From: Jann Horn <jannh@google.com>
Date: Wed, 5 Feb 2025 16:00:06 +0100
Subject: Re: [syzbot] [mm?] KCSAN: data-race in mprotect_fixup / try_to_migrate_one
To: syzbot
Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz
In-Reply-To: <67a34e60.050a0220.50516.0040.GAE@google.com>

On Wed, Feb 5, 2025 at 12:41 PM syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit:    d009de7d5428 Merge tag 'livepatching-for-6.14-rc2' of git:..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12b678a4580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9e757e3762bd630b
> dashboard link: https://syzkaller.appspot.com/bug?extid=c2e5712cbb14c95d4847
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/9235000a1b88/disk-d009de7d.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/098ef82f8ab3/vmlinux-d009de7d.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/4f51f5eb5782/bzImage-d009de7d.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+c2e5712cbb14c95d4847@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KCSAN: data-race in mprotect_fixup / try_to_migrate_one
>
> write to 0xffff888114b41700 of 8 bytes by task 6432 on cpu 1:
>  vm_flags_init include/linux/mm.h:875 [inline]
>  vm_flags_reset include/linux/mm.h:887 [inline]
>  mprotect_fixup+0x419/0x5e0 mm/mprotect.c:679
>  do_mprotect_pkey+0x6cc/0x9a0 mm/mprotect.c:840

This is one side changing the VMA flags under the mmap lock in write mode...

>  __do_sys_mprotect mm/mprotect.c:861 [inline]
>  __se_sys_mprotect mm/mprotect.c:858 [inline]
>  __x64_sys_mprotect+0x48/0x60 mm/mprotect.c:858
>  x64_sys_call+0x2770/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:11
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> read to 0xffff888114b41700 of 8 bytes by task 6418 on cpu 0:
>  try_to_migrate_one+0xb5a/0x12e0 mm/rmap.c:2321
>  rmap_walk_anon+0x28f/0x440 mm/rmap.c:2646

... while the other side comes through the rmap, which does not involve the mmap lock.

Yes, that does not have any mutual locking by design, I think. The comments in the VMA flags code incorrectly assume that no concurrency is possible here; and I think the comment in mprotect_fixup() about protection by the mmap_lock has also been kinda wrong since the beginning of git history.
The VM_LOCKED check in the migration code was added by Hugh in commit b74355078b655, but that's just one example syzbot stumbled over; we have similar racy vm_flags reads through the rmap on other paths like:

unmap_mapping_range_tree -> unmap_mapping_range_vma -> zap_page_range_single -> unmap_single_vma -> unmap_page_range -> ... -> zap_pte_range -> zap_present_ptes -> vm_normal_page

I think the right fix might just be to make sure that we use WRITE_ONCE() for these vm_flags updates, and READ_ONCE() around ->vm_flags reads that can happen in rmap walk paths, though we should think about the consequences of concurrently changing flags in every place that gets a READ_ONCE()...

>  try_to_migrate+0x11f/0x150
>  migrate_folio_unmap mm/migrate.c:1320 [inline]
>  migrate_pages_batch+0x786/0x1930 mm/migrate.c:1866
>  migrate_pages_sync mm/migrate.c:1989 [inline]
>  migrate_pages+0xf02/0x1840 mm/migrate.c:2098
>  do_mbind mm/mempolicy.c:1394 [inline]
>  kernel_mbind mm/mempolicy.c:1537 [inline]
>  __do_sys_mbind mm/mempolicy.c:1611 [inline]
>  __se_sys_mbind+0xfd1/0x11c0 mm/mempolicy.c:1607
>  __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1607
>  x64_sys_call+0x2662/0x2dc0 arch/x86/include/generated/asm/syscalls_64.h:238
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> value changed: 0x0000000000102077 -> 0x0000000000102071
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 0 UID: 0 PID: 6418 Comm: syz.0.1339 Not tainted 6.14.0-rc1-syzkaller-00026-gd009de7d5428 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
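The marked-access pattern the reply proposes, as an added user-space model that is neither kernel code nor part of the thread: a writer stores the two vm_flags values from the report's "value changed" line with WRITE_ONCE(), while a lock-free reader either derives its checks from a single READ_ONCE() snapshot or re-reads the word per check. READ_ONCE()/WRITE_ONCE() are emulated with volatile accesses, and the VM_* bit values are assumed from include/linux/mm.h.

```c
#include <pthread.h>
#include <stdbool.h>

/* Bit values assumed from include/linux/mm.h. The report's "value changed:
 * 0x102077 -> 0x102071" is mprotect clearing VM_WRITE|VM_EXEC while
 * VM_LOCKED, the bit try_to_migrate_one() tests, stays set. */
#define VM_WRITE     0x2UL
#define VM_EXEC      0x4UL
#define VM_LOCKED    0x2000UL
#define FLAGS_BEFORE 0x102077UL
#define FLAGS_AFTER  0x102071UL
/* Stand-ins for the kernel macros: one volatile whole-word access, never torn or repeated. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

static unsigned long vm_flags = FLAGS_BEFORE; /* constructed stand-in for vma->vm_flags */
static volatile int g_stop;

/* Writer side, i.e. mprotect_fixup() -> vm_flags_reset(). In the kernel this
 * holds the mmap lock, which the rmap-side reader below never takes. */
static void *writer(void *arg)
{
    (void)arg;
    while (!g_stop) {
        WRITE_ONCE(vm_flags, FLAGS_AFTER);
        WRITE_ONCE(vm_flags, FLAGS_BEFORE);
    }
    return NULL;
}

/* Reader side (rmap walk). With use_snapshot every decision derives from one
 * READ_ONCE(); otherwise each check re-reads vm_flags. Returns how often the
 * two checks combined bits of both values, a state the writer never stored. */
static unsigned long run_reader(unsigned long iters, bool use_snapshot)
{
    pthread_t tid;
    unsigned long torn = 0, i;
    g_stop = 0;
    pthread_create(&tid, NULL, writer, NULL);
    for (i = 0; i < iters; i++) {
        unsigned long snap = READ_ONCE(vm_flags);
        bool w = (use_snapshot ? snap : READ_ONCE(vm_flags)) & VM_WRITE;
        bool x = (use_snapshot ? snap : READ_ONCE(vm_flags)) & VM_EXEC;
        if (w != x)  /* VM_WRITE and VM_EXEC only ever change together */
            torn++;
    }
    g_stop = 1;
    pthread_join(tid, NULL);
    return torn;
}
```

Calling run_reader(N, false) shows how often the re-read variant observes a flag combination that was never stored, while run_reader(N, true) returns 0 by construction; this is the "consequences of concurrently changing flags" the reply says each READ_ONCE() site has to be checked for.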