From: Kairui Song
Date: Mon, 14 Oct 2024 10:28:16 +0800
Subject: Re: [PATCH v2] mm: swap: prevent possible data-race in __try_to_reclaim_swap
To: Jeongjun Park
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com

On Mon, Oct 14, 2024 at 10:17 AM Jeongjun Park wrote:
>
> Kairui Song wrote:
> >
> > On Mon, Oct 7, 2024 at 3:06 PM Jeongjun Park wrote:
> >>
> >> A report [1] was uploaded from syzbot.
> >>
> >> In the previous commit 862590ac3708 ("mm: swap: allow cache reclaim to skip
> >> slot cache"), the __try_to_reclaim_swap() function reads offset and folio->entry
> >> from folio without folio_lock protection.
> >>
> >> In the currently reported KCSAN log, it is assumed that the actual data-race
> >> will not occur because the calltrace that does WRITE already obtains the
> >> folio_lock and then writes.
> >>
> >> However, the existing __try_to_reclaim_swap() function was already implemented
> >> to perform reads under folio_lock protection [1], and there is a risk of a
> >> data-race occurring through a function other than the one shown in the KCSAN
> >> log.
> >>
> >> Therefore, I think it is appropriate to change read operations for
> >> folio to be performed under folio_lock.
> >>
> >> [1]
> >>
> >> ===================================================================
> >> BUG: KCSAN: data-race in __delete_from_swap_cache / __try_to_reclaim_swap
> >>
> >> write to 0xffffea0004c90328 of 8 bytes by task 5186 on cpu 0:
> >>  __delete_from_swap_cache+0x1f0/0x290 mm/swap_state.c:163
> >>  delete_from_swap_cache+0x72/0xe0 mm/swap_state.c:243
> >>  folio_free_swap+0x1d8/0x1f0 mm/swapfile.c:1850
> >>  free_swap_cache mm/swap_state.c:293 [inline]
> >>  free_pages_and_swap_cache+0x1fc/0x410 mm/swap_state.c:325
> >>  __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
> >>  tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
> >>  tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
> >>  tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:373
> >>  zap_pte_range mm/memory.c:1700 [inline]
> >>  zap_pmd_range mm/memory.c:1739 [inline]
> >>  zap_pud_range mm/memory.c:1768 [inline]
> >>  zap_p4d_range mm/memory.c:1789 [inline]
> >>  unmap_page_range+0x1f3c/0x22d0 mm/memory.c:1810
> >>  unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
> >>  unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
> >>  exit_mmap+0x18a/0x690 mm/mmap.c:1864
> >>  __mmput+0x28/0x1b0 kernel/fork.c:1347
> >>  mmput+0x4c/0x60 kernel/fork.c:1369
> >>  exit_mm+0xe4/0x190 kernel/exit.c:571
> >>  do_exit+0x55e/0x17f0 kernel/exit.c:926
> >>  do_group_exit+0x102/0x150 kernel/exit.c:1088
> >>  get_signal+0xf2a/0x1070 kernel/signal.c:2917
> >>  arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
> >>  exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> >>  exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> >>  __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> >>  syscall_exit_to_user_mode+0x59/0x130 kernel/entry/common.c:218
> >>  do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
> >>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >>
> >> read to 0xffffea0004c90328 of 8 bytes by task 5189 on cpu 1:
> >>  __try_to_reclaim_swap+0x9d/0x510 mm/swapfile.c:198
> >>  free_swap_and_cache_nr+0x45d/0x8a0 mm/swapfile.c:1915
> >>  zap_pte_range mm/memory.c:1656 [inline]
> >>  zap_pmd_range mm/memory.c:1739 [inline]
> >>  zap_pud_range mm/memory.c:1768 [inline]
> >>  zap_p4d_range mm/memory.c:1789 [inline]
> >>  unmap_page_range+0xcf8/0x22d0 mm/memory.c:1810
> >>  unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
> >>  unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
> >>  exit_mmap+0x18a/0x690 mm/mmap.c:1864
> >>  __mmput+0x28/0x1b0 kernel/fork.c:1347
> >>  mmput+0x4c/0x60 kernel/fork.c:1369
> >>  exit_mm+0xe4/0x190 kernel/exit.c:571
> >>  do_exit+0x55e/0x17f0 kernel/exit.c:926
> >>  __do_sys_exit kernel/exit.c:1055 [inline]
> >>  __se_sys_exit kernel/exit.c:1053 [inline]
> >>  __x64_sys_exit+0x1f/0x20 kernel/exit.c:1053
> >>  x64_sys_call+0x2d46/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:61
> >>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >>  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
> >>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >>
> >> value changed: 0x0000000000000242 -> 0x0000000000000000
> >>
> >> Reported-by: syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com
> >> Fixes: 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache")
> >> Signed-off-by: Jeongjun Park
> >> ---
> >>  mm/swapfile.c | 7 ++++---
> >>  1 file changed, 4 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/mm/swapfile.c b/mm/swapfile.c
> >> index 0cded32414a1..eb782fcd5627 100644
> >> --- a/mm/swapfile.c
> >> +++ b/mm/swapfile.c
> >> @@ -194,9 +194,6 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
> >>  	if (IS_ERR(folio))
> >>  		return 0;
> >>
> >> -	/* offset could point to the middle of a large folio */
> >> -	entry = folio->swap;
> >> -	offset = swp_offset(entry);
> >>  	nr_pages = folio_nr_pages(folio);
> >>  	ret = -nr_pages;
> >>
> >> @@ -210,6 +207,10 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
> >>  	if (!folio_trylock(folio))
> >>  		goto out;
> >>
> >> +	/* offset could point to the middle of a large folio */
> >> +	entry = folio->swap;
> >> +	offset = swp_offset(entry);
> >> +
> >>  	need_reclaim = ((flags & TTRS_ANYWAY) ||
> >>  			((flags & TTRS_UNMAPPED) && !folio_mapped(folio)) ||
> >>  			((flags & TTRS_FULL) && mem_cgroup_swap_full(folio)));
> >> --
> >
> > Reviewed-by: Kairui Song
> >
> > Hi Andrew,
> >
> > Will this be added to stable and 6.12? 862590ac3708 is already in 6.12
> > and this fixes a potential issue of it.
>
> As far as I can see, commit 862590ac3708 was applied starting
> from 6.12-rc1, so it looks like no additional commits are needed
> for the stable version.

Hi, sorry for the confusion, I meant mm-stable, not the stable branch.
It's better to merge this in 6.12.

> Regards,
>
> Jeongjun Park
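Review bot: the first hunk (@@ -194,9 +194,6 @@) moves the `entry` and `offset` reads under the lock but leaves `nr_pages = folio_nr_pages(folio);` and `ret = -nr_pages;` before `folio_trylock()`, and that `ret` is the value the `goto out` path carries when the trylock fails. If the rationale is that folio fields must only be read under folio_lock, this read should either move with the other two or the commit message should state why it is exempt (for instance that the folio's size cannot change while the reference returned by the lookup is held); as posted, the patch applies its own rule to two of the three reads.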
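Review bot: the block added in the second hunk (@@ -210,6 +207,10 @@) reads `folio->swap` after the lock is taken but does not check that the folio is still in the swap cache; the KCSAN report in the commit message shows `__delete_from_swap_cache()` storing 0 into exactly this field (value changed: 0x0000000000000242 -> 0x0000000000000000), so a reader that wins the trylock after that store now computes `entry` and `offset` from 0 instead of from a stale value. Either add a `folio_test_swapcache(folio)` check right after `folio_trylock()` succeeds, or extend the moved comment to name the later check under the lock that rejects a folio which has already left the swap cache. Separately, the commit message says the function reads "offset and folio->entry"; the field the hunk moves is `folio->swap`, and the message should name it that way.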
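As an added illustration, not code from the patch or from the kernel: a small user-space C model of the two orderings the patch changes. The names `model_folio`, `model_folio_trylock()`, `model_delete_from_swap_cache()`, `reclaim_read_before_lock()` and `reclaim_read_under_lock()` are hypothetical stand-ins for `folio->swap`, `folio_trylock()`, `__delete_from_swap_cache()` and the two versions of `__try_to_reclaim_swap()`; the "window hook" reproduces deterministically the interleaving KCSAN caught, where the delete runs between the unlocked read and the trylock. The lock is a test-and-set flag, which is also how `folio_trylock()` works on the PG_locked bit. Each reclaim variant returns the entry value it would go on to use: the pre-patch ordering hands back the stale 0x242 after the folio has already been removed from the swap cache, the patched ordering sees the 0 the writer stored.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for the few folio fields involved. */
struct model_folio {
	atomic_flag locked;   /* stands in for the PG_locked bit behind folio_lock */
	uint64_t swap;        /* stands in for folio->swap; 0 once removed from swap cache */
};

/* Runs in the window between an unlocked read and the trylock, so the
 * interleaving from the KCSAN report can be reproduced without timing luck. */
typedef void (*window_hook_t)(struct model_folio *f);

void model_folio_init(struct model_folio *f, uint64_t swap_entry)
{
	atomic_flag_clear(&f->locked);
	f->swap = swap_entry;
}

/* Like folio_trylock(): succeed only if the lock bit was clear. */
bool model_folio_trylock(struct model_folio *f)
{
	return !atomic_flag_test_and_set(&f->locked);
}

void model_folio_lock(struct model_folio *f)
{
	while (!model_folio_trylock(f))
		;                       /* spin; never contended in this single-threaded model */
}

void model_folio_unlock(struct model_folio *f)
{
	atomic_flag_clear(&f->locked);
}

/* Writer side, like __delete_from_swap_cache(): clears the entry under the lock. */
void model_delete_from_swap_cache(struct model_folio *f)
{
	model_folio_lock(f);
	f->swap = 0;
	model_folio_unlock(f);
}

/* Pre-patch ordering: folio->swap is read before the lock is taken. */
uint64_t reclaim_read_before_lock(struct model_folio *f, window_hook_t hook)
{
	uint64_t entry = f->swap;       /* unlocked read: this is the race */

	if (hook)
		hook(f);                /* concurrent delete lands in this window */

	if (!model_folio_trylock(f))
		return 0;               /* lock busy: bail out, as the goto out path does */

	/* From here on the function would act on 'entry' even though the
	 * folio already left the swap cache; the stale value escapes. */
	model_folio_unlock(f);
	return entry;
}

/* Patched ordering: take the lock first, then read the field it protects. */
uint64_t reclaim_read_under_lock(struct model_folio *f, window_hook_t hook)
{
	uint64_t entry;

	if (hook)
		hook(f);

	if (!model_folio_trylock(f))
		return 0;

	entry = f->swap;                /* locked read: serialised with the delete */
	model_folio_unlock(f);
	return entry;                   /* 0 here means there is nothing to reclaim */
}

int main(void)
{
	struct model_folio before, after;

	model_folio_init(&before, 0x242);
	model_folio_init(&after, 0x242);
	printf("read before lock, racing delete: entry 0x%llx\n",
	       (unsigned long long)reclaim_read_before_lock(&before, model_delete_from_swap_cache));
	printf("read under lock,  racing delete: entry 0x%llx\n",
	       (unsigned long long)reclaim_read_under_lock(&after, model_delete_from_swap_cache));
	return 0;
}
```

Build with `cc -std=c11 -Wall model.c` (no extra libraries needed). Passing `NULL` as the hook shows the uncontended case where both orderings observe 0x242; only the racing case separates them, which is why KCSAN rather than ordinary testing surfaced the problem.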