[RHEL8,COMMIT] mm/tcache: restore missing rcu_read_lock() in tcache_detach_page() #PSBM-120802

Submitted by Konstantin Khorenko on Oct. 2, 2020, 3:25 p.m.

Details

Message ID 202010021525.092FPmD1140750@finist-co8.sw.ru
State New
Series "mm/tcache: restore missing rcu_read_lock() in tcache_detach_page()"

Commit Message

Konstantin Khorenko Oct. 2, 2020, 3:25 p.m.
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.11
------>
commit f5360935ed2747e922dce38ea5fb9bf9aa94f589
Author: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
Date:   Fri Oct 2 18:25:48 2020 +0300

    mm/tcache: restore missing rcu_read_lock() in tcache_detach_page() #PSBM-120802
    
    Looks like rcu_read_lock() was lost in "out:" path of tcache_detach_page()
    when tcache was ported to VZ8. As a result, Syzkaller was able to hit
    the following warning:
    
      WARNING: bad unlock balance detected!
      4.18.0-193.6.3.vz8.4.7.syz+debug #1 Tainted: G        W        ---------r-  -
      -------------------------------------
      vcmmd/926 is trying to release lock (rcu_read_lock) at:
      [<ffffffff848ed2e0>] tcache_detach_page+0x530/0x750
      but there are no more locks to release!
    
      other info that might help us debug this:
      2 locks held by vcmmd/926:
       #0: ffff888036331f30 (&mm->mmap_sem){++++}, at: __do_page_fault+0x157/0x550
       #1: ffff8880567295f8 (&ei->i_mmap_sem){++++}, at: ext4_filemap_fault+0x82/0xc0 [ext4]
    
      stack backtrace:
      CPU: 0 PID: 926 Comm: vcmmd ve: /
                   Tainted: G        W        ---------r-  - 4.18.0-193.6.3.vz8.4.7.syz+debug #1 4.7
      Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014
      Call Trace:
       dump_stack+0xd2/0x148
       print_unlock_imbalance_bug.cold.40+0xc8/0xd4
       lock_release+0x5e3/0x1360
       tcache_detach_page+0x559/0x750
       tcache_cleancache_get_page+0xe9/0x780
       __cleancache_get_page+0x212/0x320
       ext4_mpage_readpages+0x165d/0x1b90 [ext4]
       ext4_readpages+0xd6/0x110 [ext4]
       read_pages+0xff/0x5b0
       __do_page_cache_readahead+0x3fc/0x5b0
       filemap_fault+0x912/0x1b80
       ext4_filemap_fault+0x8a/0xc0 [ext4]
       __do_fault+0x110/0x410
       do_fault+0x622/0x1010
       __handle_mm_fault+0x980/0x1120
       handle_mm_fault+0x17f/0x610
       __do_page_fault+0x25d/0x550
       do_page_fault+0x38/0x290
       do_async_page_fault+0x5b/0xe0
       async_page_fault+0x1e/0x30
    
    Let us restore rcu_read_lock().
    
    https://jira.sw.ru/browse/PSBM-120802
    Fixes: a4831db86d48 ("mm: introduce transcendent file cache")
    Fix in vz7: 152239c6c3b2 ("mm/tcache: fix rcu_read_lock()/rcu_read_unlock()
    imbalance")
    
    Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
    Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 mm/tcache.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)


diff --git a/mm/tcache.c b/mm/tcache.c
index c7c5008fdac8..c40cf5de2dd8 100644
--- a/mm/tcache.c
+++ b/mm/tcache.c
@@ -853,8 +853,10 @@  static struct page *tcache_detach_page(struct tcache_node *node, pgoff_t index,
 		 * in __tcache_page_tree_delete() fails, and
 		 * we have to repeat the cycle.
 		 */
-		if (!page)
+		if (!page) {
+			rcu_read_lock();
 			goto repeat;
+		}
 	}
 
 	return page;
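Review bot: the re-acquisition of the RCU read lock before `goto repeat` is only correct if the `repeat:` label is inside the RCU read-side section and every exit from that section (including the `out:` path named in the commit message) ends with exactly one `rcu_read_unlock()`; neither the label nor the unlock site is visible in this hunk, so the balance cannot be checked from the patch alone and the commit message's description ("lost in 'out:' path") should be reconciled with what the hunk actually changes, which is the `if (!page)` retry branch. A one-line comment above `rcu_read_lock();` stating that the read lock was dropped before `__tcache_page_tree_delete()` and must be held again when jumping back to `repeat` would make the invariant obvious to the next reader, e.g. extending the existing comment block that ends with `we have to repeat the cycle.` with "the RCU read lock was released above and must be re-taken before looping".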