From patchwork Fri Oct 4 14:25:04 2024
X-Patchwork-Submitter: Jeongjun Park
X-Patchwork-Id: 13822469
From: Jeongjun Park
To: akpm@linux-foundation.org
Cc: kasong@tencent.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com, Jeongjun Park
Subject: [PATCH] mm: swap: prevent possible data-race in __try_to_reclaim_swap
Date: Fri, 4 Oct 2024 23:25:04 +0900
Message-Id: <20241004142504.4379-1-aha310510@gmail.com>

A report [1] was uploaded from syzbot. In the previous commit 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache"), the __try_to_reclaim_swap() function reads offset and nr_pages from folio without folio_lock protection. In the currently reported KCSAN log, it is assumed that the actual data-race will not occur because the calltrace that does WRITE already obtains the folio_lock and then writes.
However, the existing __try_to_reclaim_swap() function was already implemented to perform reads under folio_lock protection [1], and there is a risk of a data-race occurring through a function other than the one shown in the KCSAN log. Therefore, I think it is appropriate to change all read operations for folio to be performed under folio_lock.

[1]

==================================================================
BUG: KCSAN: data-race in __delete_from_swap_cache / __try_to_reclaim_swap

write to 0xffffea0004c90328 of 8 bytes by task 5186 on cpu 0:
 __delete_from_swap_cache+0x1f0/0x290 mm/swap_state.c:163
 delete_from_swap_cache+0x72/0xe0 mm/swap_state.c:243
 folio_free_swap+0x1d8/0x1f0 mm/swapfile.c:1850
 free_swap_cache mm/swap_state.c:293 [inline]
 free_pages_and_swap_cache+0x1fc/0x410 mm/swap_state.c:325
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:373
 zap_pte_range mm/memory.c:1700 [inline]
 zap_pmd_range mm/memory.c:1739 [inline]
 zap_pud_range mm/memory.c:1768 [inline]
 zap_p4d_range mm/memory.c:1789 [inline]
 unmap_page_range+0x1f3c/0x22d0 mm/memory.c:1810
 unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
 unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
 exit_mmap+0x18a/0x690 mm/mmap.c:1864
 __mmput+0x28/0x1b0 kernel/fork.c:1347
 mmput+0x4c/0x60 kernel/fork.c:1369
 exit_mm+0xe4/0x190 kernel/exit.c:571
 do_exit+0x55e/0x17f0 kernel/exit.c:926
 do_group_exit+0x102/0x150 kernel/exit.c:1088
 get_signal+0xf2a/0x1070 kernel/signal.c:2917
 arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x59/0x130 kernel/entry/common.c:218
 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffea0004c90328 of 8 bytes by task 5189 on cpu 1:
 __try_to_reclaim_swap+0x9d/0x510 mm/swapfile.c:198
 free_swap_and_cache_nr+0x45d/0x8a0 mm/swapfile.c:1915
 zap_pte_range mm/memory.c:1656 [inline]
 zap_pmd_range mm/memory.c:1739 [inline]
 zap_pud_range mm/memory.c:1768 [inline]
 zap_p4d_range mm/memory.c:1789 [inline]
 unmap_page_range+0xcf8/0x22d0 mm/memory.c:1810
 unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
 unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
 exit_mmap+0x18a/0x690 mm/mmap.c:1864
 __mmput+0x28/0x1b0 kernel/fork.c:1347
 mmput+0x4c/0x60 kernel/fork.c:1369
 exit_mm+0xe4/0x190 kernel/exit.c:571
 do_exit+0x55e/0x17f0 kernel/exit.c:926
 __do_sys_exit kernel/exit.c:1055 [inline]
 __se_sys_exit kernel/exit.c:1053 [inline]
 __x64_sys_exit+0x1f/0x20 kernel/exit.c:1053
 x64_sys_call+0x2d46/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000000000242 -> 0x0000000000000000

Reported-by: syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com
Fixes: 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache")
Signed-off-by: Jeongjun Park
---
 mm/swapfile.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 0cded32414a1..904c21256fc2 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -193,13 +193,6 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si, folio = filemap_get_folio(address_space, swap_cache_index(entry)); if (IS_ERR(folio)) return 0; - - /* offset could point to the middle of a large folio */ - entry = folio->swap; - offset = swp_offset(entry); - nr_pages = folio_nr_pages(folio); - ret = -nr_pages; - /* * When this function is called from scan_swap_map_slots() and it's * called by vmscan.c at reclaiming folios. So we hold a folio lock
@@ -210,6 +203,12 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si, if (!folio_trylock(folio)) goto out; + /* offset could point to the middle of a large folio */ + entry = folio->swap; + offset = swp_offset(entry); + nr_pages = folio_nr_pages(folio); + ret = -nr_pages; + need_reclaim = ((flags & TTRS_ANYWAY) || ((flags & TTRS_UNMAPPED) && !folio_mapped(folio)) || ((flags & TTRS_FULL) && mem_cgroup_swap_full(folio)));
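Review bot: the first hunk (@@ -193,13 +193,6 @@) removes both blank lines around the moved block, not only the block itself, so `return 0;` now runs directly into the `/* When this function is called from scan_swap_map_slots() ... */` comment. Keep one blank line after `return 0;` so the early return and the comment block stay separated as they were before the change.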
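Review bot: in the second hunk (@@ -210,6 +203,12 @@) `ret = -nr_pages;` is now assigned only after `if (!folio_trylock(folio)) goto out;`, so on the trylock-failure path the function leaves through `out` without this block ever having assigned `ret`; unless `ret` is initialised at its declaration (not visible in this hunk), that path returns an uninitialised value, and the comment kept in the first hunk says this contended case is exactly what vmscan hits. Either keep `ret = -nr_pages;` (together with the `folio_nr_pages(folio)` read it depends on) ahead of the trylock, or initialise `ret` at declaration and state in the commit message what the caller is meant to receive when the lock cannot be taken.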