From: paulmck@kernel.org
To: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
	kernel-team@fb.com, mingo@kernel.org
Cc: elver@google.com, andreyknvl@google.com, glider@google.com,
	dvyukov@google.com, cai@lca.pw, boqun.feng@gmail.com,
	"Paul E . McKenney" <paulmck@kernel.org>
Subject: [PATCH tip/core/rcu 01/10] fork: Annotate a data race in vm_area_dup()
Date: Mon, 22 Jun 2020 17:43:24 -0700	[thread overview]
Message-ID: <20200623004333.27227-1-paulmck@kernel.org> (raw)
In-Reply-To: <20200623003731.GA26717@paulmck-ThinkPad-P72>

From: Qian Cai <cai@lca.pw>

struct vm_area_struct could be accessed concurrently as noticed by
KCSAN,

 write to 0xffff9cf8bba08ad8 of 8 bytes by task 14263 on cpu 35:
  vma_interval_tree_insert+0x101/0x150:
  rb_insert_augmented_cached at include/linux/rbtree_augmented.h:58
  (inlined by) vma_interval_tree_insert at mm/interval_tree.c:23
  __vma_link_file+0x6e/0xe0
  __vma_link_file at mm/mmap.c:629
  vma_link+0xa2/0x120
  mmap_region+0x753/0xb90
  do_mmap+0x45c/0x710
  vm_mmap_pgoff+0xc0/0x130
  ksys_mmap_pgoff+0x1d1/0x300
  __x64_sys_mmap+0x33/0x40
  do_syscall_64+0x91/0xc44
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffff9cf8bba08a80 of 200 bytes by task 14262 on cpu 122:
  vm_area_dup+0x6a/0xe0
  vm_area_dup at kernel/fork.c:362
  __split_vma+0x72/0x2a0
  __split_vma at mm/mmap.c:2661
  split_vma+0x5a/0x80
  mprotect_fixup+0x368/0x3f0
  do_mprotect_pkey+0x263/0x420
  __x64_sys_mprotect+0x51/0x70
  do_syscall_64+0x91/0xc44
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

vm_area_dup() blindly copies all fields of original VMA to the new one.
This includes copying vm_area_struct::shared.rb which is normally
protected by i_mmap_lock. But this is fine because the read value will
be overwritten on the following __vma_link_file() under proper
protection. Thus, mark it as an intentional data race and insert a few
assertions for the fields that should not be modified concurrently.

Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
---
 kernel/fork.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 142b236..bba10fb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -359,7 +359,13 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
 	struct vm_area_struct *new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
 
 	if (new) {
-		*new = *orig;
+		ASSERT_EXCLUSIVE_WRITER(orig->vm_flags);
+		ASSERT_EXCLUSIVE_WRITER(orig->vm_file);
+		/*
+		 * orig->shared.rb may be modified concurrently, but the clone
+		 * will be reinitialized.
+		 */
+		*new = data_race(*orig);
 		INIT_LIST_HEAD(&new->anon_vma_chain);
 		new->vm_next = new->vm_prev = NULL;
 	}
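Review bot: wrapping the whole-struct copy in `data_race(*orig)` silences KCSAN for every byte of the copy, not only for `shared.rb`, so the two `ASSERT_EXCLUSIVE_WRITER()` lines are now the only thing that keeps a concurrent writer to any other copied field visible. The comment only says that `orig->shared.rb` may be modified concurrently; extend it to say that `vm_flags` and `vm_file` are the fields chosen for assertion and that the remaining fields covered by the copy are intentionally unasserted (or add assertions for those that must also be stable here), so a later reader can tell which races this annotation is meant to hide and which it is not.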
-- 
2.9.5

