linux-mm.kvack.org archive mirror
From: Marco Elver <elver@google.com>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Cc: syzbot <syzbot+b79be83906cd9bab16ff@syzkaller.appspotmail.com>,
	 akpm@linux-foundation.org, linux-fsdevel@vger.kernel.org,
	 linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	 syzkaller-bugs@googlegroups.com, willy@infradead.org
Subject: Re: [syzbot] [fs?] [mm?] KCSAN: data-race in xas_create / xas_find (8)
Date: Mon, 14 Oct 2024 18:42:21 +0200
Message-ID: <CANpmjNM3DVrO0vT2x3OiqQKLKf8kQ0qK3EdM+Wqi6ru66ZNBaQ@mail.gmail.com>
In-Reply-To: <CACzwLxgJb=xUCO+TFN_Y6SZ6YxoRn=pg0yfif3+GuHK8kL3x0Q@mail.gmail.com>

On Mon, 14 Oct 2024 at 08:40, Sabyrzhan Tasbolatov <snovitoll@gmail.com> wrote:
>
> On Mon, Oct 14, 2024 at 11:08 AM syzbot
> <syzbot+b79be83906cd9bab16ff@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    2f91ff27b0ee Merge tag 'sound-6.12-rc2' of git://git.kerne..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=155c879f980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=95098faba89c70c9
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b79be83906cd9bab16ff
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/14933c4ac457/disk-2f91ff27.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/6725831fc1a1/vmlinux-2f91ff27.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/98d64e038e72/bzImage-2f91ff27.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+b79be83906cd9bab16ff@syzkaller.appspotmail.com
> >
> > loop4: detected capacity change from 0 to 4096
> > EXT4-fs: Ignoring removed nobh option
> > EXT4-fs: Ignoring removed i_version option
> > ==================================================================
> > BUG: KCSAN: data-race in xas_create / xas_find
> >
> > write to 0xffff888106819919 of 1 bytes by task 3435 on cpu 0:
> >  xas_expand lib/xarray.c:613 [inline]
> >  xas_create+0x666/0xbd0 lib/xarray.c:654
> >  xas_store+0x6f/0xc90 lib/xarray.c:788
>
> AFAIU, xas_store() itself doesn't have a locking mechanism but is
> locked in the xa_* functions. Example:
>
> void *xa_store_range(...)
> {
>    XA_STATE(xas, xa, 0);
>    ...
>    do {
>       xas_lock(&xas);
>       if (entry) {
>       ...
>          xas_create(&xas, true);
>    }
> ...
> unlock:
>    xas_unlock(&xas);
> }
>
> The same applies to the other racing function, xas_find():
>
> void *xa_find(...)
> {
>    XA_STATE(xas, xa, *indexp);
>    void *entry;
>    rcu_read_lock();
>    do {
>       if (...)
>          entry = xas_find_marked(&xas, max, filter);
>       else
>          entry = xas_find(&xas, max);
>       ...
>    rcu_read_unlock();
> }
>
> In this KCSAN report, xas_create() and xas_find() are racing for `offset` field.

If you search the mailing list archives, there are several such
reports: https://lore.kernel.org/all/20230914080811.465zw662sus4uznq@quack3/
They have all been deemed benign.

The code might benefit from markings, per:
https://github.com/torvalds/linux/blob/master/tools/memory-model/Documentation/access-marking.txt

But that's entirely up to the maintainer's preference:
https://lwn.net/Articles/816854/
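The following is an added user-space model of the pattern the two messages above describe (a writer under xa_lock re-parenting the old head during expansion while xas_find()-style readers walk the tree under RCU alone) together with the READ_ONCE()/WRITE_ONCE() markings that access-marking.txt recommends. It is not kernel code and not from lib/xarray.c: the node layout, fan-out, function names and the check performed by the reader are assumptions made for illustration, and the kernel helpers are stood in for by C11/GCC atomics (relaxed for the marked byte, release/acquire for the pointer publication that rcu_assign_pointer()/rcu_dereference() provide). The reader verifies on every climb step that parent->slots[offset] still points back at the child, which is the kind of consistency that makes a racy read of `offset` benign rather than exploitable: a stale head is tolerated and counted, an inconsistent link would be a real bug.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel's marked-access helpers (assumption). */
#define READ_ONCE(x)             __atomic_load_n(&(x), __ATOMIC_RELAXED)
#define WRITE_ONCE(x, v)         __atomic_store_n(&(x), (v), __ATOMIC_RELAXED)
#define rcu_assign_pointer(p, v) __atomic_store_n(&(p), (v), __ATOMIC_RELEASE)
#define rcu_dereference(p)       __atomic_load_n(&(p), __ATOMIC_ACQUIRE)

#define SLOTS  4     /* toy fan-out; the real XArray uses 64 */
#define ROUNDS 8     /* number of head expansions the writer performs */

struct node {                 /* toy xa_node, layout is an assumption */
	uint8_t shift;        /* 0 for the leaf, +2 per level above it */
	uint8_t offset;       /* slot index in the parent: the racy byte */
	struct node *parent;
	struct node *slots[SLOTS];
};

static struct node *head;                       /* xa_head analogue */
static pthread_mutex_t xa_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_bool writer_done;
static atomic_ulong stale_walks;                /* benign: reader saw an old head */
static atomic_ulong broken_links;               /* a real bug if ever non-zero */

static struct node *alloc_node(uint8_t shift)
{
	struct node *n = calloc(1, sizeof(*n));
	if (!n)
		abort();
	n->shift = shift;       /* plain store: node is not yet visible to readers */
	return n;
}

/* Writer: xas_expand()-style step. The caller holds xa_lock. */
static void expand_head(void)
{
	struct node *old = head;                  /* xa_lock held: plain read is fine */
	struct node *root = alloc_node(old->shift + 2);

	root->slots[0] = old;                     /* fill the new root before publishing it */
	WRITE_ONCE(old->offset, 0);               /* the byte that races with lockless readers */
	rcu_assign_pointer(old->parent, root);    /* publish: readers may now climb into root */
	rcu_assign_pointer(head, root);
}

static void *writer(void *arg)
{
	(void)arg;
	for (int i = 0; i < ROUNDS; i++) {
		pthread_mutex_lock(&xa_lock);
		expand_head();
		pthread_mutex_unlock(&xa_lock);
	}
	atomic_store(&writer_done, true);
	return NULL;
}

/*
 * Reader: xas_find()-style walk with no lock. Descend from whatever head it
 * sees to the leaf, then climb via parent/offset, checking at every step that
 * the parent's slot at the offset just read still points back at this node.
 */
static void reader_walk(void)
{
	struct node *seen_head = rcu_dereference(head);
	struct node *n = seen_head;

	while (READ_ONCE(n->shift))
		n = rcu_dereference(n->slots[0]);
	for (;;) {
		uint8_t off = READ_ONCE(n->offset);
		struct node *p = rcu_dereference(n->parent);

		if (!p)
			break;
		if (off >= SLOTS || rcu_dereference(p->slots[off]) != n)
			atomic_fetch_add(&broken_links, 1);
		n = p;
	}
	if (n != seen_head)   /* head was expanded underneath us: tolerated */
		atomic_fetch_add(&stale_walks, 1);
}

static void *reader(void *arg)
{
	(void)arg;
	while (!atomic_load(&writer_done))
		reader_walk();
	reader_walk();        /* one final walk over the fully expanded tree */
	return NULL;
}

/* Runs one writer against four readers; returns the inconsistent-link count. */
unsigned long run_model(void)
{
	pthread_t w, r[4];

	head = alloc_node(0);   /* nodes are never freed: no grace period is modelled */
	atomic_store(&writer_done, false);
	atomic_store(&stale_walks, 0);
	atomic_store(&broken_links, 0);
	for (int i = 0; i < 4; i++)
		pthread_create(&r[i], NULL, reader, NULL);
	pthread_create(&w, NULL, writer, NULL);
	pthread_join(w, NULL);
	for (int i = 0; i < 4; i++)
		pthread_join(r[i], NULL);
	return atomic_load(&broken_links);
}

unsigned final_head_shift(void) { return head->shift; }
unsigned long stale_walk_count(void) { return atomic_load(&stale_walks); }

int main(void)
{
	unsigned long broken = run_model();

	printf("broken links: %lu, stale walks: %lu, head shift: %u\n",
	       broken, stale_walk_count(), final_head_shift());
	return broken ? 1 : 0;
}
```

The ordering in expand_head() is the point to study: the new root is filled in before anything is published, the marked byte store comes before the release store of the parent pointer, and a reader that acquires the parent therefore sees both the offset and the back-pointing slot. The stale-walk counter is normally non-zero on a multi-core run, which is exactly the situation KCSAN flags and the maintainers deem benign; the marking does not remove the race, it documents that the race is intended and keeps the compiler from tearing or duplicating the access.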



Thread overview: 3+ messages
2024-10-14  6:08 syzbot
2024-10-14  6:40 ` Sabyrzhan Tasbolatov
2024-10-14 16:42   ` Marco Elver [this message]
