• Qian Cai's avatar
    mm/swapfile: fix and annotate various data races · a449bf58
    Qian Cai authored
    swap_info_struct si.highest_bit, si.swap_map[offset] and si.flags could
    be accessed concurrently separately as noticed by KCSAN,
    
    === si.highest_bit ===
    
     write to 0xffff8d5abccdc4d4 of 4 bytes by task 5353 on cpu 24:
      swap_range_alloc+0x81/0x130
      swap_range_alloc at mm/swapfile.c:681
      scan_swap_map_slots+0x371/0xb90
      get_swap_pages+0x39d/0x5c0
      get_swap_page+0xf2/0x524
      add_to_swap+0xe4/0x1c0
      shrink_page_list+0x1795/0x2870
      shrink_inactive_list+0x316/0x880
      shrink_lruvec+0x8dc/0x1380
      shrink_node+0x317/0xd80
      do_try_to_free_pages+0x1f7/0xa10
      try_to_free_pages+0x26c/0x5e0
      __alloc_pages_slowpath+0x458/0x1290
    
     read to 0xffff8d5abccdc4d4 of 4 bytes by task 6672 on cpu 70:
      scan_swap_map_slots+0x4a6/0xb90
      scan_swap_map_slots at mm/swapfile.c:892
      get_swap_pages+0x39d/0x5c0
      get_swap_page+0xf2/0x524
      add_to_swap+0xe4/0x1c0
      shrink_page_list+0x1795/0x2870
      shrink_inactive_list+0x316/0x880
      shrink_lruvec+0x8dc/0x1380
      shrink_node+0x317/0xd80
      do_try_to_free_pages+0x1f7/0xa10
      try_to_free_pages+0x26c/0x5e0
      __alloc_pages_slowpath+0x458/0x1290
    
     Reported by Kernel Concurrency Sanitizer on:
     CPU: 70 PID: 6672 Comm: oom01 Tainted: G        W    L 5.5.0-next-20200205+ #3
     Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
    
    === si.swap_map[offset] ===
    
     write to 0xffffbc370c29a64c of 1 bytes by task 6856 on cpu 86:
      __swap_entry_free_locked+0x8c/0x100
      __swap_entry_free_locked at mm/swapfile.c:1209 (discriminator 4)
      __swap_entry_free.constprop.20+0x69/0xb0
      free_swap_and_cache+0x53/0xa0
      unmap_page_range+0x7f8/0x1d70
      unmap_single_vma+0xcd/0x170
      unmap_vmas+0x18b/0x220
      exit_mmap+0xee/0x220
      mmput+0x10e/0x270
      do_exit+0x59b/0xf40
      do_group_exit+0x8b/0x180
    
     read to 0xffffbc370c29a64c of 1 bytes by task 6855 on cpu 20:
      _swap_info_get+0x81/0xa0
      _swap_info_get at mm/swapfile.c:1140
      free_swap_and_cache+0x40/0xa0
      unmap_page_range+0x7f8/0x1d70
      unmap_single_vma+0xcd/0x170
      unmap_vmas+0x18b/0x220
      exit_mmap+0xee/0x220
      mmput+0x10e/0x270
      do_exit+0x59b/0xf40
      do_group_exit+0x8b/0x180
    
    === si.flags ===
    
     write to 0xffff956c8fc6c400 of 8 bytes by task 6087 on cpu 23:
      scan_swap_map_slots+0x6fe/0xb50
      scan_swap_map_slots at mm/swapfile.c:887
      get_swap_pages+0x39d/0x5c0
      get_swap_page+0x377/0x524
      add_to_swap+0xe4/0x1c0
      shrink_page_list+0x1795/0x2870
      shrink_inactive_list+0x316/0x880
      shrink_lruvec+0x8dc/0x1380
      shrink_node+0x317/0xd80
      do_try_to_free_pages+0x1f7/0xa10
      try_to_free_pages+0x26c/0x5e0
      __alloc_pages_slowpath+0x458/0x1290
    
     read to 0xffff956c8fc6c400 of 8 bytes by task 6207 on cpu 63:
      _swap_info_get+0x41/0xa0
      __swap_info_get at mm/swapfile.c:1114
      put_swap_page+0x84/0x490
      __remove_mapping+0x384/0x5f0
      shrink_page_list+0xff1/0x2870
      shrink_inactive_list+0x316/0x880
      shrink_lruvec+0x8dc/0x1380
      shrink_node+0x317/0xd80
      do_try_to_free_pages+0x1f7/0xa10
      try_to_free_pages+0x26c/0x5e0
      __alloc_pages_slowpath+0x458/0x1290
    
    The writes are under si->lock but the reads are not. For si.highest_bit
    and si.swap_map[offset], data race could trigger logic bugs, so fix them
    by having WRITE_ONCE() for the writes and READ_ONCE() for the reads
    except those isolated reads where they compare against zero which a data
    race would cause no harm. Thus, annotate them as intentional data races
    using the data_race() macro.
    
    For si.flags, the readers are only interested in a single bit where a
    data race there would cause no issue there.
    
    [cai@lca.pw: add a missing annotation for si->flags in memory.c]
      Link: http://lkml.kernel.org/r/1581612647-5958-1-git-send-email-cai@lca.pwSigned-off-by: default avatarQian Cai <cai@lca.pw>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Cc: Marco Elver <elver@google.com>
    Cc: Hugh Dickins <hughd@google.com>
    Link: http://lkml.kernel.org/r/1581095163-12198-1-git-send-email-cai@lca.pwSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    a449bf58
memory.c 137 KB