From: Wei Yang <richard.weiyang@gmail.com>
To: Qian Cai <cai@lca.pw>
Cc: akpm@linux-foundation.org, elver@google.com, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/swapfile: fix data races in try_to_unuse()
Date: Mon, 2 Mar 2020 13:42:40 +0000
Message-ID: <20200302134240.6i32e4qmgvqiztz2@master>
In-Reply-To: <1582578903-29294-1-git-send-email-cai@lca.pw>

On Mon, Feb 24, 2020 at 04:15:03PM -0500, Qian Cai wrote:
>si->inuse_pages could be accessed concurrently as noticed by KCSAN,
>
> write to 0xffff98b00ebd04dc of 4 bytes by task 82262 on cpu 92:
>  swap_range_free+0xbe/0x230
>  swap_range_free at mm/swapfile.c:719
>  swapcache_free_entries+0x1be/0x250
>  free_swap_slot+0x1c8/0x220
>  __swap_entry_free.constprop.19+0xa3/0xb0
>  free_swap_and_cache+0x53/0xa0
>  unmap_page_range+0x7e0/0x1ce0
>  unmap_single_vma+0xcd/0x170
>  unmap_vmas+0x18b/0x220
>  exit_mmap+0xee/0x220
>  mmput+0xe7/0x240
>  do_exit+0x598/0xfd0
>  do_group_exit+0x8b/0x180
>  get_signal+0x293/0x13d0
>  do_signal+0x37/0x5d0
>  prepare_exit_to_usermode+0x1b7/0x2c0
>  ret_from_intr+0x32/0x42
>
> read to 0xffff98b00ebd04dc of 4 bytes by task 82499 on cpu 46:
>  try_to_unuse+0x86b/0xc80
>  try_to_unuse at mm/swapfile.c:2185
>  __x64_sys_swapoff+0x372/0xd40
>  do_syscall_64+0x91/0xb05
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>The plain reads in try_to_unuse() are outside the si->lock critical section,
>which results in data races that could be dangerous when used in a loop.
>Fix them by adding READ_ONCE().
>
>Signed-off-by: Qian Cai <cai@lca.pw>
>---
> mm/swapfile.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
>diff --git a/mm/swapfile.c b/mm/swapfile.c
>index a65622eec66f..36fd1536a83d 100644
>--- a/mm/swapfile.c
>+++ b/mm/swapfile.c
>@@ -2137,7 +2137,7 @@ int try_to_unuse(unsigned int type, bool frontswap,
> 	swp_entry_t entry;
> 	unsigned int i;
> 
>-	if (!si->inuse_pages)
>+	if (!READ_ONCE(si->inuse_pages))
> 		return 0;
> 
> 	if (!frontswap)
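
Review bot: The early-return test `if (!READ_ONCE(si->inuse_pages))` needs a comment saying that it is a lockless hint read outside si->lock and why a stale value is acceptable for returning 0 here; the commit message only says the reads are outside the critical section. The KCSAN report quoted above shows the other side of the race as a write in swap_range_free(), and the lines quoted here annotate only the reader, so it is also worth stating whether that write is meant to stay a plain store or be paired with WRITE_ONCE().
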
>@@ -2153,7 +2153,7 @@ int try_to_unuse(unsigned int type, bool frontswap,
> 
> 	spin_lock(&mmlist_lock);
> 	p = &init_mm.mmlist;
>-	while (si->inuse_pages &&
>+	while (READ_ONCE(si->inuse_pages) &&
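
Review bot: In the loop condition `while (READ_ONCE(si->inuse_pages) &&`, READ_ONCE() only forces a fresh, untorn load on each evaluation; it does not keep the count stable after the test, because the lock taken just above is mmlist_lock, not si->lock. The changelog or a comment at the loop should say that the loop body tolerates inuse_pages changing after it has been tested, since that is the property the loop relies on once the read is marked.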

The change is not wrong. But since it is not protected by the lock, some
status in swap_info_struct could still be modified after we test that
inuse_pages is not zero. Would this be a problem?


-- 
Wei Yang
Help you, Help me
