lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20170727143604.GB31031@dhcp22.suse.cz>
Date:   Thu, 27 Jul 2017 16:36:04 +0200
From:   Michal Hocko <mhocko@...nel.org>
To:     Wenwei Tao <wenwei.tww@...il.com>
Cc:     stable@...r.kernel.org, hannes@...xchg.org, bsingharora@...il.com,
        kamezawa.hiroyu@...fujitsu.com, cgroups@...r.kernel.org,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        wenwei.tww@...baba-inc.com, yuwang.yuwang@...baba-inc.com,
        Glauber Costa <glommer@...allels.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH stable 3.10] mm: memcontrol: factor out reclaim iterator
 loading and updating

On Thu 27-07-17 21:59:06, Wenwei Tao wrote:
> From: Johannes Weiner <hannes@...xchg.org>
> 
> commit 519ebea3bf6df45439e79c54bda1d9e29fe13a64 upstream
> 
> It turned out that this is actually a bug fix which prevents a double
> css_put on last_visited memcg which results in kernel BUG at kernel/cgroup.c:893!
> See http://lkml.kernel.org/r/20170726130742.5976-1-wenwei.tww@gmail.com
> for more details.
> 
> mem_cgroup_iter() is too hard to follow.  Factor out the lockless reclaim
> iterator loading and updating so it's easier to follow the big picture.
> 
> Also document the iterator invalidation mechanism a bit more extensively.
> 
> Signed-off-by: Johannes Weiner <hannes@...xchg.org>
> Reported-by: Tejun Heo <tj@...nel.org>
> Reviewed-by: Tejun Heo <tj@...nel.org>
> Acked-by: Michal Hocko <mhocko@...e.cz>
> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>
> Cc: Glauber Costa <glommer@...allels.com>
> Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> [wt: Backported to linux-3.10.y: adjusted context]
> Signed-off-by: Wenwei Tao <wenwei.tww@...baba-inc.com>

Yes this looks ok and rebases on top of ecc736fc3c71 ("memcg: fix
endless loop caused by mem_cgroup_iter") backport properly.

Thanks!

