2020-02-06 03:58:09

by Qian Cai

[permalink] [raw]
Subject: [PATCH -next] mm/swap_state: mark an intentional data race

swap_cache_info.find_total could be accessed concurrently as noticed by
KCSAN,

BUG: KCSAN: data-race in lookup_swap_cache / lookup_swap_cache

write to 0xffffffff85517318 of 8 bytes by task 94138 on cpu 101:
lookup_swap_cache+0x12e/0x460
lookup_swap_cache at mm/swap_state.c:322
do_swap_page+0x112/0xeb0
__handle_mm_fault+0xc7a/0xd00
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x6f9
page_fault+0x34/0x40

read to 0xffffffff85517318 of 8 bytes by task 91655 on cpu 100:
lookup_swap_cache+0x117/0x460
lookup_swap_cache at mm/swap_state.c:322
shmem_swapin_page+0xc7/0x9e0
shmem_getpage_gfp+0x2ca/0x16c0
shmem_fault+0xef/0x3c0
__do_fault+0x9e/0x220
do_fault+0x4a0/0x920
__handle_mm_fault+0xc69/0xd00
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x6f9
page_fault+0x34/0x40

Reported by Kernel Concurrency Sanitizer on:
CPU: 100 PID: 91655 Comm: systemd-journal Tainted: G W O L 5.5.0-next-20200204+ #6
Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019

Both the read and write are done as lockless. Since INC_CACHE_INFO() is
only used for swap_cache_info.find_total and
swap_cache_info.find_success which both are information counters, even
if any of them missed a few incremental due to data races, it will be
harmless, so just mark it as an intentional data race using the
data_race() macro.

While at it, fix a checkpatch.pl warning,

WARNING: Single statement macros should not use a do {} while (0) loop

Signed-off-by: Qian Cai <[email protected]>
---
mm/swap_state.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/swap_state.c b/mm/swap_state.c
index 8e7ce9a9bc5e..b964c1391362 100644
--- a/mm/swap_state.c
+++ b/mm/swap_state.c
@@ -58,8 +58,8 @@ static bool enable_vma_readahead __read_mostly = true;
#define GET_SWAP_RA_VAL(vma) \
(atomic_long_read(&(vma)->swap_readahead_info) ? : 4)

-#define INC_CACHE_INFO(x) do { swap_cache_info.x++; } while (0)
-#define ADD_CACHE_INFO(x, nr) do { swap_cache_info.x += (nr); } while (0)
+#define INC_CACHE_INFO(x) data_race(swap_cache_info.x++)
+#define ADD_CACHE_INFO(x, nr) (swap_cache_info.x += (nr))

static struct {
unsigned long add_total;
--
2.21.0 (Apple Git-122.2)


2020-02-06 20:32:56

by Qian Cai

[permalink] [raw]
Subject: Re: [PATCH -next] mm/swap_state: mark an intentional data race

Please disregard this patch. I found more data races in this file, so will send a new
patch to have them at once.

> On Feb 5, 2020, at 10:55 PM, Qian Cai <[email protected]> wrote:
>
> swap_cache_info.find_total could be accessed concurrently as noticed by
> KCSAN,
>
> BUG: KCSAN: data-race in lookup_swap_cache / lookup_swap_cache
>
> write to 0xffffffff85517318 of 8 bytes by task 94138 on cpu 101:
> lookup_swap_cache+0x12e/0x460
> lookup_swap_cache at mm/swap_state.c:322
> do_swap_page+0x112/0xeb0
> __handle_mm_fault+0xc7a/0xd00
> handle_mm_fault+0xfc/0x2f0
> do_page_fault+0x263/0x6f9
> page_fault+0x34/0x40
>
> read to 0xffffffff85517318 of 8 bytes by task 91655 on cpu 100:
> lookup_swap_cache+0x117/0x460
> lookup_swap_cache at mm/swap_state.c:322
> shmem_swapin_page+0xc7/0x9e0
> shmem_getpage_gfp+0x2ca/0x16c0
> shmem_fault+0xef/0x3c0
> __do_fault+0x9e/0x220
> do_fault+0x4a0/0x920
> __handle_mm_fault+0xc69/0xd00
> handle_mm_fault+0xfc/0x2f0
> do_page_fault+0x263/0x6f9
> page_fault+0x34/0x40
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 100 PID: 91655 Comm: systemd-journal Tainted: G W O L 5.5.0-next-20200204+ #6
> Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
>
> Both the read and write are done as lockless. Since INC_CACHE_INFO() is
> only used for swap_cache_info.find_total and
> swap_cache_info.find_success which both are information counters, even
> if any of them missed a few incremental due to data races, it will be
> harmless, so just mark it as an intentional data race using the
> data_race() macro.
>
> While at it, fix a checkpatch.pl warning,
>
> WARNING: Single statement macros should not use a do {} while (0) loop
>
> Signed-off-by: Qian Cai <[email protected]>
> ---
> mm/swap_state.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/swap_state.c b/mm/swap_state.c
> index 8e7ce9a9bc5e..b964c1391362 100644
> --- a/mm/swap_state.c
> +++ b/mm/swap_state.c
> @@ -58,8 +58,8 @@ static bool enable_vma_readahead __read_mostly = true;
> #define GET_SWAP_RA_VAL(vma) \
> (atomic_long_read(&(vma)->swap_readahead_info) ? : 4)
>
> -#define INC_CACHE_INFO(x) do { swap_cache_info.x++; } while (0)
> -#define ADD_CACHE_INFO(x, nr) do { swap_cache_info.x += (nr); } while (0)
> +#define INC_CACHE_INFO(x) data_race(swap_cache_info.x++)
> +#define ADD_CACHE_INFO(x, nr) (swap_cache_info.x += (nr))
>
> static struct {
> unsigned long add_total;
> --
> 2.21.0 (Apple Git-122.2)
>