From patchwork Tue Feb 11 18:39:44 2020
X-Patchwork-Submitter: Qian Cai
X-Patchwork-Id: 11376673
From: Qian Cai
To: akpm@linux-foundation.org
Cc: elver@google.com, tj@kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Qian Cai
Subject: [PATCH] mm/mempool: fix a data race in mempool_free()
Date: Tue, 11 Feb 2020 13:39:44 -0500
Message-Id: <1581446384-2131-1-git-send-email-cai@lca.pw>

mempool_t pool.curr_nr could be accessed concurrently as noticed by
KCSAN,

 BUG: KCSAN: data-race in mempool_free / remove_element

 write to 0xffffffffa937638c of 4 bytes by task 6359 on cpu 113:
  remove_element+0x4a/0x1c0
  remove_element at mm/mempool.c:132
  mempool_alloc+0x102/0x210
  (inlined by) mempool_alloc at mm/mempool.c:399
  bio_alloc_bioset+0x106/0x2c0
  get_swap_bio+0x49/0x230
  __swap_writepage+0x680/0xc30
  swap_writepage+0x9c/0xf0
  pageout+0x33e/0xae0
  shrink_page_list+0x1f57/0x2870
  shrink_inactive_list+0x316/0x880
  shrink_lruvec+0x8dc/0x1380
  shrink_node+0x317/0xd80
  do_try_to_free_pages+0x1f7/0xa10
  try_to_free_pages+0x26c/0x5e0
  __alloc_pages_slowpath+0x458/0x1290

 read to 0xffffffffa937638c of 4 bytes by interrupt on cpu 64:
  mempool_free+0x3e/0x150
  mempool_free at mm/mempool.c:492
  bio_free+0x192/0x280
  bio_put+0x91/0xd0
  end_swap_bio_write+0x1d8/0x280
  bio_endio+0x2c2/0x5b0
  dec_pending+0x22b/0x440 [dm_mod]
  clone_endio+0xe4/0x2c0 [dm_mod]
  bio_endio+0x2c2/0x5b0
  blk_update_request+0x217/0x940
  scsi_end_request+0x6b/0x4d0
  scsi_io_completion+0xb7/0x7e0
  scsi_finish_command+0x223/0x310
  scsi_softirq_done+0x1d5/0x210
  blk_mq_complete_request+0x224/0x250
  scsi_mq_done+0xc2/0x250
  pqi_raid_io_complete+0x5a/0x70 [smartpqi]
  pqi_irq_handler+0x150/0x1410 [smartpqi]
  __handle_irq_event_percpu+0x90/0x540
  handle_irq_event_percpu+0x49/0xd0
  handle_irq_event+0x85/0xca
  handle_edge_irq+0x13f/0x3e0
  do_IRQ+0x86/0x190

Since the write is under pool->lock but the read is done as lockless.
Even though the commit 5b990546e334 ("mempool: fix and document synchronization and memory barrier usage") introduced the smp_wmb() and smp_rmb() pair to improve the situation, it is adequate to protect it from data races which could lead to a logic bug, so fix it by adding READ_ONCE() for the read. Signed-off-by: Qian Cai --- mm/mempool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/mempool.c b/mm/mempool.c index 85efab3da720..79bff63ecf27 100644 --- a/mm/mempool.c +++ b/mm/mempool.c @@ -489,7 +489,7 @@ void mempool_free(void *element, mempool_t *pool) * ensures that there will be frees which return elements to the * pool waking up the waiters. */ - if (unlikely(pool->curr_nr < pool->min_nr)) { + if (unlikely(READ_ONCE(pool->curr_nr) < pool->min_nr)) { spin_lock_irqsave(&pool->lock, flags); if (likely(pool->curr_nr < pool->min_nr)) { add_element(pool, element);
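Review bot: the changelog does not name the logic bug that the plain read in `if (unlikely(pool->curr_nr < pool->min_nr))` can cause, and it says the smp_wmb()/smp_rmb() pair "is adequate", which contradicts the need for the fix; please confirm whether "inadequate" was meant. The value is re-checked under pool->lock on the following line (`if (likely(pool->curr_nr < pool->min_nr))`), so the message should say whether READ_ONCE() at the changed line fixes an observable misbehaviour or only marks the intentional lockless read for KCSAN. The comment block just above the check documents the synchronization; a sentence there explaining why the read is marked would keep the code self-describing. The write reported in remove_element (mm/mempool.c:132) stays a plain access, so state in the changelog that leaving it unmarked is deliberate because it runs under pool->lock.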