From: Jeongjun Park
Subject: Re: [PATCH v2] mm: swap: prevent possible data-race in __try_to_reclaim_swap
Date: Mon, 14 Oct 2024 11:17:14 +0900
To: Kairui Song
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com

> Kairui Song wrote:
>
> On Mon, Oct 7, 2024 at 3:06 PM Jeongjun Park wrote:
>>
>> A report [1] was uploaded from syzbot.
>>
>> In the previous commit 862590ac3708 ("mm: swap: allow cache reclaim to skip
>> slot cache"), the __try_to_reclaim_swap() function reads offset and folio->entry
>> from folio without folio_lock protection.
>>
>> In the currently reported KCSAN log, it is assumed that the actual data-race
>> will not occur because the calltrace that does WRITE already obtains the
>> folio_lock and then writes.
>>
>> However, the existing __try_to_reclaim_swap() function was already implemented
>> to perform reads under folio_lock protection [1], and there is a risk of a
>> data-race occurring through a function other than the one shown in the KCSAN
>> log.
>>
>> Therefore, I think it is appropriate to change read operations for
>> folio to be performed under folio_lock.
>>
>> [1]
>>
>> ==================================================================
>> BUG: KCSAN: data-race in __delete_from_swap_cache / __try_to_reclaim_swap
>>
>> write to 0xffffea0004c90328 of 8 bytes by task 5186 on cpu 0:
>> __delete_from_swap_cache+0x1f0/0x290 mm/swap_state.c:163
>> delete_from_swap_cache+0x72/0xe0 mm/swap_state.c:243
>> folio_free_swap+0x1d8/0x1f0 mm/swapfile.c:1850
>> free_swap_cache mm/swap_state.c:293 [inline]
>> free_pages_and_swap_cache+0x1fc/0x410 mm/swap_state.c:325
>> __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
>> tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
>> tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
>> tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:373
>> zap_pte_range mm/memory.c:1700 [inline]
>> zap_pmd_range mm/memory.c:1739 [inline]
>> zap_pud_range mm/memory.c:1768 [inline]
>> zap_p4d_range mm/memory.c:1789 [inline]
>> unmap_page_range+0x1f3c/0x22d0 mm/memory.c:1810
>> unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
>> unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
>> exit_mmap+0x18a/0x690 mm/mmap.c:1864
>> __mmput+0x28/0x1b0 kernel/fork.c:1347
>> mmput+0x4c/0x60 kernel/fork.c:1369
>> exit_mm+0xe4/0x190 kernel/exit.c:571
>> do_exit+0x55e/0x17f0 kernel/exit.c:926
>> do_group_exit+0x102/0x150 kernel/exit.c:1088
>> get_signal+0xf2a/0x1070 kernel/signal.c:2917
>> arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
>> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
>> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
>> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
>> syscall_exit_to_user_mode+0x59/0x130 kernel/entry/common.c:218
>> do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> read to 0xffffea0004c90328 of 8 bytes by task 5189 on cpu 1:
>> __try_to_reclaim_swap+0x9d/0x510 mm/swapfile.c:198
>> free_swap_and_cache_nr+0x45d/0x8a0 mm/swapfile.c:1915
>> zap_pte_range mm/memory.c:1656 [inline]
>> zap_pmd_range mm/memory.c:1739 [inline]
>> zap_pud_range mm/memory.c:1768 [inline]
>> zap_p4d_range mm/memory.c:1789 [inline]
>> unmap_page_range+0xcf8/0x22d0 mm/memory.c:1810
>> unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
>> unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
>> exit_mmap+0x18a/0x690 mm/mmap.c:1864
>> __mmput+0x28/0x1b0 kernel/fork.c:1347
>> mmput+0x4c/0x60 kernel/fork.c:1369
>> exit_mm+0xe4/0x190 kernel/exit.c:571
>> do_exit+0x55e/0x17f0 kernel/exit.c:926
>> __do_sys_exit kernel/exit.c:1055 [inline]
>> __se_sys_exit kernel/exit.c:1053 [inline]
>> __x64_sys_exit+0x1f/0x20 kernel/exit.c:1053
>> x64_sys_call+0x2d46/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:61
>> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>> do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> value changed: 0x0000000000000242 -> 0x0000000000000000
>>
>> Reported-by: syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com
>> Fixes: 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache")
>> Signed-off-by: Jeongjun Park
>> ---
>>  mm/swapfile.c | 7 ++++---
>>  1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/mm/swapfile.c b/mm/swapfile.c
>> index 0cded32414a1..eb782fcd5627 100644
>> --- a/mm/swapfile.c
>> +++ b/mm/swapfile.c
>> @@ -194,9 +194,6 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
>>  	if (IS_ERR(folio))
>>  		return 0;
>>
>> -	/* offset could point to the middle of a large folio */
>> -	entry = folio->swap;
>> -	offset = swp_offset(entry);
>>  	nr_pages = folio_nr_pages(folio);
>>  	ret = -nr_pages;
>>
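Review bot: with the two reads dropped from this hunk, `nr_pages = folio_nr_pages(folio)` and `ret = -nr_pages` are still evaluated before the `folio_trylock()` that the next hunk moves the reads behind; the commit message's argument (folio state should only be read under folio_lock) seems to apply to the folio size just as much as to `folio->swap`, so either say in the changelog why that read is safe without the lock or move it below the lock together with `entry`/`offset`. It is also worth confirming that nothing between this hunk and the lock still relies on the re-read `offset`, since up to the lock `offset` now keeps the caller's value rather than the folio's first slot.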
>> @@ -210,6 +207,10 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si,
>>  	if (!folio_trylock(folio))
>>  		goto out;
>>
>> +	/* offset could point to the middle of a large folio */
>> +	entry = folio->swap;
>> +	offset = swp_offset(entry);
>> +
>>  	need_reclaim = ((flags & TTRS_ANYWAY) ||
>>  			((flags & TTRS_UNMAPPED) && !folio_mapped(folio)) ||
>>  			((flags & TTRS_FULL) && mem_cgroup_swap_full(folio)));
>> -- 
>
> Reviewed-by: Kairui Song
>
> Hi Andrew,
>
> Will this be added to stable and 6.12? 862590ac3708 is already in 6.12
> and this fixes a potential issue of it.

As far as I can see, commit 862590ac3708 was applied starting from 6.12-rc1, so it looks like no additional commits are needed for the stable version.

Regards,
Jeongjun Park
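Review bot: the comment carried over with the moved lines ("offset could point to the middle of a large folio") explains why `folio->swap` is re-read but not why the read now has to sit after `folio_trylock()`; a second sentence stating that `folio->swap` is only stable while the folio lock is held, which is the whole point of this patch, would stop the next person from hoisting it back above the lock. Placing the reads directly after the lock and before `need_reclaim` is otherwise the right spot, since the `goto out` on trylock failure never touches `offset`.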