lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2d44a1bd-eb80-7724-ff4e-a0fc3bfd8b72@bytedance.com>
Date:   Wed, 3 May 2023 13:37:24 +0800
From:   Qi Zheng <zhengqi.arch@...edance.com>
To:     Joan Bruguera Micó <joanbrugueram@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     Roman Gushchin <roman.gushchin@...ux.dev>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: shrinkers: fix race condition on debugfs cleanup



On 2023/5/3 09:32, Joan Bruguera Micó wrote:
> When something registers and unregisters many shrinkers, such as:
>      for x in $(seq 10000); do unshare -Ui true; done
> 
> Sometimes the following error is printed to the kernel log:
>      debugfs: Directory '...' with parent 'shrinker' already present!
> 
> This occurs since commit badc28d4924b ("mm: shrinkers: fix deadlock in
> shrinker debugfs") / v6.2: Since the call to `debugfs_remove_recursive`
> was moved outside the `shrinker_rwsem`/`shrinker_mutex` lock, but the call
>   to `ida_free` stayed inside, a newly registered shrinker can be
>   re-assigned that ID and attempt to create the debugfs directory before
> the directory from the previous shrinker has been removed.
> 
> The locking changes in commit f95bdb700bc6 ("mm: vmscan: make global slab
> shrink lockless") made the race condition more likely, though it existed
> before then.
> 
> Commit badc28d4924b ("mm: shrinkers: fix deadlock in shrinker debugfs")
> could be reverted since the issue is addressed should no longer occur
> since the count and scan operations are lockless since commit 20cd1892fcc3
> ("mm: shrinkers: make count and scan in shrinker debugfs lockless").
> However, since this is a contended lock, prefer instead moving `ida_free`
> outside the lock to avoid the race.
> 
> Fixes: badc28d4924b ("mm: shrinkers: fix deadlock in shrinker debugfs")
> Signed-off-by: Joan Bruguera Micó <joanbrugueram@...il.com>
> ---
>   include/linux/shrinker.h | 13 +++++++++++--
>   mm/shrinker_debug.c      | 15 ++++++++++-----
>   mm/vmscan.c              |  5 +++--
>   3 files changed, 24 insertions(+), 9 deletions(-)
> 
> diff --git a/include/linux/shrinker.h b/include/linux/shrinker.h
> index 7bde8e1c228a..224293b2dd06 100644
> --- a/include/linux/shrinker.h
> +++ b/include/linux/shrinker.h
> @@ -107,7 +107,10 @@ extern void synchronize_shrinkers(void);
>   
>   #ifdef CONFIG_SHRINKER_DEBUG
>   extern int shrinker_debugfs_add(struct shrinker *shrinker);
> -extern struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker);
> +extern struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> +					      int *debugfs_id);
> +extern void shrinker_debugfs_remove(struct dentry *debugfs_entry,
> +				    int debugfs_id);
>   extern int __printf(2, 3) shrinker_debugfs_rename(struct shrinker *shrinker,
>   						  const char *fmt, ...);
>   #else /* CONFIG_SHRINKER_DEBUG */
> @@ -115,10 +118,16 @@ static inline int shrinker_debugfs_add(struct shrinker *shrinker)
>   {
>   	return 0;
>   }
> -static inline struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
> +static inline struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> +						     int *debugfs_id)
>   {
> +	*debugfs_id = -1;
>   	return NULL;
>   }
> +static inline void shrinker_debugfs_remove(struct dentry *debugfs_entry,
> +					   int debugfs_id)
> +{
> +}
>   static inline __printf(2, 3)
>   int shrinker_debugfs_rename(struct shrinker *shrinker, const char *fmt, ...)
>   {
> diff --git a/mm/shrinker_debug.c b/mm/shrinker_debug.c
> index 3f83b10c5031..fe10436d9911 100644
> --- a/mm/shrinker_debug.c
> +++ b/mm/shrinker_debug.c
> @@ -237,7 +237,8 @@ int shrinker_debugfs_rename(struct shrinker *shrinker, const char *fmt, ...)
>   }
>   EXPORT_SYMBOL(shrinker_debugfs_rename);
>   
> -struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
> +struct dentry *shrinker_debugfs_detach(struct shrinker *shrinker,
> +				       int *debugfs_id)
>   {
>   	struct dentry *entry = shrinker->debugfs_entry;
>   
> @@ -246,14 +247,18 @@ struct dentry *shrinker_debugfs_remove(struct shrinker *shrinker)
>   	kfree_const(shrinker->name);
>   	shrinker->name = NULL;
>   
> -	if (entry) {
> -		ida_free(&shrinker_debugfs_ida, shrinker->debugfs_id);
> -		shrinker->debugfs_entry = NULL;
> -	}
> +	*debugfs_id = entry ? shrinker->debugfs_id : -1;
> +	shrinker->debugfs_entry = NULL;
>   
>   	return entry;
>   }
>   
> +void shrinker_debugfs_remove(struct dentry *debugfs_entry, int debugfs_id)
> +{

It would be better to add a check:

	if (!debugfs_entry)
		return;

> +	debugfs_remove_recursive(debugfs_entry);
> +	ida_free(&shrinker_debugfs_ida, debugfs_id);
> +}
> +
>   static int __init shrinker_debugfs_init(void)
>   {
>   	struct shrinker *shrinker;
> diff --git a/mm/vmscan.c b/mm/vmscan.c
> index 5bde07409303..c7d0faa343e0 100644
> --- a/mm/vmscan.c
> +++ b/mm/vmscan.c
> @@ -805,6 +805,7 @@ EXPORT_SYMBOL(register_shrinker);
>   void unregister_shrinker(struct shrinker *shrinker)
>   {
>   	struct dentry *debugfs_entry;
> +	int debugfs_id;
>   
>   	if (!(shrinker->flags & SHRINKER_REGISTERED))
>   		return;
> @@ -814,13 +815,13 @@ void unregister_shrinker(struct shrinker *shrinker)
>   	shrinker->flags &= ~SHRINKER_REGISTERED;
>   	if (shrinker->flags & SHRINKER_MEMCG_AWARE)
>   		unregister_memcg_shrinker(shrinker);
> -	debugfs_entry = shrinker_debugfs_remove(shrinker);
> +	debugfs_entry = shrinker_debugfs_detach(shrinker, &debugfs_id);
>   	mutex_unlock(&shrinker_mutex);
>   
>   	atomic_inc(&shrinker_srcu_generation);
>   	synchronize_srcu(&shrinker_srcu);
>   
> -	debugfs_remove_recursive(debugfs_entry);
> +	shrinker_debugfs_remove(debugfs_entry, debugfs_id);
>   
>   	kfree(shrinker->nr_deferred);
>   	shrinker->nr_deferred = NULL;

-- 
Thanks,
Qi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