lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Oct 2016 18:21:37 -0700 From: Linus Torvalds <torvalds@...ux-foundation.org> To: Johannes Weiner <hannes@...xchg.org> Cc: Andrew Morton <akpm@...ux-foundation.org>, Antonio SJ Musumeci <trapexit@...wn.link>, Miklos Szeredi <miklos@...redi.hu>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, stable <stable@...r.kernel.org> Subject: Re: BUG_ON() in workingset_node_shadows_dec() triggers On Tue, Oct 4, 2016 at 2:32 AM, Johannes Weiner <hannes@...xchg.org> wrote: > > In the workingset code, if we detect radix tree nodes in a state in > which they shouldn't be on the shadow node LRU, we could simply warn, > abort the reclaim process and leave them off the LRU. Something like > the below patch. I don't hate that patch, but I wonder why the counts get corrupted and the workingset_node_shadows_dec() thing triggered in the first place. So I do think that the BUG_ON()'s there in shadow_lru_isolate() should be removed, but since they haven't triggered I worry more abut the one that has. I've tried to follow the counting, and I don't see any obvious bugs in the counting per se. I went as far as look where we even initialize node->count. Btw, whoever wrote that code liked the whole SLAB desctructor model a lot too much. Initializing the fields as you free something is rather silly from a cache use standpoint. You're just touching cachelines that are almost guaranteed to be wasted. Why isn't that init code just done at allocation time instead of in that radix_tree_node_rcu_free() destructor? But I couldn't see anything actively *buggy*, even if I think the code is oddly structured. So to debug that, I'd actually like to see something that adds a few more warnings to try to catch *where* the count goes bad For example, is it actually valid to free a radix_tree_node that has a non-zero count? Shouldn't all the shadow entries have been removed? The problem with the BUG_ON() at workingset_node_shadows_dec() time isn't just that it killed the machine, it also doesn't actually give very much information. The count has presumably been mis-done long before.. Linus
Powered by blists - more mailing lists