From: Qian Cai <cai@lca.pw>
To: akpm@linux-foundation.org
Cc: dennis@kernel.org, tj@kernel.org, cl@linux.com, elver@google.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Qian Cai <cai@lca.pw>
Subject: [PATCH] mm/util: fix a data race in __vm_enough_memory()
Date: Wed, 29 Jan 2020 21:51:33 -0500
Message-ID: <20200130025133.5232-1-cai@lca.pw>

"vm_committed_as.count" could be accessed concurrently as reported by
KCSAN,

 read to 0xffffffff923164f8 of 8 bytes by task 1268 on cpu 38:
  __vm_enough_memory+0x43/0x280 mm/util.c:801
  mmap_region+0x1b2/0xb90 mm/mmap.c:1726
  do_mmap+0x45c/0x700
  vm_mmap_pgoff+0xc0/0x130
  vm_mmap+0x71/0x90
  elf_map+0xa1/0x1b0
  load_elf_binary+0x9de/0x2180
  search_binary_handler+0xd8/0x2b0
  __do_execve_file+0xb61/0x1080
  __x64_sys_execve+0x5f/0x70
  do_syscall_64+0x91/0xb47
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 write to 0xffffffff923164f8 of 8 bytes by task 1265 on cpu 41:
  percpu_counter_add_batch+0x83/0xd0 lib/percpu_counter.c:91
  exit_mmap+0x178/0x220 include/linux/mman.h:68
  mmput+0x10e/0x270
  flush_old_exec+0x572/0xfe0
  load_elf_binary+0x467/0x2180
  search_binary_handler+0xd8/0x2b0
  __do_execve_file+0xb61/0x1080
  __x64_sys_execve+0x5f/0x70
  do_syscall_64+0x91/0xb47
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Since only the read is operating as lockless, fix it by using
READ_ONLY() for it to avoid any possible false warning due to load
tearing.

Signed-off-by: Qian Cai <cai@lca.pw>
---
mm/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/util.c b/mm/util.c
index 988d11e6c17c..58cd8f28651c 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -798,7 +798,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
{
long allowed;
- VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) <
+ VM_WARN_ONCE(READ_ONCE(vm_committed_as.count) <
-(s64)vm_committed_as_batch * num_online_cpus(),
"memory commitment underflow");
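
Review bot: The READ_ONCE(vm_committed_as.count) in the VM_WARN_ONCE() condition reaches into the counter's count field directly instead of going through percpu_counter_read(), so the marked load exists only at this one call site and other callers of percpu_counter_read() would still do a plain read against the percpu_counter_add_batch() writer shown in the KCSAN report. Consider placing the READ_ONCE() inside percpu_counter_read() so every lockless reader is covered, or add a comment above this line explaining why the accessor is bypassed here. Separately, the commit message names READ_ONLY() while the change uses READ_ONCE(); the changelog should match the code before this is applied.
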
--
2.21.0 (Apple Git-122.2)