> ---
>  mm/memcontrol.c | 97 ++++++++++++++++++++++++++++++++++++++++-----------------
>  1 file changed, 68 insertions(+), 29 deletions(-)
> 
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 437ae2c..fcde430 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -1149,6 +1149,68 @@ skip_node:
>  	return NULL;
>  }
>  
> +static void mem_cgroup_iter_invalidate(struct mem_cgroup *root)
> +{
> +	/*
> +	 * When a group in the hierarchy below root is destroyed, the
> +	 * hierarchy iterator can no longer be trusted since it might
> +	 * have pointed to the destroyed group.  Invalidate it.
> +	 */
> +	atomic_inc(&root->dead_count);
> +}
> +
> +static struct mem_cgroup *
> +mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter,
> +		     struct mem_cgroup *root,
> +		     int *sequence)
> +{
> +	struct mem_cgroup *position = NULL;
> +	/*
> +	 * A cgroup destruction happens in two stages: offlining and
> +	 * release.  They are separated by a RCU grace period.
> +	 *
> +	 * If the iterator is valid, we may still race with an
> +	 * offlining.  The RCU lock ensures the object won't be
> +	 * released, tryget will fail if we lost the race.
> +	 */
> +	*sequence = atomic_read(&root->dead_count);
> +	if (iter->last_dead_count == *sequence) {
> +		smp_rmb();
> +		position = iter->last_visited;
> +
> +		/*
> +		 * We cannot take a reference to root because we might race
> +		 * with root removal and returning NULL would end up in
> +		 * an endless loop on the iterator user level when root
> +		 * would be returned all the time.
> +		 */
> +		if (position && position != root &&
> +				!css_tryget(&position->css))
> +			position = NULL;
> +	}
> +	return position;
> +}
> +
> +static void mem_cgroup_iter_update(struct mem_cgroup_reclaim_iter *iter,
> +				   struct mem_cgroup *last_visited,
> +				   struct mem_cgroup *new_position,
> +				   struct mem_cgroup *root,
> +				   int sequence)
> +{
> +	/* root reference counting symmetric to mem_cgroup_iter_load */
> +	if (last_visited && last_visited != root)
> +		css_put(&last_visited->css);
> +	/*
> +	 * We store the sequence count from the time @last_visited was
> +	 * loaded successfully instead of rereading it here so that we
> +	 * don't lose destruction events in between.  We could have
> +	 * raced with the destruction of @new_position after all.
> +	 */
> +	iter->last_visited = new_position;
> +	smp_wmb();
> +	iter->last_dead_count = sequence;
> +}
> +
>  /**
>   * mem_cgroup_iter - iterate over memory cgroup hierarchy
>   * @root: hierarchy root
> @@ -1172,7 +1234,6 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
>  {
>  	struct mem_cgroup *memcg = NULL;
>  	struct mem_cgroup *last_visited = NULL;
> -	unsigned long uninitialized_var(dead_count);
>  
>  	if (mem_cgroup_disabled())
>  		return NULL;
> @@ -1192,6 +1253,7 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
>  	rcu_read_lock();
>  	while (!memcg) {
>  		struct mem_cgroup_reclaim_iter *uninitialized_var(iter);
> +		int uninitialized_var(seq);
>  
>  		if (reclaim) {
>  			int nid = zone_to_nid(reclaim->zone);
> @@ -1205,37 +1267,14 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
>  				goto out_unlock;
>  			}
>  
> -			/*
> -			 * If the dead_count mismatches, a destruction
> -			 * has happened or is happening concurrently.
> -			 * If the dead_count matches, a destruction
> -			 * might still happen concurrently, but since
> -			 * we checked under RCU, that destruction
> -			 * won't free the object until we release the
> -			 * RCU reader lock.  Thus, the dead_count
> -			 * check verifies the pointer is still valid,
> -			 * css_tryget() verifies the cgroup pointed to
> -			 * is alive.
> -			 */
> -			dead_count = atomic_read(&root->dead_count);
> -			if (dead_count == iter->last_dead_count) {
> -				smp_rmb();
> -				last_visited = iter->last_visited;
> -				if (last_visited && last_visited != root &&
> -				    !css_tryget(&last_visited->css))
> -					last_visited = NULL;
> -			}
> +			last_visited = mem_cgroup_iter_load(iter, root, &seq);
>  		}
>  
>  		memcg = __mem_cgroup_iter_next(root, last_visited);
>  
>  		if (reclaim) {
> -			if (last_visited && last_visited != root)
> -				css_put(&last_visited->css);
> -
> -			iter->last_visited = memcg;
> -			smp_wmb();
> -			iter->last_dead_count = dead_count;
> +			mem_cgroup_iter_update(iter, last_visited, memcg, root,
> +					seq);
>  
>  			if (!memcg)
>  				iter->generation++;
> @@ -6346,14 +6385,14 @@ static void mem_cgroup_invalidate_reclaim_iterators(struct mem_cgroup *memcg)
>  	struct mem_cgroup *parent = memcg;
>  
>  	while ((parent = parent_mem_cgroup(parent)))
> -		atomic_inc(&parent->dead_count);
> +		mem_cgroup_iter_invalidate(parent);
>  
>  	/*
>  	 * if the root memcg is not hierarchical we have to check it
>  	 * explicitely.
>  	 */
>  	if (!root_mem_cgroup->use_hierarchy)
> -		atomic_inc(&root_mem_cgroup->dead_count);
> +		mem_cgroup_iter_invalidate(root_mem_cgroup);
>  }
>  
>  static void mem_cgroup_css_offline(struct cgroup *cont)
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@...ck.org.  For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"dont@...ck.org"> email@...ck.org </a>

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