1369
>>>>  exit_mm+0xe4/0x190 kernel/exit.c:571
>>>>  do_exit+0x55e/0x17f0 kernel/exit.c:926
>>>>  do_group_exit+0x102/0x150 kernel/exit.c:1088
>>>>  get_signal+0xf2a/0x1070 kernel/signal.c:2917
>>>>  arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
>>>>  exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
>>>>  exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
>>>>  __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
>>>>  syscall_exit_to_user_mode+0x59/0x130 kernel/entry/common.c:218
>>>>  do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
>>>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>>
>>>> read to 0xffffea0004c90328 of 8 bytes by task 5189 on cpu 1:
>>>>  __try_to_reclaim_swap+0x9d/0x510 mm/swapfile.c:198
>>>>  free_swap_and_cache_nr+0x45d/0x8a0 mm/swapfile.c:1915
>>>>  zap_pte_range mm/memory.c:1656 [inline]
>>>>  zap_pmd_range mm/memory.c:1739 [inline]
>>>>  zap_pud_range mm/memory.c:1768 [inline]
>>>>  zap_p4d_range mm/memory.c:1789 [inline]
>>>>  unmap_page_range+0xcf8/0x22d0 mm/memory.c:1810
>>>>  unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
>>>>  unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
>>>>  exit_mmap+0x18a/0x690 mm/mmap.c:1864
>>>>  __mmput+0x28/0x1b0 kernel/fork.c:1347
>>>>  mmput+0x4c/0x60 kernel/fork.c:1369
>>>>  exit_mm+0xe4/0x190 kernel/exit.c:571
>>>>  do_exit+0x55e/0x17f0 kernel/exit.c:926
>>>>  __do_sys_exit kernel/exit.c:1055 [inline]
>>>>  __se_sys_exit kernel/exit.c:1053 [inline]
>>>>  __x64_sys_exit+0x1f/0x20 kernel/exit.c:1053
>>>>  x64_sys_call+0x2d46/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:61
>>>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>>>  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
>>>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>>>
>>>> value changed: 0x0000000000000242 -> 0x0000000000000000
>>>>
>>>> Reported-by: syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com
>>>> Fixes: 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache")
>>>> Signed-off-by: Jeongjun Park
>>>> ---
>>>>  mm/swapfile.c | 7 ++++---
>>>>  1 file changed, 4 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/mm/swapfile.c b/mm/swapfile.c
>>>> index 0cded32414a1..eb782fcd5627 100644
>>>> --- a/mm/swapfile.c
>>>> +++ b/mm/swapfile.c
>>>> @@ -194,9 +194,6 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
>>>>         if (IS_ERR(folio))
>>>>                 return 0;
>>>>
>>>> -       /* offset could point to the middle of a large folio */
>>>> -       entry = folio->swap;
>>>> -       offset = swp_offset(entry);
>>>>         nr_pages = folio_nr_pages(folio);
>>>>         ret = -nr_pages;
>>>>
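Review bot: after this hunk removes the `entry`/`offset` reads, `nr_pages = folio_nr_pages(folio);` and `ret = -nr_pages;` are still evaluated before `folio_trylock()`, so the "read folio state only under the folio lock" rule the commit message argues for is applied to `folio->swap` alone. If reading the folio size without the lock is safe because the folio cannot be split while the reference returned by the lookup is held, a one-line comment above `nr_pages = folio_nr_pages(folio);` saying so would stop the next reader from asking the same question; if that guarantee is not relied on, move those two lines below the trylock together with the entry read so every folio field the function acts on is read under the same lock.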
>>>> @@ -210,6 +207,10 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
>>>>         if (!folio_trylock(folio))
>>>>                 goto out;
>>>>
>>>> +       /* offset could point to the middle of a large folio */
>>>> +       entry = folio->swap;
>>>> +       offset = swp_offset(entry);
>>>> +
>>>>         need_reclaim = ((flags & TTRS_ANYWAY) ||
>>>>                         ((flags & TTRS_UNMAPPED) && !folio_mapped(folio)) ||
>>>>                         ((flags & TTRS_FULL) && mem_cgroup_swap_full(folio)));
>>>> --
>>>
>>> Reviewed-by: Kairui Song
>>>
>>> Hi Andrew,
>>>
>>> Will this be added to stable and 6.12? 862590ac3708 is already in 6.12
>>> and this fixes a potential issue of it.
>>
>> As far as I can see, commit 862590ac3708 was applied starting
>> from 6.12-rc1, so it looks like no additional commits are needed
>> for the stable version.
>
> Hi, sorry for the confusion, I meant mm-stable, not the stable branch.
> It's better to merge this in 6.12.

I agree with you. I think this vulnerability should be fixed quickly,
so it should be applied directly to the next rc version, not the next
tree. However, this vulnerability does not affect the stable
version, so I think it is appropriate to move this patch to the
mm-hotfixes-unstable tree. What do you think, Andrew?

Regards,
Jeongjun Park

>
>> Regards,
>>
>> Jeongjun Park
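Review bot: on the second hunk (@@ -210,6 +207,10 @@), `entry = folio->swap;` is now read under the lock, but the folio can already have been removed from the swap cache between the lookup and the trylock (the report's write in `__delete_from_swap_cache` changes the value 0x242 -> 0), so the locked read can legitimately yield a zero entry and `offset = swp_offset(entry);` then points at slot 0. Nothing in the hunk checks `entry` or the folio's swap-cache state before `need_reclaim` is computed; either state in the comment that the checks below the hunk reject a folio that is no longer in the swap cache, or add a `folio_test_swapcache(folio)` check next to the new reads and `goto out_unlock` when it fails. Also, the commit message says the function "reads offset and folio->entry", while the field moved here is `folio->swap`; align the wording with the code.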
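The ordering issue the commit message describes, as an added single-threaded model rather than kernel code: a folio's `swap` field is read once before and once after a trylock, with the concurrent `__delete_from_swap_cache` step injected through a callback so the interleaving from the KCSAN report (0x242 -> 0) can be reproduced deterministically. The struct, the boolean lock, `swp_offset()`'s mask and the `in_swapcache` recheck are simplified stand-ins for the kernel's folio lock bit, `folio->swap`, `swp_offset()` and the swap-cache checks that follow the trylock in the real function; none of them is the real definition.

```c
/*
 * Added example, not kernel code: a single-threaded model of reading
 * folio->swap before versus after folio_trylock(). The types, the lock
 * and the offset encoding are assumptions standing in for the kernel's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct { uint64_t val; } swp_entry_t;

/* Toy encoding (assumption): the offset lives in the low bits. */
#define SWP_OFFSET_MASK ((1ULL << 58) - 1)
static uint64_t swp_offset(swp_entry_t e) { return e.val & SWP_OFFSET_MASK; }

struct folio {
	bool locked;          /* stands in for the folio lock bit */
	bool in_swapcache;    /* stands in for the swap-cache flag */
	swp_entry_t swap;     /* folio->swap: meaningful only while cached */
};

/* Non-blocking acquire with folio_trylock() semantics. */
static bool folio_trylock(struct folio *f)
{
	if (f->locked)
		return false;
	f->locked = true;
	return true;
}
static void folio_unlock(struct folio *f) { f->locked = false; }

/* Writer side, as __delete_from_swap_cache() does under the folio lock:
 * drop the swap-cache state and clear folio->swap (the 0x242 -> 0 store). */
static void delete_from_swap_cache(struct folio *f)
{
	if (!folio_trylock(f))
		return;              /* model only: the real writer sleeps on the lock */
	f->in_swapcache = false;
	f->swap.val = 0;
	folio_unlock(f);
}

/* Point at which the concurrent writer may run; NULL means no interference. */
typedef void (*step_fn)(struct folio *);

/* Shape before the patch: folio->swap is read before the trylock.
 * Returns the offset the caller would go on to reclaim, or -1 if it bails. */
static int64_t reclaim_read_before_lock(struct folio *f, step_fn writer)
{
	swp_entry_t entry = f->swap;               /* unlocked read */
	uint64_t offset = swp_offset(entry);
	if (writer)
		writer(f);                         /* writer runs, releases lock */
	if (!folio_trylock(f))
		return -1;
	/* 'offset' is stale relative to the folio state, and nothing notices. */
	folio_unlock(f);
	return (int64_t)offset;
}

/* Shape after the patch: trylock first, then read folio->swap, so the entry
 * is consistent with the swap-cache state checked under the same lock. */
static int64_t reclaim_read_under_lock(struct folio *f, step_fn writer)
{
	if (writer)
		writer(f);
	if (!folio_trylock(f))
		return -1;
	swp_entry_t entry = f->swap;               /* read under the lock */
	uint64_t offset = swp_offset(entry);
	bool cached = f->in_swapcache;             /* modelled swap-cache recheck */
	folio_unlock(f);
	return cached ? (int64_t)offset : -1;
}

/* Constructed folio in the state the report shows before the write. */
static struct folio make_cached_folio(void)
{
	struct folio f = { .locked = false, .in_swapcache = true,
			   .swap = { .val = 0x242 } };
	return f;
}
```

With no writer both shapes return offset 0x242; with the writer injected between lookup and trylock, the pre-patch shape still returns 0x242 for a folio that is no longer in the swap cache, while the post-patch shape sees the cleared entry and bails. A folio whose lock is already held makes both shapes return -1, which is the `goto out` path in the hunk.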