Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp4001335ybg;
        Fri, 25 Oct 2019 11:56:13 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzWBNqEe3L2gKKaQyw80/Ra/j6vnYuoPL+1VW0isUEVeE2ZWtdHWVrpPcHvNDMsI3L2iGQW
X-Received: by 2002:a17:906:f90c:: with SMTP id lc12mr5103881ejb.208.1572029773043;
        Fri, 25 Oct 2019 11:56:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572029773; cv=none;
        d=google.com; s=arc-20160816;
        b=GbIMWMKQyHu6tZJwRswe5xEttlCe2CR9m69ovgwdMd7wJoD4NKmwi9PeVzDunhrc4z
         h4YlMyW1LVEUBuPjjKsbW9wbchUU0EZHxhBQqQlvYuY9j5TB/sKj/p71uoE/FBdXJ61N
         9tUoQiznFpwzBBVEBwgNjDrykTH7kHCuh/1iMWvdXw5JGbpCDaDTyAPoaeExICW7s04q
         /6oJ/jlaXbTrceG+j54X7SBCirXfjH65AqiQqbzJTRvtJmqjJqITFvy2PF83ZVIgkHJF
         YCxGI5xqNR9s+8GXfkyjwDEFSvKEpwmO+Uc+boCOBR+0i3B7s0dljM70NcULR11FTuHw
         IdJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=cZrSMPu/e6BXUdEIOUcOkTaeF4a2vUNu+HOk7EqusHk=;
        b=Vn/szhdp2UU/vywU4kyrTG7XKjWSCQj90KpLhke2acHqAWrHm0kdfcXxT/0NIWkhgP
         Boqqb1j25yrcy14K/ZyO+cQ7IffZH4SNaC8ENCwUD3DZxAJUQdgGLPrBeGiDYnwmBod6
         Apz0UcqBNEBDPjf4omlhYH0/9qhmt2cGmPePYM22p+5WymL9ardKGq/dF1cbFEGMbrgK
         5HvpbKOHVkR103LWTea//sDhBe+g0OMTWoChZLVmcVHhDLIsCQB32NfawNr5CmhlhdDy
         Js5UkFXsKUQfLXs+f2j8pMNnIYluvRGM5oWA0vq3Ul3cJ1afHqD3lswrj3W6Lj++36JF
         YaiA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ii2r79Jr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c28si1998888ede.3.2019.10.25.11.55.50;
        Fri, 25 Oct 2019 11:56:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ii2r79Jr;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2394178AbfJXTAD (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Thu, 24 Oct 2019 15:00:03 -0400
Received: from mail-oi1-f195.google.com ([209.85.167.195]:46433 "EHLO
        mail-oi1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2390493AbfJXTAD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 Oct 2019 15:00:03 -0400
Received: by mail-oi1-f195.google.com with SMTP id k25so21543546oiw.13
        for <linux-kernel@vger.kernel.org>; Thu, 24 Oct 2019 12:00:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=cZrSMPu/e6BXUdEIOUcOkTaeF4a2vUNu+HOk7EqusHk=;
        b=ii2r79JrxO4W/+AltDDnipA6v8AYCjoTvxzErHC4fsMuwU9OX/JQYyCiHpt2/aWzSW
         JqTLXdd4d91DoApvs//Rxbn3y/lQW11BG4rQHthZ6CgoJ3HD6Ny5gvIuqafYl3TmKfpX
         x47weENDi9qMN3t+NcCkzsW8SkH31pCCwYZf1gFKNCeF1nYYRXtTp7KUyQaR+Tz8qNi+
         TRyeJjuzd2NCwhqqQJYRb45ngpf7IyVkjfNCPzkz1elc96gSPmVvm1N0yj8QijdaO14W
         amMnewlPycMv50LUh8nLAzeRNbK56XkDiD1fUImaIYbxv84SykH1djPoBcvZYysxFp26
         7Z2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=cZrSMPu/e6BXUdEIOUcOkTaeF4a2vUNu+HOk7EqusHk=;
        b=rMOaF+OgVbVMrkjN6zJNXJPRWsIGP/uHPzwKzL+zeuCquAy+BdP8ROjbf3qOGSUCOz
         jROw1upvb4KZdqgkAaOa0Xd9HwbtIarHVy+Vzt57daSqO9xw7BgoDeUp7KSYjlirab65
         x0FYQwCWeHRI/33oGpew8hgRSVGyyJpTrHgBF/xnkfYWgsRl98VIc//prWG1ro90epBx
         PnBQerlxAupixFkyPACvGoNUgcVDW3ymqmGk2zCvlWcW6pUf28eQPUGNkK0DNG3Y69dk
         ev8XC6xFqxNLSK4jj+02vBRdK7XhjpHYbD/4ZQZCUkWkFEqnX2AaKcSd7BpaEEIuOo0N
         BgLg==
X-Gm-Message-State: APjAAAUaCmIxMh2Ozmlao4cg8+rfvUwBj1aVrlLpajvXB7gnsfez+zh/
        Pxz7pBTY6P5SIJ4LsIN43igsHi08YJTBztBIRZR5AA==
X-Received: by 2002:aca:f17:: with SMTP id 23mr5693390oip.155.1571943601922;
 Thu, 24 Oct 2019 12:00:01 -0700 (PDT)
MIME-Version: 1.0
References: <000000000000b49e190595aa39fe@google.com> <20191024162432.GA4097@hirez.programming.kicks-ass.net>
In-Reply-To: <20191024162432.GA4097@hirez.programming.kicks-ass.net>
From:   Marco Elver <elver@google.com>
Date:   Thu, 24 Oct 2019 20:59:50 +0200
Message-ID: <CANpmjNPfTeMsdwghPiocjQDg6e0c_6Ks+jfKqh1Rqb4vm6edeA@mail.gmail.com>
Subject: Re: KCSAN: data-race in __rb_rotate_set_parents / vm_area_dup
