From: Peng Zhang <zhangpeng.00@bytedance.com>
To: Liam.Howlett@oracle.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
maple-tree@lists.infradead.org,
Peng Zhang <zhangpeng.00@bytedance.com>
Subject: [PATCH 3/4] maple_tree: Fix a potential concurrency bug in RCU mode
Date: Fri, 10 Mar 2023 22:08:46 +0800 [thread overview]
Message-ID: <20230310140848.94485-4-zhangpeng.00@bytedance.com> (raw)
In-Reply-To: <20230310140848.94485-1-zhangpeng.00@bytedance.com>
There is a concurrency bug that may cause the wrong value to be loaded
when a CPU is modifying the maple tree.
CPU1:
mtree_insert_range()
mas_insert()
mas_store_root()
...
mas_root_expand()
...
rcu_assign_pointer(mas->tree->ma_root, mte_mk_root(mas->node));
ma_set_meta(node, maple_leaf_64, 0, slot); <---IP
CPU2:
mtree_load()
mtree_lookup_walk()
ma_data_end();
When CPU1 is about to execute the instruction pointed to by IP,
the ma_data_end() executed by CPU2 may return the wrong end position,
which will cause the value loaded by mtree_load() to be wrong.
An example of triggering the bug:
Add mdelay(100) between rcu_assign_pointer() and ma_set_meta() in
mas_root_expand().
static DEFINE_MTREE(tree);
int work(void *p) {
unsigned long val;
for (int i = 0 ; i< 30; ++i) {
val = (unsigned long)mtree_load(&tree, 8);
mdelay(5);
pr_info("%lu",val);
}
return 0;
}
mt_init_flags(&tree, MT_FLAGS_USE_RCU);
mtree_insert(&tree, 0, (void*)12345, GFP_KERNEL);
run_thread(work)
mtree_insert(&tree, 1, (void*)56789, GFP_KERNEL);
In RCU mode, mtree_load() should always return the value before or after
the data structure is modified, and in this example mtree_load(&tree, 8)
may return 56789 which is not expected, it should always return NULL.
Fix it by put ma_set_meta() before rcu_assign_pointer().
Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
---
lib/maple_tree.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/maple_tree.c b/lib/maple_tree.c
index 4d15202a0692..de43ff19da72 100644
--- a/lib/maple_tree.c
+++ b/lib/maple_tree.c
@@ -3635,10 +3635,9 @@ static inline int mas_root_expand(struct ma_state *mas, void *entry)
slot++;
mas->depth = 1;
mas_set_height(mas);
-
+ ma_set_meta(node, maple_leaf_64, 0, slot);
/* swap the new root into the tree */
rcu_assign_pointer(mas->tree->ma_root, mte_mk_root(mas->node));
- ma_set_meta(node, maple_leaf_64, 0, slot);
return slot;
}
--
2.20.1
next prev parent reply other threads:[~2023-03-10 14:11 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-10 14:08 [PATCH 0/4] Some fixes and cleanup for maple tree Peng Zhang
2023-03-10 14:08 ` [PATCH 1/4] maple_tree: Fix get wrong data_end in mtree_lookup_walk() Peng Zhang
2023-03-10 17:58 ` Liam R. Howlett
2023-03-10 18:53 ` Peng Zhang
2023-03-10 19:28 ` Liam R. Howlett
2023-03-10 14:08 ` [PATCH 2/4] maple_tree: Simplify mas_wr_node_walk() Peng Zhang
2023-03-10 19:20 ` Liam R. Howlett
2023-03-13 14:07 ` Peng Zhang
2023-03-10 14:08 ` Peng Zhang [this message]
2023-03-10 18:27 ` [PATCH 3/4] maple_tree: Fix a potential concurrency bug in RCU mode Liam R. Howlett
2023-03-10 19:03 ` Peng Zhang
2023-03-10 19:29 ` Liam R. Howlett
2023-03-10 14:08 ` [PATCH 4/4] maple_tree: Simplify the code of mas_mab_cp() Peng Zhang
2023-03-10 18:45 ` Liam R. Howlett
2023-03-10 17:54 ` [PATCH 0/4] Some fixes and cleanup for maple tree Liam R. Howlett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230310140848.94485-4-zhangpeng.00@bytedance.com \
--to=zhangpeng.00@bytedance.com \
--cc=Liam.Howlett@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maple-tree@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.