Message-ID: <CANpmjNOdFsU9gg7FSv7Pue0L2eAQ+5UHHaz9bgZ83r94prA4vQ@mail.gmail.com>
Date:   Wed, 29 Jan 2020 13:21:49 +0100
From:   Marco Elver <elver@...gle.com>
To:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc:     Qian Cai <cai@....pw>, Dmitry Vyukov <dvyukov@...gle.com>,
        Michal Hocko <mhocko@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Johannes Weiner <hannes@...xchg.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mm/page_counter: fix various data races

On Wed, 29 Jan 2020 at 13:13, Tetsuo Handa
<penguin-kernel@...ove.sakura.ne.jp> wrote:
>
> On 2020/01/29 21:03, Michal Hocko wrote:
> >> Fixes: 3e32cb2e0a12 ("mm: memcontrol: lockless page counters")
> >> Signed-off-by: Qian Cai <cai@....pw>
> >
> > Acked-by: Michal Hocko <mhocko@...e.com>
>
> Please include
>
> Reported-by: syzbot+f36cfe60b1006a94f9dc@...kaller.appspotmail.com
>
> for https://syzkaller.appspot.com/bug?id=744097b8b91cecd8b035a6f746bb12e4efc7669f .
>
> By the way, can READ_ONCE()/WRITE_ONCE() really solve this warning?
> The link above says read/write on the same location ( mm/page_counter.c:129 ).
> I don't know how READ_ONCE()/WRITE_ONCE() can solve the race.

It avoids the *data* race, with *_ONCE telling the compiler to not
optimize the accesses in concurrency-unfriendly ways.  Since *_ONCE is
used, it conveys clear intent that the code here is meant to be
concurrent, and KCSAN stops complaining (and assumes that the *logic*
is correct).

The race itself is still there, but as per comment in the file,
apparently fine and not a logic bug.

> >
> >> ---
> >>  mm/page_counter.c | 8 ++++----
> >>  1 file changed, 4 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/mm/page_counter.c b/mm/page_counter.c
> >> index de31470655f6..a17841150906 100644
> >> --- a/mm/page_counter.c
> >> +++ b/mm/page_counter.c
> >> @@ -82,8 +82,8 @@ void page_counter_charge(struct page_counter *counter, unsigned long nr_pages)
> >>               * This is indeed racy, but we can live with some
> >>               * inaccuracy in the watermark.
> >>               */
> >> -            if (new > c->watermark)
> >> -                    c->watermark = new;
> >> +            if (new > READ_ONCE(c->watermark))
> >> +                    WRITE_ONCE(c->watermark, new);
> >>      }
> >>  }
> >>
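Review bot: In page_counter_charge(), the comment above the changed lines still only says "This is indeed racy", and the new READ_ONCE()/WRITE_ONCE() pair does not make the compare-and-store atomic: two callers can both pass `new > READ_ONCE(c->watermark)` and the smaller value can be stored last. Suggest extending the comment to say that the marking is deliberate and only stops the compiler from tearing or re-reading the access, so a later reader does not mistake the annotation for a fix of the lost update.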
> >> @@ -135,8 +135,8 @@ bool page_counter_try_charge(struct page_counter *counter,
> >>               * Just like with failcnt, we can live with some
> >>               * inaccuracy in the watermark.
> >>               */
> >> -            if (new > c->watermark)
> >> -                    c->watermark = new;
> >> +            if (new > READ_ONCE(c->watermark))
> >> +                    WRITE_ONCE(c->watermark, new);
> >>      }
> >>      return true;
> >>
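Review bot: The comment in page_counter_try_charge() says the watermark is handled "just like with failcnt", but the diffstat (4 insertions, 4 deletions) shows that only the two watermark updates are marked. If failcnt is updated with plain accesses in this function, it should get the same READ_ONCE()/WRITE_ONCE() marking in this patch, or the commit message should say why it is left out. The two-line check-and-store is also now duplicated verbatim in both functions and could move into one small helper.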
> >> --
> >> 2.21.0 (Apple Git-122.2)
> >
>
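The distinction drawn in the reply above (the data race is gone, the race itself remains) can be replayed deterministically. This is an added example, not code from the thread or from the kernel: the `READ_ONCE`/`WRITE_ONCE` macros are simplified userspace stand-ins, `struct counter` and the values 5, 7 and 10 are constructed, and the compare-exchange variant is shown only as a contrast that nobody in the thread proposes.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Simplified userspace stand-ins (assumption): one volatile access each. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

struct counter { unsigned long watermark; };   /* constructed, not the kernel struct */

/* Replays one interleaving of the patched pattern on a single thread:
 * CPU A charges to 10, CPU B to 7, both compare before either stores. */
unsigned long replay_marked(void)
{
	struct counter c = { .watermark = 5 };
	int a_raises = 10 > READ_ONCE(c.watermark);   /* A: sees 5 */
	int b_raises = 7 > READ_ONCE(c.watermark);    /* B: sees 5 */

	if (a_raises)
		WRITE_ONCE(c.watermark, 10);          /* A stores first */
	if (b_raises)
		WRITE_ONCE(c.watermark, 7);           /* B stores last, 10 is lost */
	return c.watermark;
}

/* One compare-exchange attempt against an earlier snapshot; returns 1 when
 * no further attempt is needed. On failure *seen is refreshed. */
static int cas_step(_Atomic unsigned long *wm, unsigned long *seen, unsigned long new)
{
	if (new <= *seen)
		return 1;
	return atomic_compare_exchange_strong(wm, seen, new);
}

/* Same interleaving with an exact maximum (contrast only). */
unsigned long replay_cas(void)
{
	_Atomic unsigned long wm = 5;
	unsigned long seen_a = atomic_load(&wm), seen_b = atomic_load(&wm);

	while (!cas_step(&wm, &seen_a, 10)) { }       /* A: 5 -> 10 */
	while (!cas_step(&wm, &seen_b, 7)) { }        /* B: stale 5 fails, then 7 <= 10 */
	return atomic_load(&wm);
}

int main(void)
{
	printf("marked plain update: %lu\n", replay_marked());
	printf("compare-exchange:    %lu\n", replay_cas());
	return 0;
}
```

The marked version ends below the true peak, which is the inaccuracy the comments in mm/page_counter.c accept; the marking only guarantees each load and store happens once and untorn.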
