From: "Gong, Sishuai" <sishuai@purdue.edu>
To: "cl@linux.com" <cl@linux.com>,
"penberg@kernel.org" <penberg@kernel.org>,
"rientjes@google.com" <rientjes@google.com>,
"iamjoonsoo.kim@lge.com" <iamjoonsoo.kim@lge.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>
Cc: "linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Race: data race between shmem_getpage() and mapping_set_gfp_mask()
Date: Mon, 30 Nov 2020 18:14:29 +0000
Message-ID: <C952EC41-A297-478C-8700-9EC3C66B4AF7@purdue.edu>
Hi,
We found a data race in Linux kernel 5.3.11 that we are able to reproduce on x86 under specific interleavings. Currently, we are not sure about the consequence of this race, so we would like to confirm with the community whether this can be a harmful bug.
------------------------------------------
Writer site
/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/include/linux/pagemap.h:118
     98 }
     99
    100 static inline gfp_t mapping_gfp_mask(struct address_space * mapping)
    101 {
    102         return mapping->gfp_mask;
    103 }
    104
    105 /* Restricts the given gfp_mask to what the mapping allows. */
    106 static inline gfp_t mapping_gfp_constraint(struct address_space *mapping,
    107                 gfp_t gfp_mask)
    108 {
    109         return mapping_gfp_mask(mapping) & gfp_mask;
    110 }
    111
    112 /*
    113  * This is non-atomic. Only to be used before the mapping is activated.
    114  * Probably needs a barrier...
    115  */
    116 static inline void mapping_set_gfp_mask(struct address_space *m, gfp_t mask)
    117 {
==> 118         m->gfp_mask = mask;
    119 }
------------------------------------------
Reader site
/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/mm/shmem.c:139
    119
    120         return min(nr_pages - totalhigh_pages(), nr_pages / 2);
    121 }
    122 #endif
    123
    124 static bool shmem_should_replace_page(struct page *page, gfp_t gfp);
    125 static int shmem_replace_page(struct page **pagep, gfp_t gfp,
    126                 struct shmem_inode_info *info, pgoff_t index);
    127 static int shmem_swapin_page(struct inode *inode, pgoff_t index,
    128                 struct page **pagep, enum sgp_type sgp,
    129                 gfp_t gfp, struct vm_area_struct *vma,
    130                 vm_fault_t *fault_type);
    131 static int shmem_getpage_gfp(struct inode *inode, pgoff_t index,
    132                 struct page **pagep, enum sgp_type sgp,
    133                 gfp_t gfp, struct vm_area_struct *vma,
    134                 struct vm_fault *vmf, vm_fault_t *fault_type);
    135
    136 int shmem_getpage(struct inode *inode, pgoff_t index,
    137                 struct page **pagep, enum sgp_type sgp)
    138 {
==> 139         return shmem_getpage_gfp(inode, index, pagep, sgp,
    140                 mapping_gfp_mask(inode->i_mapping), NULL, NULL, NULL);
    141 }
------------------------------------------
Writer calling trace
- ksys_ioctl
-- do_vfs_ioctl
--- vfs_ioctl
---- blkdev_ioctl
----- __blkdev_driver_ioctl
------ loop_set_fd
------------------------------------------
Reader calling trace
- ksys_read
-- vfs_read
--- __vfs_read
---- shmem_getpage
Thanks,
Sishuai