From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Qian Cai <cai@lca.pw>,
Andrew Morton <akpm@linux-foundation.org>,
Marco Elver <elver@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 40/64] percpu_counter: fix a data race at vm_committed_as
Date: Wed, 22 Apr 2020 11:57:24 +0200
Message-ID: <20200422095020.115861367@linuxfoundation.org>
In-Reply-To: <20200422095008.799686511@linuxfoundation.org>
From: Qian Cai <cai@lca.pw>
[ Upstream commit 7e2345200262e4a6056580f0231cccdaffc825f3 ]
"vm_committed_as.count" could be accessed concurrently as reported by
KCSAN,

 BUG: KCSAN: data-race in __vm_enough_memory / percpu_counter_add_batch

 write to 0xffffffff9451c538 of 8 bytes by task 65879 on cpu 35:
  percpu_counter_add_batch+0x83/0xd0
  percpu_counter_add_batch at lib/percpu_counter.c:91
  __vm_enough_memory+0xb9/0x260
  dup_mm+0x3a4/0x8f0
  copy_process+0x2458/0x3240
  _do_fork+0xaa/0x9f0
  __do_sys_clone+0x125/0x160
  __x64_sys_clone+0x70/0x90
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffffffff9451c538 of 8 bytes by task 66773 on cpu 19:
  __vm_enough_memory+0x199/0x260
  percpu_counter_read_positive at include/linux/percpu_counter.h:81
  (inlined by) __vm_enough_memory at mm/util.c:839
  mmap_region+0x1b2/0xa10
  do_mmap+0x45c/0x700
  vm_mmap_pgoff+0xc0/0x130
  ksys_mmap_pgoff+0x6e/0x300
  __x64_sys_mmap+0x33/0x40
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The read is outside percpu_counter::lock critical section which results in
a data race. Fix it by adding a READ_ONCE() in
percpu_counter_read_positive() which could also serve as the existing
compiler memory barrier.

Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Marco Elver <elver@google.com>
Link: http://lkml.kernel.org/r/1582302724-2804-1-git-send-email-cai@lca.pw
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/percpu_counter.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/percpu_counter.h b/include/linux/percpu_counter.h
index 4f052496cdfd7..0a4f54dd4737b 100644
--- a/include/linux/percpu_counter.h
+++ b/include/linux/percpu_counter.h
@@ -78,9 +78,9 @@ static inline s64 percpu_counter_read(struct percpu_counter *fbc)
*/
static inline s64 percpu_counter_read_positive(struct percpu_counter *fbc)
{
- s64 ret = fbc->count;
+ /* Prevent reloads of fbc->count */
+ s64 ret = READ_ONCE(fbc->count);
- barrier(); /* Prevent reloads of fbc->count */
if (ret >= 0)
return ret;
return 0;
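Review bot: the `READ_ONCE(fbc->count)` load in percpu_counter_read_positive() annotates only the reader side of the reported race; the write KCSAN flagged in percpu_counter_add_batch (lib/percpu_counter.c:91) stays a plain store, since the diffstat touches include/linux/percpu_counter.h alone. Consider pairing it with WRITE_ONCE() on the writer, or saying in the changelog why a plain store inside the percpu_counter::lock critical section is sufficient against a lockless 8-byte reader. The moved comment still reads only "Prevent reloads of fbc->count"; extending it to say that the load is made outside the lock and races with updates would keep the reason for the annotation visible to later cleanups. percpu_counter_read(), named in the hunk header, is not shown in this hunk; if it loads fbc->count the same way, it needs the same treatment.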
--
2.20.1