lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5ce45c874d6a05ca69abed3961d413c4a4360e79.camel@mediatek.com>
Date:   Fri, 2 Sep 2022 14:40:59 +0800
From:   Kuyo Chang <kuyo.chang@...iatek.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC:     <major.chen@...sung.com>, Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Juri Lelli <juri.lelli@...hat.com>,
        Vincent Guittot <vincent.guittot@...aro.org>,
        Dietmar Eggemann <dietmar.eggemann@....com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Ben Segall <bsegall@...gle.com>,
        "Mel Gorman" <mgorman@...e.de>,
        Daniel Bristot de Oliveira <bristot@...hat.com>,
        Valentin Schneider <vschneid@...hat.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        <wsd_upstream@...iatek.com>, <hongfei.tang@...sung.com>,
        <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>
Subject: Re: [PATCH 1/1] sched/debug: fix dentry leak in
 update_sched_domain_debugfs

On Fri, 2022-09-02 at 07:26 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 02, 2022 at 11:15:15AM +0800, Kuyo Chang wrote:
> > From: kuyo chang <kuyo.chang@...iatek.com>
> > 
> > [Syndrome]
> > Lowmemorykiller triggered while doing hotplug stress test as below
> > cmd:
> > echo [0/1] > /sys/devices/system/cpu/cpu${index}/online
> > 
> > Rootcause:
> > Call trace of the slab owner & usage as below after hotplug stress
> > test(4hr).
> > There exists dentry leak at update_sched_domain_debugfs.
> > 
> > Total size : 322000KB
> > <prep_new_page+44>:
> > <get_page_from_freelist+672>:
> > <__alloc_pages+304>:
> > <allocate_slab+144>:
> > <___slab_alloc+404>:
> > <__slab_alloc+60>:
> > <kmem_cache_alloc+1204>:
> > <alloc_inode+100>:
> > <new_inode+40>:
> > <__debugfs_create_file+172>:
> > <update_sched_domain_debugfs+824>:
> > <partition_sched_domains_locked+1292>:
> > <rebuild_sched_domains_locked+576>:
> > <cpuset_hotplug_workfn+1052>:
> > <process_one_work+584>:
> > <worker_thread+1008>:
> > 
> > [Solution]
> > Provided by Major Chen <major.chen@...sung.com> as below link.
> > 
https://lore.kernel.org/lkml/20220711030341epcms5p173848e98b13c09eb2fcdf2fd7287526a@epcms5p1/
> > update_sched_domain_debugfs() uses debugfs_lookup() to find wanted
> > dentry(which has
> > been created by debugfs_create_dir() before), but not call dput()
> > to return this dentry
> > back. This result in dentry leak even debugfs_remove() is called.
> > 
> > [Test result]
> > Using below commands to check inode_cache & dentry leak.
> > cat /proc/slabinfo | grep -w inode_cache
> > cat /proc/slabinfo | grep -w dentry
> > 
> > With the patch, the inode_cache & dentry stays consistent
> > so the lowmemorykiller will not triggered anymore.
> > 
> > Fixes: 8a99b6833c88 ("sched: Move SCHED_DEBUG sysctl to debugfs")
> > 
> > Signed-off-by: Major Chen <major.chen@...sung.com>
> > Signed-off-by: kuyo chang <kuyo.chang@...iatek.com>
> > Tested-by: kuyo chang <kuyo.chang@...iatek.com>
> > 
> > ---
> >  kernel/sched/debug.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c
> > index bb3d63bdf4ae..4ffea2dc01da 100644
> > --- a/kernel/sched/debug.c
> > +++ b/kernel/sched/debug.c
> > @@ -412,11 +412,14 @@ void update_sched_domain_debugfs(void)
> >  
> >  	for_each_cpu(cpu, sd_sysctl_cpus) {
> >  		struct sched_domain *sd;
> > -		struct dentry *d_cpu;
> > +		struct dentry *d_cpu, *d_lookup;
> >  		char buf[32];
> >  
> >  		snprintf(buf, sizeof(buf), "cpu%d", cpu);
> > -		debugfs_remove(debugfs_lookup(buf, sd_dentry));
> > +		d_lookup = debugfs_lookup(buf, sd_dentry);
> > +		debugfs_remove(d_lookup);
> > +		if (!IS_ERR_OR_NULL(d_lookup))
> > +			dput(d_lookup);
> 
> That's odd, and means that something else is removing this file right
> after we looked it up?  Is there a missing lock here that should be
> used
> instead?
> 
> thanks,
> 
> greg k-h


While doing cpu hotlug, the cpu_active_mask is changed, 
so it need to update_sched_domain_debugfs.

The original design is to recreate sd_dentry, so it doing
debugfs_remove and then debugfs_create_dir.
However, by debugfs_lookup function usage.
The returned dentry must be passed to dput() when it is no longer
needed to avoid dentry leak.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