From: Jann Horn
Date: Wed, 5 Feb 2025 16:14:52 +0100
Subject: Re: [syzbot] [mm?] KCSAN: data-race in mprotect_fixup / try_to_migrate_one
To: Lorenzo Stoakes
Cc: syzbot, Liam.Howlett@oracle.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, vbabka@suse.cz
In-Reply-To: <13bb4bbf-92e7-4c45-a3a8-a52312015f92@lucifer.local>
References: <67a34e60.050a0220.50516.0040.GAE@google.com> <13bb4bbf-92e7-4c45-a3a8-a52312015f92@lucifer.local>

On Wed, Feb 5, 2025 at 4:11 PM Lorenzo Stoakes wrote:
> On Wed, Feb 05, 2025 at 04:00:06PM +0100, Jann Horn wrote:
> > On Wed, Feb 5, 2025 at 12:41 PM syzbot wrote:
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    d009de7d5428 Merge tag 'livepatching-for-6.14-rc2' of git:..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12b678a4580000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=9e757e3762bd630b
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=c2e5712cbb14c95d4847
> > > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/9235000a1b88/disk-d009de7d.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/098ef82f8ab3/vmlinux-d009de7d.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/4f51f5eb5782/bzImage-d009de7d.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+c2e5712cbb14c95d4847@syzkaller.appspotmail.com
> > >
> > > ==================================================================
> > > BUG: KCSAN: data-race in mprotect_fixup / try_to_migrate_one
> > >
> > > write to 0xffff888114b41700 of 8 bytes by task 6432 on cpu 1:
> > >  vm_flags_init include/linux/mm.h:875 [inline]
> > >  vm_flags_reset include/linux/mm.h:887 [inline]
> > >  mprotect_fixup+0x419/0x5e0 mm/mprotect.c:679
> > >  do_mprotect_pkey+0x6cc/0x9a0 mm/mprotect.c:840
> >
> > This is one side changing the VMA flags under the mmap lock in write mode...
> >
> > >  __do_sys_mprotect mm/mprotect.c:861 [inline]
> > >  __se_sys_mprotect mm/mprotect.c:858 [inline]
> > >  __x64_sys_mprotect+0x48/0x60 mm/mprotect.c:858
> > >  x64_sys_call+0x2770/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:11
> > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
> > >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > >
> > > read to 0xffff888114b41700 of 8 bytes by task 6418 on cpu 0:
> > >  try_to_migrate_one+0xb5a/0x12e0 mm/rmap.c:2321
> > >  rmap_walk_anon+0x28f/0x440 mm/rmap.c:2646
> >
> > ... while the other side comes through the rmap, which does not
> > involve the mmap lock. Yes, that does not have any mutual locking by
> > design, I think.
> >
> > The comments in the VMA flags code incorrectly assume that no
> > concurrency is possible here; and I think the comment in
> > mprotect_fixup() about protection by the mmap_lock has also been kinda
> > wrong since the beginning of git history.
> >
> > The VM_LOCKED check in the migration code was added by Hugh in commit
> > b74355078b655, but that's just one example syzbot stumbled over; we
> > have similar racy vm_flags reads through the rmap on other paths like:
> >
> > unmap_mapping_range_tree -> unmap_mapping_range_vma ->
> > zap_page_range_single -> unmap_single_vma -> unmap_page_range -> ...
> > -> zap_pte_range -> zap_present_ptes -> vm_normal_page
> >
> > I think the right fix might just be to make sure that we use
> > WRITE_ONCE() for these vm_flags updates, and READ_ONCE() around
> > ->vm_flags reads that can happen in rmap walk paths, though we should
> > think about the consequences of concurrently changing flags in every
> > place that gets a READ_ONCE()...
>
> Yup cool similar to my thread on this.
>
> I hate that we have these landmines waiting for us. Be good to find a way
> to explicitly annotate this, or at least comment somehow.
>
> But agreed, probably adding a READ_ONCE()/WRITE_ONCE() is appropriate at
> least for the proximate thing.
>
> It's a wonder these things don't trigger more, except you need probably
> very precise timing to do it...
>
> I can do a quick cheeky patch.

Thanks!
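The READ_ONCE()/WRITE_ONCE() pattern discussed in the thread, modelled in user space as an added example that is not part of this thread or of any kernel patch: the writer stands in for mprotect_fixup() (flags changed under a mutex that plays the mmap lock) and the readers for an rmap walk that holds no such lock. The anonymous vma struct, run_race() and the pthread scaffolding are constructed for the demo, and the READ_ONCE/WRITE_ONCE macros are the volatile-cast shape only, not the kernel's full definitions.

```c
#include <pthread.h>
/* Volatile-cast shape of READ_ONCE/WRITE_ONCE (constructed, not the kernel's
 * full macros): exactly one load/store, never re-read, merged or torn. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
#define VM_LOCKED 0x00002000UL              /* bit value from include/linux/mm.h */
static struct { unsigned long vm_flags; } vma;  /* constructed stand-in for a VMA */
static pthread_mutex_t mmap_lock = PTHREAD_MUTEX_INITIALIZER;
static volatile int stop_writer;
/* mprotect_fixup() side: flags change under the lock, as one single store. */
static void *writer(void *unused)
{
    while (!stop_writer) {
        pthread_mutex_lock(&mmap_lock);
        WRITE_ONCE(vma.vm_flags, vma.vm_flags ^ VM_LOCKED);
        pthread_mutex_unlock(&mmap_lock);
    }
    return unused;
}
/* Racy rmap-side pattern: two plain reads of vm_flags may disagree. */
static int double_read_inconsistent(void)
{
    int locked = (vma.vm_flags & VM_LOCKED) != 0;
    return locked != ((vma.vm_flags & VM_LOCKED) != 0);
}
/* Fixed pattern: one READ_ONCE() snapshot, every decision derived from it. */
static int snapshot_inconsistent(void)
{
    unsigned long flags = READ_ONCE(vma.vm_flags);
    int locked = (flags & VM_LOCKED) != 0;
    return locked != ((flags & VM_LOCKED) != 0);
}

/* Runs a concurrent writer for `iters` reader iterations; returns the snapshot
 * reader's inconsistency count (always 0) and stores the racy reader's count in
 * *double_read (may be > 0, or 0 if the compiler merged its two plain reads). */
long run_race(long iters, long *double_read)
{
    pthread_t t;
    long snap = 0;
    *double_read = stop_writer = 0;
    pthread_create(&t, NULL, writer, NULL);
    for (long i = 0; i < iters; i++) {
        *double_read += double_read_inconsistent();
        snap += snapshot_inconsistent();
    }
    stop_writer = 1;
    pthread_join(t, NULL);
    return snap;
}
```

Build with -pthread; the racy reader's count depends on scheduling and on what the compiler did with the two plain reads, which is exactly the freedom READ_ONCE() removes.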