From patchwork Fri Feb 21 16:32:04 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Qian Cai <cai@lca.pw>
X-Patchwork-Id: 11396859
Return-Path: <SRS0=ECrd=4J=kvack.org=owner-linux-mm@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 20CDD138D
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri, 21 Feb 2020 16:32:20 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id D7ABB24650
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri, 21 Feb 2020 16:32:19 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=lca.pw header.i=@lca.pw header.b="GjE6IBB7"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D7ABB24650
Authentication-Results: mail.kernel.org;
 dmarc=none (p=none dis=none) header.from=lca.pw
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 2253E6B0005; Fri, 21 Feb 2020 11:32:19 -0500 (EST)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1D6276B0006; Fri, 21 Feb 2020 11:32:19 -0500 (EST)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 0ECFD6B0007; Fri, 21 Feb 2020 11:32:19 -0500 (EST)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id E76086B0005
	for <linux-mm@kvack.org>; Fri, 21 Feb 2020 11:32:18 -0500 (EST)
Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id A408C181AEF21
	for <linux-mm@kvack.org>; Fri, 21 Feb 2020 16:32:18 +0000 (UTC)
X-FDA: 76514676756.02.soda31_6b6e300469304
X-Spam-Summary: 
 2,0,0,30bdc14ad02df649,d41d8cd98f00b204,cai@lca.pw,,RULES_HIT:41:355:379:541:800:960:973:988:989:1260:1345:1437:1534:1541:1711:1730:1747:1777:1792:2393:2559:2562:2900:2918:3138:3139:3140:3141:3142:3352:3865:3866:3867:3870:3871:3872:4321:5007:6261:6653:7903:10004:11026:11473:11658:11914:12043:12296:12297:12438:12517:12519:12555:12679:12895:12986:13069:13161:13229:13311:13357:14018:14096:14104:14181:14384:14394:14721:21080:21444:21524:21627:21990:30054,0,RBL:209.85.160.196:@lca.pw:.lbl8.mailshell.net-62.14.0.100
 66.201.201.201,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not
 bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:55,LUA_SUMMARY:none
X-HE-Tag: soda31_6b6e300469304
X-Filterd-Recvd-Size: 4515
Received: from mail-qt1-f196.google.com (mail-qt1-f196.google.com
 [209.85.160.196])
	by imf42.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Fri, 21 Feb 2020 16:32:18 +0000 (UTC)
Received: by mail-qt1-f196.google.com with SMTP id l16so1695148qtq.1
        for <linux-mm@kvack.org>; Fri, 21 Feb 2020 08:32:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=lca.pw; s=google;
        h=from:to:cc:subject:date:message-id;
        bh=cXaywPD3pmPwWnHt9EIorfvYHMu3YxvGW8+pLbCFwtk=;
        b=GjE6IBB7kSgDFur2+gmu+w75yQ3pWKdgsUjmEmlwKmJfX6D990u2ssMpUcXUQAk1N0
         yAPdZnlTQZjoQZEuNF28ws2q0MzoIVYmjD8aALGeBsrLZlx2b6SQv4tS3NVrxWpwVliW
         g1Nm+9DxSG5OnUOlWsneQ25K/w3cDHuwyoPeLt4vF8k7dSb4BIs7EiHO2yQbdybynOSG
         VAmSW4jCrBHPECZG3u3+3157/iR1uW67/mi5ZjCHaexiJYH3QfKEPQB3WU2SwrN63Rj1
         19AWocC6uBZ2ehtZ9F8qy5DamGSSyn5iARwEvjd1bZsbWyD13lJsE9Ad31C0lg14QBk9
         cVRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=cXaywPD3pmPwWnHt9EIorfvYHMu3YxvGW8+pLbCFwtk=;
        b=NcCUWg171ZkgfSUBgPiMX1NNvDu38w/1n0vRarLkhaazkh7jBdRAZoqi02QEJvf3nS
         jUFTOd0/b6K5Gur14IsJXg1jh7ExQtTo4AU8HUNCbQ4JR/4Nk5maYIh/M6GQAqpPW8ug
         OgxCLmJTog/fgje6XNUGjtjQi2ZzxRiqG3TkFHue2/+6jCW5R24FQP4CRdUt42oqEUAp
         3bJiJDFD7zWAXH/tf77iTXrgA53x280fzJ1w3B+4EI67npgtDxWuHRRDzcmO6i63i11Q
         FZ7UjWhYFCUdPyW/muyufUjeYqPtLgNYE1RbnsqexDcUQajtsY3bExOpBClSCb0Gw+HC
         HoQQ==
X-Gm-Message-State: APjAAAV6yMVwWBJj8ASfL4C+1j0fVCHMFGsocRouB9+qfTFlEEQGtSd6
	4oIC1JGoAPZ+W/C85qVRWdr8jQ==
X-Google-Smtp-Source: 
 APXvYqzRT1G6f354xFAjVBF8mWhm3/fdyFxLMea7bS4t8zw6nXncb5AdQwv3Bi6DSKNKYvq7y+43qQ==
X-Received: by 2002:aed:3203:: with SMTP id y3mr33387658qtd.23.1582302737400;
        Fri, 21 Feb 2020 08:32:17 -0800 (PST)
Received: from qcai.nay.com (nat-pool-bos-t.redhat.com. [66.187.233.206])
        by smtp.gmail.com with ESMTPSA id
 u12sm1748006qke.67.2020.02.21.08.32.16
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 21 Feb 2020 08:32:16 -0800 (PST)
From: Qian Cai <cai@lca.pw>
To: akpm@linux-foundation.org
Cc: elver@google.com,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Qian Cai <cai@lca.pw>
Subject: [PATCH] percpu_counter: fix a data race at vm_committed_as
Date: Fri, 21 Feb 2020 11:32:04 -0500
Message-Id: <1582302724-2804-1-git-send-email-cai@lca.pw>
X-Mailer: git-send-email 1.8.3.1
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000024, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

