From: Lorenzo Stoakes <ljs@kernel.org>
To: Xuewen Wang <wangxuewen@kylinos.cn>
Cc: akpm@linux-foundation.org, david@kernel.org, liam@infradead.org,
vbabka@kernel.org, rppt@kernel.org, surenb@google.com,
mhocko@suse.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] mm: fix data-race in folio_batch_count()
Date: Wed, 24 Jun 2026 15:23:05 +0100 [thread overview]
Message-ID: <ajvkK-vcVzgll2Tm@lucifer> (raw)
In-Reply-To: <20260624092606.1083449-1-wangxuewen@kylinos.cn>
On Wed, Jun 24, 2026 at 05:26:06PM +0800, Xuewen Wang wrote:
> KCSAN reports:
>
> BUG: KCSAN: data-race in __lru_add_drain_all / folio_batch_add_and_move
Where? A syzbot report? A local run? Please specify.
>
> write to 0xffff98fe74c015f8 of 1 bytes by task 45153 on cpu 2:
> folio_batch_add+0x30/0xe0
>
> read to 0xffff98fe74c015f8 of 1 bytes by task 45175 on cpu 0:
> folio_batch_count+0x0/0x10
> cpu_needs_drain+0x253/0x430
>
> The write side is a per-cpu local operation (folio_batch_add on the
> CPU that owns the per-cpu batch), while cpu_needs_drain() reads
> another CPU's per-cpu batch without locking. Reading a slightly stale
> value is harmless -- it only determines whether to schedule a drain,
Then why are we adding a READ_ONCE() in such a core helper?
> and a subsequent check will catch it.
Where? Which check? Be specific.
>
> Use READ_ONCE() to annotate the read and prevent load tearing, which
> also suppresses the KCSAN warning.
Tearing on a single byte? Which architecture tears a single byte?
I think you're actually more concerned about the value being optimised out on
assumption of it not being updated elsewhere right?
But acutally you're not, because everybody else uses a stack variable or _their
own_ per-CPU value?
Only cpu_needs_drain() is the odd one out right?
>
> Signed-off-by: Xuewen Wang <wangxuewen@kylinos.cn>
> ---
> include/linux/folio_batch.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/folio_batch.h b/include/linux/folio_batch.h
> index b45946adc50b..1e31e058e19d 100644
> --- a/include/linux/folio_batch.h
> +++ b/include/linux/folio_batch.h
> @@ -53,7 +53,7 @@ static inline void folio_batch_reinit(struct folio_batch *fbatch)
>
> static inline unsigned int folio_batch_count(const struct folio_batch *fbatch)
> {
> - return fbatch->nr;
> + return READ_ONCE(fbatch->nr);
This isn't free, you're breaking optimisations here by doing that...
It feels like the wrong level of abstraction, but actually I think every other
case is either stack or per-CPU _on its own CPU_ (please check), in which case
we _can_ suppress the check here but I think best done with data_race().
And see the kernel bug bot report, you need to add:
#include <linux/compiler.h>
Too for that.
> }
>
> static inline unsigned int folio_batch_space(const struct folio_batch *fbatch)
> --
> 2.25.1
>
Thanks, Lorenzo
next prev parent reply other threads:[~2026-06-24 14:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-24 9:26 [PATCH v1] mm: fix data-race in folio_batch_count() Xuewen Wang
2026-06-24 13:54 ` kernel test robot
2026-06-24 14:23 ` Lorenzo Stoakes [this message]
2026-06-24 14:38 ` David Hildenbrand (Arm)
2026-06-24 14:35 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajvkK-vcVzgll2Tm@lucifer \
--to=ljs@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=david@kernel.org \
--cc=liam@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@kernel.org \
--cc=wangxuewen@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.