From: "Gong, Sishuai" <sishuai@purdue.edu>
To: Matthew Wilcox <willy@infradead.org>
Cc: "cl@linux.com" <cl@linux.com>,
"penberg@kernel.org" <penberg@kernel.org>,
"rientjes@google.com" <rientjes@google.com>,
"iamjoonsoo.kim@lge.com" <iamjoonsoo.kim@lge.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: Race: data race between shmem_getpage() and mapping_set_gfp_mask()
Date: Tue, 1 Dec 2020 20:33:14 +0000 [thread overview]
Message-ID: <8E9ED7E9-A601-4CBB-B1A3-0F06B4A39DC7@purdue.edu> (raw)
In-Reply-To: <20201130181630.GF4327@casper.infradead.org>
Thanks for your feedback. We are sorry that we didn’t send detailed reports as expected and the trouble we caused. We will try to provide more analysis for the ones we reported and to be reported in the next.
Our analysis shows this data race didn’t have explicit harmful impact in this case and we want to report our experience with the experiment.
------------------------------------------
Interleaving
We observed two interleavings of the two racy instructions. As shown below, the reader can see an inconsistent value but it is not used in both interleavings.
We are wondering if the xa_is_value() condition could be true. Possibly the inconsistent value will be passed to shmem_swapin_page() and cause some error.
Interleaving 1
Writer Reader
m->gfp_mask = mask;
// write value = 0x100c0a
return shmem_getpage_gfp(inode, index, pagep, sgp, mapping_gfp_mask(inode->i_mapping), NULL, NULL, NULL);
// read value = 0x100c0a
…
// in function shmem_getpage_gfp()
if (xa_is_value(page)) {
// condition is false, skip
error = shmem_swapin_page(inode, index, &page, sgp, gfp, vma, fault_type);
Interleaving 2
Writer Reader
return shmem_getpage_gfp(inode, index, pagep, sgp, mapping_gfp_mask(inode->i_mapping), NULL, NULL, NULL);
// read value = 0x100caa
m->gfp_mask = mask;
// write value = 0x100c0a
…
// in function shmem_getpage_gfp()
if (xa_is_value(page)) {
// condition is false, skip
error = shmem_swapin_page(inode, index, &page, sgp, gfp, vma, fault_type);
Thanks,
Sishuai
> On Nov 30, 2020, at 1:16 PM, Matthew Wilcox <willy@infradead.org> wrote:
>
> On Mon, Nov 30, 2020 at 06:14:29PM +0000, Gong, Sishuai wrote:
>> Hi,
>>
>> We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race so we would like to confirm with the community if this can be a harmful bug.
>
> Are you going to be sending a lot of these? There's no shortage of
> actual bugs hit with syzcaller. What we're short on is people to review,
> analyse and fix bugs.
prev parent reply other threads:[~2020-12-01 20:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-30 18:14 Race: data race between shmem_getpage() and mapping_set_gfp_mask() Gong, Sishuai
2020-11-30 18:16 ` Matthew Wilcox
2020-12-01 20:33 ` Gong, Sishuai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8E9ED7E9-A601-4CBB-B1A3-0F06B4A39DC7@purdue.edu \
--to=sishuai@purdue.edu \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-mm@kvack.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).