From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, cai@lca.pw, elver@google.com,
linux-mm@kvack.org, mm-commits@vger.kernel.org, oleg@redhat.com,
tj@kernel.org, torvalds@linux-foundation.org
Subject: [patch 29/39] mm/mempool: fix a data race in mempool_free()
Date: Fri, 14 Aug 2020 17:31:44 -0700 [thread overview]
Message-ID: <20200815003144.W9sDmznsN%akpm@linux-foundation.org> (raw)
In-Reply-To: <20200814172939.55d6d80b6e21e4241f1ee1f3@linux-foundation.org>
From: Qian Cai <cai@lca.pw>
Subject: mm/mempool: fix a data race in mempool_free()
mempool_t pool.curr_nr could be accessed concurrently as noticed by
KCSAN,
BUG: KCSAN: data-race in mempool_free / remove_element
write to 0xffffffffa937638c of 4 bytes by task 6359 on cpu 113:
remove_element+0x4a/0x1c0
remove_element at mm/mempool.c:132
mempool_alloc+0x102/0x210
(inlined by) mempool_alloc at mm/mempool.c:399
bio_alloc_bioset+0x106/0x2c0
get_swap_bio+0x49/0x230
__swap_writepage+0x680/0xc30
swap_writepage+0x9c/0xf0
pageout+0x33e/0xae0
shrink_page_list+0x1f57/0x2870
shrink_inactive_list+0x316/0x880
shrink_lruvec+0x8dc/0x1380
shrink_node+0x317/0xd80
do_try_to_free_pages+0x1f7/0xa10
try_to_free_pages+0x26c/0x5e0
__alloc_pages_slowpath+0x458/0x1290
<snip>
read to 0xffffffffa937638c of 4 bytes by interrupt on cpu 64:
mempool_free+0x3e/0x150
mempool_free at mm/mempool.c:492
bio_free+0x192/0x280
bio_put+0x91/0xd0
end_swap_bio_write+0x1d8/0x280
bio_endio+0x2c2/0x5b0
dec_pending+0x22b/0x440 [dm_mod]
clone_endio+0xe4/0x2c0 [dm_mod]
bio_endio+0x2c2/0x5b0
blk_update_request+0x217/0x940
scsi_end_request+0x6b/0x4d0
scsi_io_completion+0xb7/0x7e0
scsi_finish_command+0x223/0x310
scsi_softirq_done+0x1d5/0x210
blk_mq_complete_request+0x224/0x250
scsi_mq_done+0xc2/0x250
pqi_raid_io_complete+0x5a/0x70 [smartpqi]
pqi_irq_handler+0x150/0x1410 [smartpqi]
__handle_irq_event_percpu+0x90/0x540
handle_irq_event_percpu+0x49/0xd0
handle_irq_event+0x85/0xca
handle_edge_irq+0x13f/0x3e0
do_IRQ+0x86/0x190
<snip>
Since the write is under pool->lock but the read is done as lockless.
Even though the commit 5b990546e334 ("mempool: fix and document
synchronization and memory barrier usage") introduced the smp_wmb() and
smp_rmb() pair to improve the situation, it is adequate to protect it
from data races which could lead to a logic bug, so fix it by adding
READ_ONCE() for the read.
Link: http://lkml.kernel.org/r/1581446384-2131-1-git-send-email-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Cc: Marco Elver <elver@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/mempool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mempool.c~mm-mempool-fix-a-data-race-in-mempool_free
+++ a/mm/mempool.c
@@ -489,7 +489,7 @@ void mempool_free(void *element, mempool
* ensures that there will be frees which return elements to the
* pool waking up the waiters.