"vm_committed_as.count" could be accessed concurrently as reported by
KCSAN,

 BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch

 write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35:
  percpu_counter_add_batch+0x83/0xd0
  percpu_counter_add_batch at lib/percpu_counter.c:91
  __vm_enough_memory+0xb9/0x260
  dup_mm+0x3a4/0x8f0
  copy_process+0x2458/0x3240
  _do_fork+0xaa/0x9f0
  __do_sys_clone+0x125/0x160
  __x64_sys_clone+0x70/0x90
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19:
  __vm_enough_memory+0x199/0x260
  percpu_counter_read_positive at include/linux/percpu_counter.h:81
  (inlined by) __vm_enough_memory at mm/util.c:839
  mmap_region+0x1b2/0xa10
  do_mmap+0x45c/0x700
  vm_mmap_pgoff+0xc0/0x130
  ksys_mmap_pgoff+0x6e/0x300
  __x64_sys_mmap+0x33/0x40
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The read is outside percpu_counter::lock critical section which results
in a data race. Fix it by adding a READ_ONCE() in
percpu_counter_read_positive() which could also service as the existing
compiler memory barrier.

Signed-off-by: Qian Cai <cai@lca.pw>
Acked-by: Marco Elver <elver@google.com>
---
 include/linux/percpu_counter.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h
index 4f052496cdfd..0a4f54dd4737 100644
--- a/include/linux/percpu_counter.h
+++ b/include/linux/percpu_counter.h
@@ -78,9 +78,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc)
  */
 static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc)
 {
-	s64 ret = fbc->count;
+	/* Prevent reloads of fbc->count */
+	s64 ret = READ_ONCE(fbc->count);
 
-	barrier();		/* Prevent reloads of fbc->count */
 	if (ret >= 0)
 		return ret;
 	return 0;