Re: [PATCH] mm: fix pgdat->kswap accessed concurrently

From: Muchun Song
Date: Wed Aug 24 2022 - 03:00:56 EST




> On Aug 21, 2022, at 04:59, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sat, 20 Aug 2022 15:33:04 +0800 Muchun Song <muchun.song@xxxxxxxxx> wrote:
>
>>
>>
>>> + if (IS_ERR(t)) {
>>> /* failure at boot is fatal */
>>> BUG_ON(system_state < SYSTEM_RUNNING);
>>> pr_err("Failed to start kswapd on node %d\n", nid);
>>> - pgdat->kswapd = NULL;
>>> + WRITE_ONCE(pgdat->kswapd, NULL);
>>> + } else {
>>> + WRITE_ONCE(pgdat->kswapd, t);
>>> }
>>> }
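Review bot: WRITE_ONCE() only closes the window in which a reader could observe the transient ERR_PTR()/NULL value in pgdat->kswapd; it gives a reader that does READ_ONCE(pgdat->kswapd) and then calls task_is_running() on the result nothing that keeps the task alive between the load and the use, which is the use-after-free raised further down in this thread. Suggest either taking a reference on the task around the use (get_task_struct()/put_task_struct()) or stating in the changelog why readers cannot observe a task that has already exited, since `WRITE_ONCE(pgdat->kswapd, t);` alone does not establish that.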
>>
>> IIUC, the race is like the followings:
>>
>> CPU 0:                                  CPU 1:
>>
>> kswapd_run()
>>   pgdat->kswapd = kthread_run()
>>   if (IS_ERR(pgdat->kswapd))
>>                                         kswapd_is_running
>>                                           // load pgdat->kswapd and it is NOT NULL.
>>     pgdat->kswapd = NULL
>>                                           task_is_running(pgdat->kswapd); // NULL pointer dereference
>>
>
> But don't we still have a bug? Sure, kswapd_is_running() will no
> longer deref a null pointer. But it now runs kswapd_is_running()
> against a task which has exited - a use-after-free?
>

Agree. I missed that.

Thanks,
Muchun