From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36CA7CF9C5B for ; Tue, 24 Sep 2024 00:29:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id BAB806B007B; Mon, 23 Sep 2024 20:29:00 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B348D6B0083; Mon, 23 Sep 2024 20:29:00 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9AE4F6B0085; Mon, 23 Sep 2024 20:29:00 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 7DABF6B007B for ; Mon, 23 Sep 2024 20:29:00 -0400 (EDT) Received: from smtpin17.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 43F931C6F64 for ; Tue, 24 Sep 2024 00:29:00 +0000 (UTC) X-FDA: 82597746840.17.8164775 Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by imf15.hostedemail.com (Postfix) with ESMTP id 5D8BFA0004 for ; Tue, 24 Sep 2024 00:28:58 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=V0QYlVo6; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf15.hostedemail.com: domain of aha310510@gmail.com designates 209.85.216.41 as permitted sender) smtp.mailfrom=aha310510@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1727137607; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=IfGFG2zuOgkqW7Ma7oy1+jUoyJHiJGowMQv0QfB8uTQ=; b=DLGq0hbk2Vir7mHv6zEwfVn6wDwtpH4xgd7HXg6VPayQpAwtRBQDEoKMxdHK7DXyt24fKF ei1EJc0rNvkAq79zg/TmKjmKD+wx2JcNcdK9sCa2gByb7BVUrqX7QbR3q1q10j6pOjmY7b ASQQwaIHDoRAbI6rSw2KFE+kBr9k7Ww= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1727137607; a=rsa-sha256; cv=none; b=Yc8tJaTvM4dwOYFF7q+yvqsQ4whFkXPQvUT1Q7lK454uQ05h7HtwUr3qdsnRs7LL4qRpl1 +5GhBUy+lWi4YGTLFZqTiOx7+/9fS/QBXebjSoI0REzRNtnmHnukFqWh7H/rKY1PoQzynV sTyczz083/8zrDqxa4xL7MuMTYRbpSI= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=V0QYlVo6; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf15.hostedemail.com: domain of aha310510@gmail.com designates 209.85.216.41 as permitted sender) smtp.mailfrom=aha310510@gmail.com Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-2d889ba25f7so3358341a91.0 for ; Mon, 23 Sep 2024 17:28:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727137737; x=1727742537; darn=kvack.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=IfGFG2zuOgkqW7Ma7oy1+jUoyJHiJGowMQv0QfB8uTQ=; b=V0QYlVo6ygwaG2lnef/3iIYKZzyJSKQlFzQId5Ndgm2sGLkm36Drxxmaj7TehTOW0X 5rNxf/scB7Y9z5wgo2DSLsKpYrqaH4Bbt9hREVgthgvSKvbjJGdTLljDt0s0H24DH9aD jBKPuU5Q04xjL3qR73JM4OlaBn7NizW+h9RKBcXT6PjNeimKzFa1O5TwYjyZ4zyVJVL9 L7s0cwm+Q+9BZda1uJCx04Ww6Z3LiIOh5EdjqulB0Y66TSiW7NG7Pf+eblM84uTx1y95 R46qSjABg6A3+G6VVOVya6HcJ6vBA8hK5tK7pVqQlTy1hlebCfGrgMUugW/fzxpQbbF6 g/GA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727137737; x=1727742537; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=IfGFG2zuOgkqW7Ma7oy1+jUoyJHiJGowMQv0QfB8uTQ=; b=eXHYhspTlTVyXYz/DRDVCpaPGfmoTkAEtpxuKar5pOS2Hb0iL6PClfRrVK4cusXV4m 0cAodXTPeFWCzP2ZmV0fUJkD8VZ+Nc+buUuwEWEmo5ZTJJAGn5Yy/VYUxftfRYFiRLrY HhA8oAnLPX82yLdHBPit5rRB8dWHJ5javEUoYqfd9uFHFbayyzKHY04NZsu/OZQJ7nXO m+rSiR0kqb753h49oDwlerHU0PNlsc1siBvTOuKyQB1iGUv9wtBRB48mjCWKcy5R2KAw 1CVMVGa8CGzoPa217u89qgzOCzVomNZiVxi3xWnsIQP/2aH2ErV2Ip7It0/gVtJFVAJs YjaA== X-Forwarded-Encrypted: i=1; AJvYcCWhqED6jPJ6hX+ohyH/QKRHQxEfe091rVILLGI6dBjcsA9crO049ON1H2Oh9HllVnH2hAyZxMqKqA==@kvack.org X-Gm-Message-State: AOJu0YywwqCda/X3xsmlTUeijaNzMEYU2aQb6fjL2k/kbrEwJcqmpgMR aMDwMRqrvleQ99xp7a6gRvWfrZPuuVc5MreEWtARBjQeBf8yMgzx X-Google-Smtp-Source: AGHT+IHJ6bVoox5RfjPf3s1wHpqUJQTN6W5GRb1G3pAD6Ot3DCAoF1mAlcp62pFQM9xGobdcvbcrtw== X-Received: by 2002:a17:90b:4a8d:b0:2d8:8818:4d51 with SMTP id 98e67ed59e1d1-2dd7f36cb57mr17423004a91.7.1727137736945; Mon, 23 Sep 2024 17:28:56 -0700 (PDT) Received: from smtpclient.apple ([2001:e60:a02a:7af0:89b:3903:a61c:1a89]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2dd6ef3ede0sm10010465a91.46.2024.09.23.17.28.