| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 May 2023 13:37:24 +0800
From: Qi Zheng <zhengqi.arch@...edance.com>
To: Joan Bruguera Micó <joanbrugueram@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Roman Gushchin <roman.gushchin@...ux.dev>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: shrinkers: fix race condition on debugfs cleanup
On 2023/5/3 09:32, Joan Bruguera Micó wrote:
> When something registers and unregisters many shrinkers, such as:
> for x in $(seq 10000); do unshare -Ui true; done
>
> Sometimes the following error is printed to the kernel log:
> debugfs: Directory '...' with parent 'shrinker' already present!
>
> This occurs since commit badc28d4924b ("mm: shrinkers: fix deadlock in
> shrinker debugfs") / v6.2: Since the call to `debugfs_remove_recursive`
> was moved outside the `shrinker_rwsem`/`shrinker_mutex` lock, but the call
> to `ida_free` stayed inside, a newly registered shrinker can be
> re-assigned that ID and attempt to create the debugfs directory before
> the directory from the previous shrinker has been removed.
>
> The locking changes in commit f95bdb700bc6 ("mm: vmscan: make global slab
> shrink lockless") made the race condition more likely, though it existed
> before then.
>
> Commit badc28d4924b ("mm: shrinkers: fix deadlock in shrinker debugfs")
> could be reverted since the issue is addressed should no longer occur
> since the count and scan operations are lockless since commit 20cd1892fcc3
> ("mm: shrinkers: make count and scan in shrinker debugfs lockless").
> However, since this is a contended lock, prefer instead moving `ida_free`
> outside the lock to avoid the race.
>
> Fixes: badc28d4924b ("mm: shrinkers: fix deadlock in shrinker debugfs")
> Signed-off-by: Joan Bruguera Micó <joanbrugueram@...il.com>
> ---
> include/linux/shrinker.h | 13 +++++++++++--
> mm/shrinker_debug.c | 15 ++++++++++-----
> mm/vmscan.c | 5 +++--
> 3 files changed, 24 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/shrinker.h b/include/linux/shrinker.h
> index 7bde8e1c228a..224293b2dd06 100644
> --- a/include/linux/shrinker.h
> +++ b/include/linux/shrinker.h
> @@ -107,7 +107,10 @@ extern void synchronize_shrinkers(void);
>
> #ifdef CONFIG_SHRINKER_DEBUG
> extern int shrinker_debugfs_add(struct shrinker *shrinker);
> -extern struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker);
> +extern struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> + int *debugfs_id);
> +extern void shrinker_debugfs_remove(struct dentry *debugfs_entry,
> + int debugfs_id);
> extern int __printf(2, 3) shrinker_debugfs_rename(struct shrinker *shrinker,
> const char *fmt, ...);
> #else /* CONFIG_SHRINKER_DEBUG */
> @@ -115,10 +118,16 @@ static inline int shrinker_debugfs_add(struct shrinker *shrinker)
> {
> return 0;
> }
> -static inline struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
> +static inline struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> + int *debugfs_id)
> {
> + *debugfs_id = -1;
> return NULL;
> }
> +static inline void shrinker_debugfs_remove(struct dentry *debugfs_entry,
> + int debugfs_id)
> +{
> +}
> static inline __printf(2, 3)
> int shrinker_debugfs_rename(struct shrinker *shrinker, const char *fmt, ...)
> {
> diff --git a/mm/shrinker_debug.c b/mm/shrinker_debug.c
> index 3f83b10c5031..fe10436d9911 100644
> --- a/mm/shrinker_debug.c
> +++ b/mm/shrinker_debug.c
> @@ -237,7 +237,8 @@ int shrinker_debugfs_rename(struct shrinker *shrinker, const char *fmt, ...)
> }
> EXPORT_SYMBOL(shrinker_debugfs_rename);
>
> -struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
> +struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> + int *debugfs_id)
> {
> struct dentry *entry = shrinker->debugfs_entry;
>
> @@ -246,14 +247,18 @@ struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
> kfree_const(shrinker->name);
> shrinker->name = NULL;
>
> - if (entry) {
> - ida_free(&shrinker_debugfs_ida, shrinker->debugfs_id);
> - shrinker->debugfs_entry = NULL;
> - }
> + *debugfs_id = entry ? shrinker->debugfs_id : -1;
> + shrinker->debugfs_entry = NULL;
>
> return entry;
> }
>
> +void shrinker_debugfs_remove(struct dentry *debugfs_entry, int debugfs_id)
> +{
It would be better to add a check:
if (!debugfs_entry)
return;
> + debugfs_remove_recursive(debugfs_entry);
> + ida_free(&shrinker_debugfs_ida, debugfs_id);
> +}
> +
> static int __init shrinker_debugfs_init(void)
> {
> struct shrinker *shrinker;
> diff --git a/mm/vmscan.c b/mm/vmscan.c
> index 5bde07409303..c7d0faa343e0 100644
> --- a/mm/vmscan.c
> +++ b/mm/vmscan.c
> @@ -805,6 +805,7 @@ EXPORT_SYMBOL(register_shrinker);
> void unregister_shrinker(struct shrinker *shrinker)
> {
> struct dentry *debugfs_entry;
> + int debugfs_id;
>
> if (!(shrinker->flags & SHRINKER_REGISTERED))
> return;
> @@ -814,13 +815,13 @@ void unregister_shrinker(struct shrinker *shrinker)
> shrinker->flags &= ~SHRINKER_REGISTERED;
> if (shrinker->flags & SHRINKER_MEMCG_AWARE)
> unregister_memcg_shrinker(shrinker);
> - debugfs_entry = shrinker_debugfs_remove(shrinker);
> + debugfs_entry = shrinker_debugfs_detach(shrinker, &debugfs_id);
> mutex_unlock(&shrinker_mutex);
>
> atomic_inc(&shrinker_srcu_generation);
> synchronize_srcu(&shrinker_srcu);
>
> - debugfs_remove_recursive(debugfs_entry);
> + shrinker_debugfs_remove(debugfs_entry, debugfs_id);
>
> kfree(shrinker->nr_deferred);
> shrinker->nr_deferred = NULL;
--
Thanks,
Qi
Powered by blists - more mailing lists