From patchwork Sun Sep 8 13:52:10 2024
X-Patchwork-Submitter: Jeongjun Park
X-Patchwork-Id: 13795489
From: Jeongjun Park
To: dennis@kernel.org, tj@kernel.org, cl@linux.com, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot, Jeongjun Park
Subject: [PATCH] percpu: fix data race in pcpu_alloc_noprof() and extend spinlock protection area
Date: Sun, 8 Sep 2024 22:52:10 +0900
Message-Id: <20240908135209.15159-1-aha310510@gmail.com>

I got the following KCSAN report during syzbot testing:

==================================================================
BUG: KCSAN: data-race in pcpu_alloc_noprof / pcpu_free_area

read-write to 0xffffffff883f872c of 4 bytes by task 3378 on cpu 0:
 pcpu_update_empty_pages mm/percpu.c:602 [inline]
 pcpu_block_update_hint_free mm/percpu.c:1044 [inline]
 pcpu_free_area+0x4dc/0x570 mm/percpu.c:1302
 free_percpu+0x1c6/0xb30 mm/percpu.c:2277
 xt_percpu_counter_free+0x63/0x80 net/netfilter/x_tables.c:1951
 cleanup_entry+0x195/0x1c0 net/ipv6/netfilter/ip6_tables.c:671
 __do_replace+0x470/0x580 net/ipv6/netfilter/ip6_tables.c:1099
 do_replace net/ipv6/netfilter/ip6_tables.c:1158 [inline]
 do_ip6t_set_ctl+0x820/0x8c0 net/ipv6/netfilter/ip6_tables.c:1644
 nf_setsockopt+0x195/0x1b0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x126/0x140 net/ipv6/ipv6_sockglue.c:998
 tcp_setsockopt+0x93/0xb0 net/ipv4/tcp.c:3768
 sock_common_setsockopt+0x64/0x80 net/core/sock.c:3735
 do_sock_setsockopt net/socket.c:2324 [inline]
 __sys_setsockopt+0x1d8/0x250 net/socket.c:2347
 __do_sys_setsockopt net/socket.c:2356 [inline]
 __se_sys_setsockopt net/socket.c:2353 [inline]
 __x64_sys_setsockopt+0x66/0x80 net/socket.c:2353
 x64_sys_call+0x278d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:55
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

read to 0xffffffff883f872c of 4 bytes by task 3374 on cpu 1:
 pcpu_alloc_noprof+0x9a5/0x10c0 mm/percpu.c:1894
 xt_percpu_counter_alloc+0x79/0x110 net/netfilter/x_tables.c:1931
 find_check_entry net/ipv4/netfilter/ip_tables.c:526 [inline]
 translate_table+0x921/0xf70 net/ipv4/netfilter/ip_tables.c:716
 do_replace net/ipv4/netfilter/ip_tables.c:1137 [inline]
 do_ipt_set_ctl+0x7bd/0x8b0 net/ipv4/netfilter/ip_tables.c:1635
 nf_setsockopt+0x195/0x1b0 net/netfilter/nf_sockopt.c:101
 ip_setsockopt+0xea/0x100 net/ipv4/ip_sockglue.c:1424
 tcp_setsockopt+0x93/0xb0 net/ipv4/tcp.c:3768
 sock_common_setsockopt+0x64/0x80 net/core/sock.c:3735
 do_sock_setsockopt net/socket.c:2324 [inline]
 __sys_setsockopt+0x1d8/0x250 net/socket.c:2347
 __do_sys_setsockopt net/socket.c:2356 [inline]
 __se_sys_setsockopt net/socket.c:2353 [inline]
 __x64_sys_setsockopt+0x66/0x80 net/socket.c:2353
 x64_sys_call+0x278d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:55
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

value changed: 0x00000005 -> 0x00000006

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 3374 Comm: syz-executor.3 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
==================================================================

The global variable pcpu_nr_empty_pop_pages can be protected by pcpu_lock,
but since pcpu_alloc_noprof reads outside the spinlock protection section,
a data race may occur and the branch of the conditional statement may change.
Therefore, the reading of pcpu_nr_empty_pop_pages should be modified to be
performed within the spinlock protection section.

However, the for_each_clear_bitrange_from loop requires and uses a spinlock,
but it repeatedly locks and unlocks the spinlock unnecessarily.

Therefore, I think it is appropriate to remove the repeated spin_lock and
spin_unlock in for_each_clear_bitrange_from and perform the operation of
reading pcpu_nr_empty_pop_pages and then perform spin_unlock to postpone
the point in time when the spin_unlock is performed.

Reported-by: syzbot
Fixes: e04d320838f5 ("percpu: indent the population block in pcpu_alloc()")
Signed-off-by: Jeongjun Park
---
 mm/percpu.c | 5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

--
diff --git a/mm/percpu.c b/mm/percpu.c index 20d91af8c033..5c958a54da51 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -1864,7 +1864,6 @@ void __percpu *pcpu_alloc_noprof(size_t size, size_t align, bool reserved, area_found: pcpu_stats_area_alloc(chunk, size); - spin_unlock_irqrestore(&pcpu_lock, flags); /* populate if not all pages are already there */ if (!is_atomic) { @@ -1878,14 +1877,12 @@ void __percpu *pcpu_alloc_noprof(size_t size, size_t align, bool reserved, ret = pcpu_populate_chunk(chunk, rs, re, pcpu_gfp); - spin_lock_irqsave(&pcpu_lock, flags); if (ret) { pcpu_free_area(chunk, off); err = "failed to populate"; goto fail_unlock; } pcpu_chunk_populated(chunk, rs, re); - spin_unlock_irqrestore(&pcpu_lock, flags); } mutex_unlock(&pcpu_alloc_mutex); 
@@ -1894,6 +1891,8 @@ void __percpu *pcpu_alloc_noprof(size_t size, size_t align, bool reserved, if (pcpu_nr_empty_pop_pages < PCPU_EMPTY_POP_PAGES_LOW) pcpu_schedule_balance_work(); + spin_unlock_irqrestore(&pcpu_lock, flags); + /* clear the areas and return address relative to base address */ for_each_possible_cpu(cpu) memset((void *)pcpu_chunk_addr(chunk, cpu, 0) + off, 0, size);
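
Review bot: Dropping the spin_unlock_irqrestore() after pcpu_stats_area_alloc() in the first hunk (@@ -1864) means the whole `if (!is_atomic)` population block is entered with pcpu_lock held and interrupts disabled, and nothing at area_found documents that new lock state. If the goal is only to cover the pcpu_nr_empty_pop_pages read, keep this unlock and take the lock narrowly around that read; if the wider critical section is intended, add a comment at area_found saying pcpu_lock stays held until after the balance check.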
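
Review bot: In the second hunk (@@ -1878), pcpu_populate_chunk(chunk, rs, re, pcpu_gfp) is now called with pcpu_lock held and IRQs off; it sits in the !is_atomic branch and is handed a gfp mask, so it can allocate and may sleep, which is not permitted under a spinlock. The deleted spin_lock_irqsave() re-took the lock only after that call returned, which indicates the call was meant to run unlocked, so the removal needs either a justification that pcpu_populate_chunk() cannot block or the lock/unlock pair should stay around the `if (ret)` / pcpu_chunk_populated() part. The unchanged mutex_unlock(&pcpu_alloc_mutex) at the end of the block also now runs while the spinlock is still held.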
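
Review bot: In the third hunk (@@ -1894), pcpu_schedule_balance_work() now runs inside the pcpu_lock critical section even though only the comparison against PCPU_EMPTY_POP_PAGES_LOW needs a consistent read. Consider reading pcpu_nr_empty_pop_pages into a local while the lock is held and calling pcpu_schedule_balance_work() after the unlock, or, if a stale value is acceptable for this low-watermark check, annotating the lockless read with READ_ONCE() or data_race() instead of widening the lock. The commit message should state which of these applies and why a stale read is or is not harmful here.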