From patchwork Wed Jan 29 10:52:24 2020
X-Patchwork-Submitter: Qian Cai
X-Patchwork-Id: 11355821
From: Qian Cai
To: akpm@linux-foundation.org
Cc: hannes@cmpxchg.org, elver@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] mm/page_counter: fix various data races
Date: Wed, 29 Jan 2020 05:52:24 -0500
Message-Id: <20200129105224.4016-1-cai@lca.pw>

The commit 3e32cb2e0a12 ("mm: memcontrol: lockless page counters") could
have had memcg->memsw->watermark accessed concurrently, as reported by
KCSAN,

 Reported by Kernel Concurrency Sanitizer on:
 BUG: KCSAN: data-race in page_counter_try_charge / page_counter_try_charge

 read to 0xffff8fb18c4cd190 of 8 bytes by task 1081 on cpu 59:
  page_counter_try_charge+0x4d/0x150 mm/page_counter.c:138
  try_charge+0x131/0xd50 mm/memcontrol.c:2405
  __memcg_kmem_charge_memcg+0x58/0x140
  __memcg_kmem_charge+0xcc/0x280
  __alloc_pages_nodemask+0x1e1/0x450
  alloc_pages_current+0xa6/0x120
  pte_alloc_one+0x17/0xd0
  __pte_alloc+0x3a/0x1f0
  copy_p4d_range+0xc36/0x1990
  copy_page_range+0x21d/0x360
  dup_mmap+0x5f5/0x7a0
  dup_mm+0xa2/0x240
  copy_process+0x1b3f/0x3460
  _do_fork+0xaa/0xa20
  __x64_sys_clone+0x13b/0x170
  do_syscall_64+0x91/0xb47
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 write to 0xffff8fb18c4cd190 of 8 bytes by task 1153 on cpu 120:
  page_counter_try_charge+0x5b/0x150 mm/page_counter.c:139
  try_charge+0x131/0xd50 mm/memcontrol.c:2405
  mem_cgroup_try_charge+0x159/0x460
  mem_cgroup_try_charge_delay+0x3d/0xa0
  wp_page_copy+0x14d/0x930
  do_wp_page+0x107/0x7b0
  __handle_mm_fault+0xce6/0xd40
  handle_mm_fault+0xfc/0x2f0
  do_page_fault+0x263/0x6f9
  page_fault+0x34/0x40

Since watermark could be compared or set to garbage due to load or
store tearing which would change the code logic, fix it by adding a pair
of READ_ONCE() and WRITE_ONCE() in those places.

Fixes: 3e32cb2e0a12 ("mm: memcontrol: lockless page counters") Signed-off-by: Qian Cai Acked-by: Michal Hocko Reported-by: syzbot+f36cfe60b1006a94f9dc@syzkaller.appspotmail.com --- mm/page_counter.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mm/page_counter.c b/mm/page_counter.c index de31470655f6..a17841150906 100644 --- a/mm/page_counter.c +++ b/mm/page_counter.c @@ -82,8 +82,8 @@ void page_counter_charge(struct page_counter *counter, unsigned long nr_pages) * This is indeed racy, but we can live with some * inaccuracy in the watermark. */ - if (new > c->watermark) - c->watermark = new; + if (new > READ_ONCE(c->watermark)) + WRITE_ONCE(c->watermark, new); } } @@ -135,8 +135,8 @@ bool page_counter_try_charge(struct page_counter *counter, * Just like with failcnt, we can live with some * inaccuracy in the watermark. */ - if (new > c->watermark) - c->watermark = new; + if (new > READ_ONCE(c->watermark)) + WRITE_ONCE(c->watermark, new); } return true;
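Review bot: In the page_counter_charge() hunk (@@ -82,8 +82,8 @@) the compare and the store remain two separate steps, so READ_ONCE()/WRITE_ONCE() stop load and store tearing but two CPUs can still both pass `new > READ_ONCE(c->watermark)` and the smaller `new` can be stored last, leaving the watermark below the real peak. The unchanged comment above the test already accepts that ("This is indeed racy, but we can live with some inaccuracy in the watermark"), so please extend it to say that the annotations exist only to prevent tearing and to mark the race as intentional; without that, a later reader may take the ONCE pair for a complete fix. If an exact high-water mark is ever required, that would need a compare-and-exchange loop rather than this pair.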
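Review bot: The subject says "fix various data races", but the page_counter_try_charge() hunk (@@ -135,8 +135,8 @@) annotates only c->watermark, while the unchanged comment in that same hunk names failcnt as racy in the same way ("Just like with failcnt, we can live with some inaccuracy in the watermark"). Either give the failcnt update the same READ_ONCE()/WRITE_ONCE() treatment in this patch or narrow the subject and changelog to the watermark. The diffstat shows only mm/page_counter.c touched with 4 insertions, so the changelog should also state whether plain reads or writes of watermark outside these two functions were checked.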