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 23 Sep 2024 17:28:56 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Jeongjun Park Mime-Version: 1.0 (1.0) Subject: Re: [PATCH] mm: migrate: fix data-race in migrate_folio_unmap() Date: Tue, 24 Sep 2024 09:28:44 +0900 Message-Id: References: Cc: David Hildenbrand , akpm@linux-foundation.org, wangkefeng.wang@huawei.com, ziy@nvidia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot In-Reply-To: To: Matthew Wilcox X-Mailer: iPhone Mail (21G93) X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 5D8BFA0004 X-Stat-Signature: 7hdnjogbh3uaaxc119f1z6i6w3gunfbx X-Rspam-User: X-HE-Tag: 1727137738-244203 X-HE-Meta: U2FsdGVkX1869U0q40WXZnksQixHHd/m9At0KbRqTaYT+EeyK0qgIlO+pLLW7mR/wQ53fVPR5a2yfGjw8bxSziOO3bsf/2CaspGr87eIXw4gbqjpuYNALtgKKCHl+S5Np3iw1IdQ3t2ZzgUNg0EmUlq3ljSf24iYIWD8OXknew3naEoOtwf977jlo5zR6cUWL8RSjiOR9pJ1ZmR4JxbdGBALu9sULzyxenh6K4QGRD6+VaQrRzzrEyxCCMm/Xh8VuCWQUmWgjU+uuflixoI/HRD8yJcWkgLG5J0Wzxm1HT3zYTeu2dkWtALleHo3M2jiWVDPMkKWx507wY0lciENMt57pzQXk8skBwSqLG+8BM6BJwB9Yg4I+fwSYrTH6mgLnBdOlZ1H7qMSCrfcGlkW/VK0AcLNXIl7eLE20WLimJxxLgHPxW4HxVQBClEqRoh6IkEqGQOHKbvAGjIfgkQfrh4haZZjPDHP1hBO7EzfeD/vcRyi2qphKwQJx9sqX2T5yFatDZdqemceDWQM/rApuHRZb9KiDIjciZnIRUHGZpizb4ptl6pP+EL4wmeMwWhJwrPKhjCgQKC8ULnZp0/Isbj/nZcYtl5lLg5USSHlOdSSItFCN9INsygu1Mg5ynqxcMjd0dpggKtKYXIjPfj1sJ6X7jYOmY8iqiLpSgUPlzcrUuwgtbFUSU05hocTZ+yiO2YrlpCzuniB41WJyaS+OAJHDM5tz61JQ1BgNmcCvvruXTR9n42snH5D+9K9XmWBoxcbRchlqEG/Wi9cwyo4l93pep5tFXvYeXyK3wSHN6fefwGuse9NzniaAoh/mUzfrJ6ZgmsAFTKmxp7F1EnK/uX9F5vmsea0+U2esJ/ShmJ48qVISqmjm6oGYdQZ2ALumBvK1prxvVTvKjZw19iDRe6LYftn12PSwGrS64C4RSEXNaougAn06rZm3X85zGoV9ELF9nEVxJn1eOkLpKM A0FUJ66g 0cz+xgdgpV9/zhtuieyZYL7cxgErwyOsW9Y4PKMa7j+MfjChGe6u1JhxoLXJhsK9/e55C2zYs0kATXn3OXYiCixxSXopxMF93gXj2i+dN3GBuHptFTm0y6wBmbEMEwQoF22nAuY/G6f95ZPtOjlBKs5v+4UbczXLSDDSDOhZ6XW1R/KGTEQWVbzz3czhCtcNQAQG3QWjlN8n7NZ9ptl3vZxzkKXciwxKYPuPDXfItxLeYCAumAsaO+K4JGwQH1E6zvEeHnnMJ9YCIQW+X5Gb4glGNqVjLWKLkM0ZadiTsidcjZ4wz5hfB/SW8bvfl5hb/GSqjzcAChPQqdmG9rHXhfi4K1V3OtQgZnxPAiXDqpTkMtc0RYIp5t1ajsITlrKQY8wq7CFwunE8DMuKDyU6oV3I0zuOvaE4Am7asxL/TbyW6GfSlBddS7EENjs+0f6/ZvIJgyvAtpbSMmZKnCk+wH4E4kuVomdsZpBlMCsDJjHpU3FG61EKyoyzX09JiSrep1BlrkR8fXNDIaEy5gFuCPIrhxYMa6xm57wEHXFUKLVbRFEO4WyMNKxA0ST2z90dvvS6P4VHhrl1V8d9oPDINnNZlIyT67rZnwJ4e8oeDPkA3UMJ5K8kXfWbFvMu01OP5/if/34Ua7+47JwUMwvsEYILeCtsjNm9drJ8D+JzgBgMzHzA= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: > Matthew Wilcox wrote: >=20 > =EF=BB=BFOn Mon, Sep 23, 2024 at 05:56:40PM +0200, David Hildenbrand wrote= : >>> On 22.09.24 17:17, Jeongjun Park wrote: >>> I found a report from syzbot [1] >>>=20 >>> When __folio_test_movable() is called in migrate_folio_unmap() to read >>> folio->mapping, a data race occurs because the folio is read without >>> protecting it with folio_lock. >>>=20 >>> This can cause unintended behavior because folio->mapping is initialized= >>> to a NULL value. Therefore, I think it is appropriate to call >>> __folio_test_movable() under the protection of folio_lock to prevent >>> data-race. >>=20 >> We hold a folio reference, would we really see PAGE_MAPPING_MOVABLE flip?