To:     Peter Zijlstra <peterz@infradead.org>
Cc:     syzbot <syzbot+c034966b0b02f94f7f34@syzkaller.appspotmail.com>,
        aarcange@redhat.com, Andrew Morton <akpm@linux-foundation.org>,
        christian@brauner.io, cyphar@cyphar.com, elena.reshetova@intel.com,
        guro@fb.com, Kees Cook <keescook@chromium.org>, ldv@altlinux.org,
        LKML <linux-kernel@vger.kernel.org>, luto@amacapital.net,
        mhocko@suse.com, Ingo Molnar <mingo@kernel.org>,
        syzkaller-bugs@googlegroups.com,
        Thomas Gleixner <tglx@linutronix.de>, viro@zeniv.linux.org.uk,
        wad@chromium.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 24 Oct 2019 at 18:25, Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Thu, Oct 24, 2019 at 09:07:08AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    05f22368 x86, kcsan: Enable KCSAN for x86
> > git tree:       https://github.com/google/ktsan.git kcsan
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1060c47b600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=87d111955f40591f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=c034966b0b02f94f7f34
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+c034966b0b02f94f7f34@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KCSAN: data-race in __rb_rotate_set_parents / vm_area_dup
> >
> > read to 0xffff88811eef53e8 of 200 bytes by task 7738 on cpu 0:
> >  vm_area_dup+0x70/0xf0 kernel/fork.c:359
> >  __split_vma+0x88/0x350 mm/mmap.c:2678
> >  __do_munmap+0xb02/0xb60 mm/mmap.c:2803
> >  do_munmap mm/mmap.c:2856 [inline]
> >  mmap_region+0x165/0xd50 mm/mmap.c:1749
> >  do_mmap+0x6d4/0xba0 mm/mmap.c:1577
> >  do_mmap_pgoff include/linux/mm.h:2353 [inline]
> >  vm_mmap_pgoff+0x12d/0x190 mm/util.c:496
> >  ksys_mmap_pgoff+0x2d8/0x420 mm/mmap.c:1629
> >  __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline]
> >  __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline]
> >  __x64_sys_mmap+0x91/0xc0 arch/x86/kernel/sys_x86_64.c:91
> >  do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > write to 0xffff88811eef5440 of 8 bytes by task 7737 on cpu 1:
> >  __rb_rotate_set_parents+0x4d/0xf0 lib/rbtree.c:79
> >  __rb_insert lib/rbtree.c:215 [inline]
> >  __rb_insert_augmented+0x109/0x370 lib/rbtree.c:459
> >  rb_insert_augmented include/linux/rbtree_augmented.h:50 [inline]
> >  rb_insert_augmented_cached include/linux/rbtree_augmented.h:60 [inline]
> >  vma_interval_tree_insert+0x196/0x230 mm/interval_tree.c:23
> >  __vma_link_file+0xd9/0x110 mm/mmap.c:634
> >  __vma_adjust+0x1ac/0x12a0 mm/mmap.c:842
> >  vma_adjust include/linux/mm.h:2276 [inline]
> >  __split_vma+0x208/0x350 mm/mmap.c:2707
> >  split_vma+0x73/0xa0 mm/mmap.c:2736
> >  mprotect_fixup+0x43f/0x510 mm/mprotect.c:413
> >  do_mprotect_pkey+0x3eb/0x660 mm/mprotect.c:553
> >  __do_sys_mprotect mm/mprotect.c:578 [inline]
> >  __se_sys_mprotect mm/mprotect.c:575 [inline]
> >  __x64_sys_mprotect+0x51/0x70 mm/mprotect.c:575
> >  do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> What is this thing trying to tell me? That the copy on alloc is racy,
> because at that point the object isn't exposed yet.

In vm_area_dup, *orig is being concurrently modified while being
copied into *new.

> How do you tell it to shut up?

We wanted to get feedback on what is happening here, as it didn't seem
straightforward to dismiss on our side.

Is it correct to assume that, the parts of the *orig struct that are
being modified while being copied, will subsequently be re-initialized
for *new?

If no explicit markings are useful (READ_ONCE would suppress it, but
seems strange if the above assumption is true), I will think of a way
to suppress these for now and no further action is needed here.

Many thanks,
-- Marco