Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp5709163ybv;
        Tue, 18 Feb 2020 02:30:28 -0800 (PST)
X-Google-Smtp-Source: APXvYqyvYF4U2Zz2OyS1cA1VmDDrvKzv8a+IQxeKPRkRxNl2l7sxDz6fStH6cXAdHXhKqoe8WYk9
X-Received: by 2002:a9d:7f98:: with SMTP id t24mr16061229otp.338.1582021828079;
        Tue, 18 Feb 2020 02:30:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582021828; cv=none;
        d=google.com; s=arc-20160816;
        b=wjwLqf7F7za58nNuGA7SFJ6Iqzxe9HmYHBMNKlG5A2SDT3VfZ6yiR7oxTSNzlzGLjO
         XkZe2YCKEM+MVfWW+noXX1OVWGWOpPr/zkKRDVUl2Eb/+6D5wE+E3inZKnFPG+AyRw72
         LumdMTcMwWa1T8cjsXUVEHlYLjnb26e0RBXNltxG6GNgY06HLhHnSdGj3invsxr2OTzn
         kVaicoUPvd2B/LCo+COx2SBiSRdJ+dgWfmQsp/uP1Dk0xNVA3vqRZ09zMh0k0rzfI0Pw
         7Fivilyj2M3GI6AD2aHoyIKmEFnrp5oJMYaKIF2Cwoqtp58lHEYJmQggScOSHOhNq/eG
         Vlbg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=s+I8pj7DDW7+MEIcYQaGsLXCKLqSSyhyC6U6vjGcY3Y=;
        b=zsxltXGNOysqq48k3tn1sZCFcZ7bTqzB++iqC/hXHeSNaLJgpgLQ9w69Kg8a6WHSHt
         /2e4rnkfgeBFuaGwxPGEQo3dqt422EDSXSys/G7E3eun1FlXRArg8RxCTQ+VtG0wJN0y
         eiXkBFGtp0NqjeQHs6BA1ZODqSdr6pPzwJJyAfsnCT4X9T8gK9xMs3Unmw0Wqy0b0ygQ
         CzZxThGQRq36PR50V9BqSUXedNBzkRQ9x+d8/oCAtIa879bdyb7JGMfFJJZR/H9mHnsn
         e9my8ZPZW3O04iJ85ma/jI+4yvUA+meYuQFRJaTGMLaknypIcFfKYGmGT13P3MmM/tuu
         0ypA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@shutemov-name.20150623.gappssmtp.com header.s=20150623 header.b=FzFE0W+U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l28si1700631otd.276.2020.02.18.02.30.15;
        Tue, 18 Feb 2020 02:30:28 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@shutemov-name.20150623.gappssmtp.com header.s=20150623 header.b=FzFE0W+U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726521AbgBRK3j (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Tue, 18 Feb 2020 05:29:39 -0500
Received: from mail-lj1-f169.google.com ([209.85.208.169]:32835 "EHLO
        mail-lj1-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726193AbgBRK3j (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Feb 2020 05:29:39 -0500
Received: by mail-lj1-f169.google.com with SMTP id y6so22325172lji.0
        for <linux-kernel@vger.kernel.org>; Tue, 18 Feb 2020 02:29:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=shutemov-name.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to;
        bh=s+I8pj7DDW7+MEIcYQaGsLXCKLqSSyhyC6U6vjGcY3Y=;
        b=FzFE0W+UiHz1mbo6S9YKAeko2ypDGCUCA9ezE4SgAQI+9W3ZOhB7sCDgtSRGsbtiwi
         WHZsz3Ox+UF79hDY/VMkWmHo8Ylh6afm7d6jEMM4QkPq8OxyIbGj8kaVffWRHnB9Z+gd
         bDwvsnrR7OxysvPw6GY+SYBGvFfHxfqSAfiYwoKx/bHuUYCBpPHjG/TBRUB4sKfDohAb
         ajJ6baDqYQgGGcVaKMuzuzxKAHyhP11EuHwX2aObJUIy7DDpX+zlSF72Sby7L3f7qQyo
         ypJmiBrIUWebmMoik0zRHK+cC4QiX6NBnxcTPdyBUAIpfG219xIdk/K0+0N/PnViW+8i
         hTAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to;
        bh=s+I8pj7DDW7+MEIcYQaGsLXCKLqSSyhyC6U6vjGcY3Y=;
        b=dW6/8lLh0thY9l8Y7VGHWjdPbBTX2aEeT31B7sVhkPb6P0jpFfxJCLxt2Bs5tVFUAv
         ABBiprnNlinW1nVLieFRLvTYk61qvfojaCrIYt6lrbCOacwwutvuxtClM/bAO3mIfEuy
         bmlhQlQjoFQ6bMnCaG+tdqyi2aAHbSGTclbIv6miz0JImbvuTnVgwwV3afS1iu1UEfc/