= >> Hmm >=20 > No; this shows a page cache folio getting truncated. It's fine; really > a false alarm from the tool. I don't think the proposed patch > introduces any problems, but it's all a bit meh. >=20 Well, I still don't understand why it's okay to read folio->mapping=20 without folio_lock . Since migrate_folio_unmap() is already protected=20 by folio_lock , I think it's definitely necessary to fix it to read=20 folio->mapping under folio_lock protection. If it were still okay to=20 call __folio_test_movable() without folio_lock , then we could=20 annotate data-race, but I'm still not sure if this is a good way=20 to do it. Regards, Jeongjun Park >> Even a racing __ClearPageMovable() would still leave PAGE_MAPPING_MOVABLE= >> set. >>=20 >>> [1] >>>=20 >>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>> BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch >>>=20 >>> write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: >>> page_cache_delete mm/filemap.c:153 [inline] >>> __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 >>> filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 >>> truncate_inode_folio+0x42/0x50 mm/truncate.c:178 >>> shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 >>> shmem_truncate_range mm/shmem.c:1144 [inline] >>> shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 >>> evict+0x2f0/0x580 fs/inode.c:731 >>> iput_final fs/inode.c:1883 [inline] >>> iput+0x42a/0x5b0 fs/inode.c:1909 >>> dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 >>> __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 >>> dput+0x5c/0xd0 fs/dcache.c:857 >>> __fput+0x3fb/0x6d0 fs/file_table.c:439 >>> ____fput+0x1c/0x30 fs/file_table.c:459 >>> task_work_run+0x13a/0x1a0 kernel/task_work.c:228 >>> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] >>> exit_to_user_mode_loop kernel/entry/common.c:114 [inline] >>> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] >>> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] >>> syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 >>> do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 >>> entry_SYSCALL_64_after_hwframe+0x77/0x7f >>>=20 >>> read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: >>> __folio_test_movable include/linux/page-flags.h:699 [inline] >>> migrate_folio_unmap mm/migrate.c:1199 [inline] >>> migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 >>> migrate_pages_sync mm/migrate.c:1963 [inline] >>> migrate_pages+0xff1/0x1820 mm/migrate.c:2072 >>> do_mbind mm/mempolicy.c:1390 [inline] >>> kernel_mbind mm/mempolicy.c:1533 [inline] >>> __do_sys_mbind mm/mempolicy.c:1607 [inline] >>> __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 >>> __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 >>> x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h= :238 >>> do_syscall_x64 arch/x86/entry/common.c:52 [inline] >>> do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 >>> entry_SYSCALL_64_after_hwframe+0x77/0x7f >>>=20 >>> value changed: 0xffff888127601078 -> 0x0000000000000000 >>=20 >> Note that this doesn't flip PAGE_MAPPING_MOVABLE, just some unrelated bit= s. >>=20 >>>=20 >>> Reported-by: syzbot >>> Cc: stable@vger.kernel.org >>> Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") >>> Signed-off-by: Jeongjun Park >>> --- >>> mm/migrate.c | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>>=20 >>> diff --git a/mm/migrate.c b/mm/migrate.c >>> index 923ea80ba744..e62dac12406b 100644 >>> --- a/mm/migrate.c >>> +++ b/mm/migrate.c >>> @@ -1118,7 +1118,7 @@ static int migrate_folio_unmap(new_folio_t get_new= _folio, >>> int rc =3D -EAGAIN; >>> int old_page_state =3D 0; >>> struct anon_vma *anon_vma =3D NULL; >>> - bool is_lru =3D !__folio_test_movable(src); >>> + bool is_lru; >>> bool locked =3D false; >>> bool dst_locked =3D false; >>> @@ -1172,6 +1172,7 @@ static int migrate_folio_unmap(new_folio_t get_new= _folio, >>> locked =3D true; >>> if (folio_test_mlocked(src)) >>> old_page_state |=3D PAGE_WAS_MLOCKED; >>> + is_lru =3D !__folio_test_movable(src); >>=20 >>=20 >> Looks straight forward, though >>=20 >> Acked-by: David Hildenbrand >>=20 >>=20 >> -- >> Cheers, >>=20 >> David / dhildenb >>=20