*/
- if (unlikely(pool->curr_nr < pool->min_nr)) {
+ if (unlikely(READ_ONCE(pool->curr_nr) < pool->min_nr)) {
spin_lock_irqsave(&pool->lock, flags);
if (likely(pool->curr_nr < pool->min_nr)) {
add_element(pool, element);
_
next prev parent reply other threads:[~2020-08-15 0:31 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-15 0:29 incoming Andrew Morton
2020-08-15 0:30 ` [patch 01/39] asm-generic: pgalloc.h: use correct #ifdef to enable pud_alloc_one() Andrew Morton
2020-08-15 0:30 ` [patch 02/39] Revert "mm/vmstat.c: do not show lowmem reserve protection information of empty zone" Andrew Morton
2020-08-15 0:30 ` [patch 03/39] lz4: fix kernel decompression speed Andrew Morton
2020-08-15 0:30 ` [patch 04/39] exec: restore EACCES of S_ISDIR execve() Andrew Morton
2020-08-15 0:30 ` [patch 05/39] selftests/exec: add file type errno tests Andrew Morton
2020-08-15 0:30 ` [patch 06/39] mailmap: add entry for Greg Kurz Andrew Morton
2020-08-15 0:30 ` [patch 07/39] mm: store compound_nr as well as compound_order Andrew Morton
2020-08-15 0:30 ` [patch 08/39] mm: move page-flags include to top of file Andrew Morton
2020-08-15 0:30 ` [patch 09/39] mm: add thp_order Andrew Morton
2020-08-15 0:30 ` [patch 10/39] mm: add thp_size Andrew Morton
2020-08-15 0:30 ` [patch 11/39] mm: replace hpage_nr_pages with thp_nr_pages Andrew Morton
2020-08-15 0:30 ` [patch 12/39] mm: add thp_head Andrew Morton
2020-08-15 0:30 ` [patch 13/39] mm: introduce offset_in_thp Andrew Morton
2020-08-15 0:30 ` [patch 14/39] fs: autofs: delete repeated words in comments Andrew Morton
2020-08-15 0:30 ` [patch 15/39] mm/madvise: pass task and mm to do_madvise Andrew Morton
2020-08-15 0:30 ` [patch 16/39] pid: move pidfd_get_pid() to pid.c Andrew Morton
2020-08-15 0:30 ` [patch 17/39] mm/madvise: introduce process_madvise() syscall: an external memory hinting API Andrew Morton
2020-08-16 8:12 ` Christian Brauner
2020-08-17 15:10 ` Minchan Kim
2020-08-15 0:31 ` [patch 18/39] mm/madvise: check fatal signal pending of target process Andrew Morton
2020-08-15 2:53 ` Linus Torvalds
2020-08-15 4:59 ` Minchan Kim
2020-08-15 14:57 ` Linus Torvalds
2020-08-15 18:34 ` Minchan Kim
2020-08-16 1:43 ` Linus Torvalds
2020-08-16 5:58 ` Minchan Kim
2020-08-15 0:31 ` [patch 19/39] all arch: remove system call sys_sysctl Andrew Morton
2020-08-15 0:31 ` [patch 20/39] mm/kmemleak: silence KCSAN splats in checksum Andrew Morton
2020-08-15 0:31 ` [patch 21/39] mm/frontswap: mark various intentional data races Andrew Morton
2020-08-15 0:31 ` [patch 22/39] mm/page_io: " Andrew Morton
2020-08-15 0:31 ` [patch 23/39] mm/swap_state: " Andrew Morton
2020-08-15 0:31 ` [patch 24/39] mm/filemap.c: fix a data race in filemap_fault() Andrew Morton
2020-08-15 0:31 ` [patch 25/39] mm/swapfile: fix and annotate various data races Andrew Morton
2020-08-15 0:31 ` [patch 26/39] mm/page_counter: fix various data races at memsw Andrew Morton
2020-08-15 0:31 ` [patch 27/39] mm/memcontrol: fix a data race in scan count Andrew Morton
2020-08-15 0:31 ` [patch 28/39] mm/list_lru: fix a data race in list_lru_count_one Andrew Morton
2020-08-15 0:31 ` Andrew Morton [this message]
2020-08-15 0:31 ` [patch 30/39] mm/rmap: annotate a data race at tlb_flush_batched Andrew Morton
2020-08-15 0:31 ` [patch 31/39] mm/swap.c: annotate data races for lru_rotate_pvecs Andrew Morton
2020-08-15 0:31 ` [patch 32/39] mm: annotate a data race in page_zonenum() Andrew Morton
2020-08-15 0:31 ` [patch 33/39] include/asm-generic/vmlinux.lds.h: align ro_after_init Andrew Morton
2020-08-15 0:32 ` [patch 34/39] sh: clkfwk: remove r8/r16/r32 Andrew Morton
2020-08-15 0:32 ` [patch 35/39] sh: use generic strncpy() Andrew Morton
2020-08-15 0:32 ` [patch 36/39] iomap: constify ioreadX() iomem argument (as in generic implementation) Andrew Morton
2020-08-15 0:32 ` [patch 37/39] rtl818x: " Andrew Morton
2020-08-15 0:32 ` [patch 38/39] ntb: intel: " Andrew Morton
2020-08-15 0:32 ` [patch 39/39] virtio: pci: " Andrew Morton
2020-08-19 23:09 ` mmotm 2020-08-19-16-09 uploaded Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200815003144.W9sDmznsN%akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=cai@lca.pw \
--cc=elver@google.com \
--cc=linux-mm@kvack.org \
--cc=mm-commits@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).