         kY456SqXSClie3jkmaDKUx9Kaw62s5OXnM/tNfxL+zRk/A7AjNBx39su3bddyqIsVjJn
         MvlSovwKUoyM6ewl4fc3RCCbrboUW3Eq/IPvxqC7x03DwR1stVyWTXIbW2jDf/WtK7Gd
         BaCg==
X-Gm-Message-State: APjAAAWyqYFXUYFL0AkSbDKIWQll7ywfLUkim7EKzLN/wKV+oeXQROlk
        vlEMtlJGyXqLY2VFCDo1Rh+WQw==
X-Received: by 2002:a2e:a551:: with SMTP id e17mr12742787ljn.86.1582021777270;
        Tue, 18 Feb 2020 02:29:37 -0800 (PST)
Received: from box.localdomain ([86.57.175.117])
        by smtp.gmail.com with ESMTPSA id a10sm1922743lfr.94.2020.02.18.02.29.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 18 Feb 2020 02:29:36 -0800 (PST)
Received: by box.localdomain (Postfix, from userid 1000)
        id 1C99A100F9D; Tue, 18 Feb 2020 13:30:02 +0300 (+03)
Date:   Tue, 18 Feb 2020 13:30:02 +0300
From:   "Kirill A. Shutemov" <kirill@shutemov.name>
To:     Qian Cai <cai@lca.pw>
Cc:     Andrew Morton <akpm@linux-foundation.org>, elver@google.com,
        linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        peterz@infradead.org,
        syzbot+c034966b0b02f94f7f34@syzkaller.appspotmail.com,
        syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH -next] fork: annotate a data race in vm_area_dup()
Message-ID: <20200218103002.6rtjreyqjepo3yxe@box>
References: <20200217223138.doaph66iwprbwhw5@box>
 <EAD6E54D-8A57-4494-94F2-2EEEC3265560@lca.pw>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <EAD6E54D-8A57-4494-94F2-2EEEC3265560@lca.pw>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 17, 2020 at 10:59:47PM -0500, Qian Cai wrote:
> 
> 
> > On Feb 17, 2020, at 5:31 PM, Kirill A. Shutemov <kirill@shutemov.name> wrote:
> > 
> > I'm confused. AFAICS both sides hold mmap_sem on write:
> > 
> > - vm_mmap_pgoff() takes mmap_sem for the write on the write side
> > 
> > - do_mprotect_pkey() takes mmap_sem for the write on the read side
> > 
> > 
> > What do I miss?
> 
> Ah, good catch. I missed the locking for the read there. This is interesting because Marco
> did confirmed that the concurrency could happen,
> 
> https://lore.kernel.org/lkml/20191025173511.181416-1-elver@google.com/
> 
> If that means KCSAN is not at fault, then I could think of two things,
> 
> 1) someone downgrades the lock.
> 
> I don’t think that a case here. Only __do_munmap() will do that but I did not see how
> it will affect us here.
> 
> 2) the reader and writer are two different processes.
> 
> So, they held a different mmap_sem, but I can’t see how could two processes shared
> the same vm_area_struct. Also, file->f_mapping->i_mmap was also stored in the
> writer, but I can’t see how it was also loaded in the reader.
> 
> Any ideas?

I think I've got this:

vm_area_dup() blindly copies all fields of orignal VMA to the new one.
This includes coping vm_area_struct::shared.rb which is normally protected
by i_mmap_lock. But this is fine because the read value will be
overwritten on the following __vma_link_file() under proper protectection.

So the fix is correct, but justificaiton is lacking.

Also, I would like to more fine-grained annotation: marking with
data_race() 200 bytes copy may hide other issues.

-- 
 Kirill A. Shutemov