mm/swap_state: fix a data race in swapin_nr_pages

[ Upstream commit d6c1f098f2a7ba62627c9bc17cda28f534ef9e4a ] "prev_offset" is a static variable in swapin_nr_pages() that can be accessed concurrently with only mmap_sem held in read mode as noticed by KCSAN, BUG: KCSAN: data-race in swap_cluster_readahead / swap_cluster_readahead write to 0xffffffff92763830 of 8 bytes by task 14795 on cpu 17: swap_cluster_readahead+0x2a6/0x5e0 swapin_readahead+0x92/0x8dc do_swap_page+0x49b/0xf20 __handle_mm_fault+0xcfb/0xd70 handle_mm_fault+0xfc/0x2f0 do_page_fault+0x263/0x715 page_fault+0x34/0x40 1 lock held by (dnf)/14795: #0: ffff897bd2e98858 (&mm->mmap_sem#2){++++}-{3:3}, at: do_page_fault+0x143/0x715 do_user_addr_fault at arch/x86/mm/fault.c:1405 (inlined by) do_page_fault at arch/x86/mm/fault.c:1535 irq event stamp: 83493 count_memcg_event_mm+0x1a6/0x270 count_memcg_event_mm+0x119/0x270 __do_softirq+0x365/0x589 irq_exit+0xa2/0xc0 read to 0xffffffff92763830 of 8 bytes by task 1 on cpu 22: swap_cluster_readahead+0xfd/0x5e0 swapin_readahead+0x92/0x8dc do_swap_page+0x49b/0xf20 __handle_mm_fault+0xcfb/0xd70 handle_mm_fault+0xfc/0x2f0 do_page_fault+0x263/0x715 page_fault+0x34/0x40 1 lock held by systemd/1: #0: ffff897c38f14858 (&mm->mmap_sem#2){++++}-{3:3}, at: do_page_fault+0x143/0x715 irq event stamp: 43530289 count_memcg_event_mm+0x1a6/0x270 count_memcg_event_mm+0x119/0x270 __do_softirq+0x365/0x589 irq_exit+0xa2/0xc0 Signed-off-by: Qian Cai <cai@lca.pw> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Marco Elver <elver@google.com> Cc: Hugh Dickins <hughd@google.com> Link: http://lkml.kernel.org/r/20200402213748.2237-1-cai@lca.pw Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Qian Cai <cai@lca.pw> 2020-06-01 21:48:40 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-10-01 13:14:47 +0200
commit: 8cc3afd53d8d967a3839b7f59e962e76cda2720b (patch)
tree: baf73e55aa022da3ea02656b4cbb764ce30294d7 /mm
parent: c42c61e98251d5de390434181092ce9e7a9c5719 (diff)
download: linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.tar.gz
linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.tar.bz2
linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/mm/swap_state.c b/mm/swap_state.c
index 09731f4174c7..3febffe0fca4 100644
--- a/mm/swap_state.c
+++ b/mm/swap_state.c
@@ -537,10 +537,11 @@ static unsigned long swapin_nr_pages(unsigned long offset)
 		return 1;
 
 	hits = atomic_xchg(&swapin_readahead_hits, 0);
-	pages = __swapin_nr_pages(prev_offset, offset, hits, max_pages,
+	pages = __swapin_nr_pages(READ_ONCE(prev_offset), offset, hits,
+				  max_pages,
 				  atomic_read(&last_readahead_pages));
 	if (!hits)
-		prev_offset = offset;
+		WRITE_ONCE(prev_offset, offset);
 	atomic_set(&last_readahead_pages, pages);
 
 	return pages;
author	Qian Cai <cai@lca.pw>	2020-06-01 21:48:40 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-10-01 13:14:47 +0200
commit	8cc3afd53d8d967a3839b7f59e962e76cda2720b (patch)
tree	baf73e55aa022da3ea02656b4cbb764ce30294d7 /mm
parent	c42c61e98251d5de390434181092ce9e7a9c5719 (diff)
download	linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.tar.gz linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.tar.bz2 linux-stable-8cc3afd53d8d967a3839b7f59e962e76cda2720b.zip