Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1946577AbbHGXrr (ORCPT ); Fri, 7 Aug 2015 19:47:47 -0400 Received: from hm8853-n-140.locaweb.com.br ([189.126.112.140]:25816 "EHLO hm8853-n-140.locaweb.com.br" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1946338AbbHGXro (ORCPT ); Fri, 7 Aug 2015 19:47:44 -0400 X-Greylist: delayed 903 seconds by postgrey-1.27 at vger.kernel.org; Fri, 07 Aug 2015 19:47:44 EDT X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-AuthUser: cesarb@cesarb.eti.br X-LocaWeb-COR: locaweb_2009_x-mail Subject: Re: Potential data race in SyS_swapon To: Andrey Konovalov , Andrew Morton , Michal Hocko , Johannes Weiner , Vladimir Davydov , Hugh Dickins , Miklos Szeredi , Jason Low , linux-mm@kvack.org, linux-kernel@vger.kernel.org References: Cc: Dmitry Vyukov , Kostya Serebryany , Alexander Potapenko From: Cesar Eduardo Barros Message-ID: <55C54010.4000904@cesarb.eti.br> Date: Fri, 7 Aug 2015 20:32:32 -0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-CMAE-Score: 0 X-CMAE-Analysis: v=2.1 cv=Lfey61vi c=1 sm=1 tr=0 a=pYliKAbn3Ok8/NNdPcCSvw==:117 a=tcb3u+hY9f79lJG4QOZo8A==:17 a=73n8slRhAAAA:8 a=VM7MXBOAAAAA:8 a=PHERetUGAAAA:8 a=UYzzzrP69T0A:10 a=IkcTkHD0fZMA:10 a=uRRa74qj2VoA:10 a=NEAV23lmAAAA:8 a=T5vR9Pn36rGNjUvoKIMA:9 a=QEXdDO2ut3YA:10 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2038 Lines: 57 Em 07-08-2015 13:14, Andrey Konovalov escreveu: > Hi! > > We are working on a dynamic data race detector for the Linux kernel > called KernelThreadSanitizer (ktsan) > (https://github.com/google/ktsan/wiki). > > While running ktsan on the upstream revision 21bdb584af8c with trinity > we got a few reports from SyS_swapon, here is one of them: [...] > The race is happening when accessing the swap_file field of a > swap_info_struct struct. > > 2392 for (i = 0; i < nr_swapfiles; i++) { > 2393 struct swap_info_struct *q = swap_info[i]; > 2394 > 2395 if (q == p || !q->swap_file) > 2396 continue; > 2397 if (mapping == q->swap_file->f_mapping) { > 2398 error = -EBUSY; > 2399 goto bad_swap; > 2400 } > 2401 } > > 2539 spin_lock(&swap_lock); > 2540 p->swap_file = NULL; > 2541 p->flags = 0; > 2542 spin_unlock(&swap_lock); There's another (more important) place which sets the swap_file field to NULL, it's within swapoff. It's also protected by swap_lock. > Since the swap_lock lock is not taken in the first snippet, it's > possible for q->swap_file to be assigned to NULL and reloaded between > executing lines 2395 and 2397, which might lead to a null pointer > dereference. I agree with that analysis. It should be possible to hit by racing swapon of a file with swapoff of another. > Looks like the swap_lock should be taken when iterating through the > swap_info array on lines 2392 - 2401. I'd take that lock a couple of lines earlier, so that every place that sets the swap_file field on a swap_info_struct is behind swap_lock, for simplicity. -- Cesar Eduardo Barros cesarb@cesarb.eti.br -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/