From: Dmitry Vyukov
Date: Mon, 24 Apr 2023 15:49:04 +0200
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in __filemap_remove_folio / folio_mapping (2)
To: Matthew Wilcox
Cc: syzbot, djwong@kernel.org, hch@infradead.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <000000000000d0737c05fa0fd499@google.com>

On Mon, 24 Apr 2023 at 15:21, Matthew Wilcox wrote:
>
> On Mon, Apr 24, 2023 at 09:38:43AM +0200, Dmitry Vyukov wrote:
> > On Mon, 24 Apr 2023 at 09:19, syzbot wrote:
> > If I am reading this correctly, it can lead to NULL derefs in
> > folio_mapping() if folio->mapping is read twice. I think
> > folio->mapping reads/writes need to use READ/WRITE_ONCE if racy.
>
> You aren't reading it correctly.
>
>         mapping = folio->mapping;
>         if ((unsigned long)mapping & PAGE_MAPPING_FLAGS)
>                 return NULL;
>
>         return mapping;
>
> The racing write is storing NULL. So it might return NULL or it might
> return the old mapping, or it might return NULL. Either way, the caller
> has to be prepared for NULL to be returned.
>
> It's a false positive, but probably worth silencing with a READ_ONCE().

Yes, but the end of the function does not limit effects of races. I
think this can still crash on NULL deref.

The simplest example would be to compile this:

struct address_space *folio_mapping(struct folio *folio)
{
        ...
        mapping = folio->mapping;
        if ((unsigned long)mapping & PAGE_MAPPING_FLAGS)
                return NULL;
        return mapping;
}

ret = !mapping_unevictable(folio_mapping(folio)) &&
        !folio_test_mlocked(folio);

static inline bool mapping_unevictable(struct address_space *mapping)
{
        return mapping && test_bit(AS_UNEVICTABLE, &mapping->flags);
}

to this:

if (!((unsigned long)folio->mapping & PAGE_MAPPING_FLAGS) && folio->mapping)
        if (test_bit(AS_UNEVICTABLE, &folio->mapping->flags))

which does crash.
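
Added example, not part of the original message or the kernel source: a deterministic userspace C model of the compilation described above, in which every load of folio->mapping goes through a hook so the racing NULL store can be placed between specific loads. load_mapping(), stale_loads, would_crash(), AS_UNEVICTABLE_MASK and the userspace READ_ONCE() macro are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-ins for kernel definitions; the values are assumptions of this sketch. */
#define PAGE_MAPPING_FLAGS 0x3UL
#define AS_UNEVICTABLE_MASK 0x8UL
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))
struct address_space { unsigned long flags; };
struct folio { struct address_space *mapping; };
static int stale_loads;  /* loads that still observe the old mapping */
static bool null_deref;  /* set at the point where the kernel would oops */

/* One load of folio->mapping; the racing writer stores NULL after stale_loads loads. */
static struct address_space *load_mapping(struct folio *f)
{
	if (stale_loads-- == 0)
		f->mapping = NULL;
	return READ_ONCE(f->mapping);
}

/* Plain accesses: the compiler may emit three separate loads. */
static bool unevictable_reloaded(struct folio *f)
{
	if (!((unsigned long)load_mapping(f) & PAGE_MAPPING_FLAGS) && load_mapping(f)) {
		struct address_space *m = load_mapping(f);
		if (!m) { null_deref = true; return false; }
		return m->flags & AS_UNEVICTABLE_MASK;
	}
	return false;
}

/* One snapshot, which READ_ONCE(folio->mapping) in folio_mapping() enforces. */
static bool unevictable_once(struct folio *f)
{
	struct address_space *m = load_mapping(f);
	if ((unsigned long)m & PAGE_MAPPING_FLAGS)
		m = NULL;
	return m && (m->flags & AS_UNEVICTABLE_MASK);
}

/* True if the chosen variant would have dereferenced NULL. */
static bool would_crash(int stale, bool reloaded)
{
	struct address_space as = { .flags = AS_UNEVICTABLE_MASK };
	struct folio f = { .mapping = &as };
	stale_loads = stale;
	null_deref = false;
	(void)(reloaded ? unevictable_reloaded(&f) : unevictable_once(&f));
	return null_deref;
}

int main(void) { return !(would_crash(2, true) && !would_crash(2, false)); }
```

Only the interleaving where the store lands after the second load and before the third reaches the NULL dereference in the reloaded variant; the single-snapshot variant is safe for every placement of the store.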