From patchwork Mon Oct 7 07:06:23 2024
X-Patchwork-Submitter: Jeongjun Park
X-Patchwork-Id: 13824216
From: Jeongjun Park
To: akpm@linux-foundation.org
Cc: kasong@tencent.com, ryncsn@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com, Jeongjun Park
Subject: [PATCH v2] mm: swap: prevent possible data-race in __try_to_reclaim_swap
Date: Mon, 7 Oct 2024 16:06:23 +0900
Message-Id: <20241007070623.23340-1-aha310510@gmail.com>

A report [1] was uploaded from syzbot.

In the previous commit 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache"), the __try_to_reclaim_swap() function reads offset and folio->entry from folio without folio_lock protection.

In the currently reported KCSAN log, it is assumed that the actual data-race will not occur because the calltrace that does WRITE already obtains the folio_lock and then writes.
However, the existing __try_to_reclaim_swap() function was already implemented to perform reads under folio_lock protection [1], and there is a risk of a data-race occurring through a function other than the one shown in the KCSAN log. Therefore, I think it is appropriate to change read operations for folio to be performed under folio_lock.

[1]
==================================================================
BUG: KCSAN: data-race in __delete_from_swap_cache / __try_to_reclaim_swap

write to 0xffffea0004c90328 of 8 bytes by task 5186 on cpu 0:
 __delete_from_swap_cache+0x1f0/0x290 mm/swap_state.c:163
 delete_from_swap_cache+0x72/0xe0 mm/swap_state.c:243
 folio_free_swap+0x1d8/0x1f0 mm/swapfile.c:1850
 free_swap_cache mm/swap_state.c:293 [inline]
 free_pages_and_swap_cache+0x1fc/0x410 mm/swap_state.c:325
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x2cf/0x440 mm/mmu_gather.c:373
 zap_pte_range mm/memory.c:1700 [inline]
 zap_pmd_range mm/memory.c:1739 [inline]
 zap_pud_range mm/memory.c:1768 [inline]
 zap_p4d_range mm/memory.c:1789 [inline]
 unmap_page_range+0x1f3c/0x22d0 mm/memory.c:1810
 unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
 unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
 exit_mmap+0x18a/0x690 mm/mmap.c:1864
 __mmput+0x28/0x1b0 kernel/fork.c:1347
 mmput+0x4c/0x60 kernel/fork.c:1369
 exit_mm+0xe4/0x190 kernel/exit.c:571
 do_exit+0x55e/0x17f0 kernel/exit.c:926
 do_group_exit+0x102/0x150 kernel/exit.c:1088
 get_signal+0xf2a/0x1070 kernel/signal.c:2917
 arch_do_signal_or_restart+0x95/0x4b0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x59/0x130 kernel/entry/common.c:218
 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffea0004c90328 of 8 bytes by task 5189 on cpu 1:
 __try_to_reclaim_swap+0x9d/0x510 mm/swapfile.c:198
 free_swap_and_cache_nr+0x45d/0x8a0 mm/swapfile.c:1915
 zap_pte_range mm/memory.c:1656 [inline]
 zap_pmd_range mm/memory.c:1739 [inline]
 zap_pud_range mm/memory.c:1768 [inline]
 zap_p4d_range mm/memory.c:1789 [inline]
 unmap_page_range+0xcf8/0x22d0 mm/memory.c:1810
 unmap_single_vma+0x142/0x1d0 mm/memory.c:1856
 unmap_vmas+0x18d/0x2b0 mm/memory.c:1900
 exit_mmap+0x18a/0x690 mm/mmap.c:1864
 __mmput+0x28/0x1b0 kernel/fork.c:1347
 mmput+0x4c/0x60 kernel/fork.c:1369
 exit_mm+0xe4/0x190 kernel/exit.c:571
 do_exit+0x55e/0x17f0 kernel/exit.c:926
 __do_sys_exit kernel/exit.c:1055 [inline]
 __se_sys_exit kernel/exit.c:1053 [inline]
 __x64_sys_exit+0x1f/0x20 kernel/exit.c:1053
 x64_sys_call+0x2d46/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x0000000000000242 -> 0x0000000000000000

Reported-by: syzbot+fa43f1b63e3aa6f66329@syzkaller.appspotmail.com
Fixes: 862590ac3708 ("mm: swap: allow cache reclaim to skip slot cache")
Signed-off-by: Jeongjun Park
Acked-by: Chris Li
Reviewed-by: Kairui Song
---
 mm/swapfile.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--
diff --git a/mm/swapfile.c b/mm/swapfile.c index 0cded32414a1..eb782fcd5627 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -194,9 +194,6 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si, if (IS_ERR(folio)) return 0; - /* offset could point to the middle of a large folio */ - entry = folio->swap; - offset = swp_offset(entry); nr_pages = folio_nr_pages(folio); ret = -nr_pages;
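Review bot: the removed read is the one KCSAN flagged (the report points at mm/swapfile.c:198, which falls inside this hunk's old range starting at 194), but the lines between this hunk's trailing `ret = -nr_pages;` and the `folio_trylock()` context of the next hunk are not shown; please confirm nothing there consumes `entry` or `offset`, because after this change both keep their pre-existing values until the lock is taken. `nr_pages = folio_nr_pages(folio);` and `ret = -nr_pages;` deliberately stay outside the lock, which is fine since the reference already held on `folio` (it passed the `IS_ERR(folio)` check above) keeps the folio size stable; a sentence in the commit message saying so would save the next reader the same question.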
@@ -210,6 +207,10 @@ static int __try_to_reclaim_swap(struct swap_info_struct *si, if (!folio_trylock(folio)) goto out; + /* offset could point to the middle of a large folio */ + entry = folio->swap; + offset = swp_offset(entry); + need_reclaim = ((flags & TTRS_ANYWAY) || ((flags & TTRS_UNMAPPED) && !folio_mapped(folio)) || ((flags & TTRS_FULL) && mem_cgroup_swap_full(folio)));
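Review bot: reading `entry = folio->swap;` only after `folio_trylock()` succeeds serialises it against __delete_from_swap_cache(), which the KCSAN report shows clearing exactly this field (value changed 0x242 -> 0x0), but if that deletion completed before the trylock, the locked read still yields a zero entry and `offset = swp_offset(entry);` becomes 0. The hunk recomputes `offset` without showing any check that the folio is still in the swap cache before `offset` is used later in the function; please confirm the existing path between `need_reclaim` and the first use of `offset` bails out for a folio that has left the swap cache (for example via folio_test_swapcache()), or add that check directly after the new assignment.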