| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <32b9d3c0-e22a-4960-a5da-a3f21c990a3a@suse.cz>
Date: Tue, 25 Feb 2025 15:12:39 +0100
From: Vlastimil Babka <vbabka@...e.cz>
To: Uladzislau Rezki <urezki@...il.com>
Cc: Keith Busch <kbusch@...nel.org>, "Paul E. McKenney" <paulmck@...nel.org>,
Joel Fernandes <joel@...lfernandes.org>,
Josh Triplett <josh@...htriplett.org>, Boqun Feng <boqun.feng@...il.com>,
Christoph Lameter <cl@...ux.com>, David Rientjes <rientjes@...gle.com>,
Steven Rostedt <rostedt@...dmis.org>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Lai Jiangshan <jiangshanlai@...il.com>, Zqiang <qiang.zhang1211@...il.com>,
Julia Lawall <Julia.Lawall@...ia.fr>, Jakub Kicinski <kuba@...nel.org>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Hyeonggon Yoo <42.hyeyoo@...il.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, rcu@...r.kernel.org,
Alexander Potapenko <glider@...gle.com>, Marco Elver <elver@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com,
Jann Horn <jannh@...gle.com>, Mateusz Guzik <mjguzik@...il.com>,
linux-nvme@...ts.infradead.org, leitao@...ian.org
Subject: Re: [PATCH v2 6/7] mm, slab: call kvfree_rcu_barrier() from
kmem_cache_destroy()
On 2/25/25 14:39, Uladzislau Rezki wrote:
> On Tue, Feb 25, 2025 at 10:57:38AM +0100, Vlastimil Babka wrote:
>> On 2/24/25 12:44, Uladzislau Rezki wrote:
>> > On Fri, Feb 21, 2025 at 06:28:49PM +0100, Vlastimil Babka wrote:
>> >> On 2/21/25 17:30, Keith Busch wrote:
>> >> > ------------[ cut here ]------------
>> >> > workqueue: WQ_MEM_RECLAIM nvme-wq:nvme_scan_work is flushing !WQ_MEM_RECLAIM events_unbound:kfree_rcu_work
>> >>
>> >> Maybe instead kfree_rcu_work should be using a WQ_MEM_RECLAIM workqueue? It
>> >> is after all freeing memory. Ulad, what do you think?
>> >>
>> > We reclaim memory, therefore WQ_MEM_RECLAIM seems what we need.
>> > AFAIR, there is an extra rescue worker, which can really help
>> > under a low memory condition in a way that we do a progress.
>> >
>> > Do we have a reproducer of mentioned splat?
>>
>> I tried to create a kunit test for it, but it doesn't trigger anything. Maybe
>> it's too simple, or racy, and thus we are not flushing any of the queues from
>> kvfree_rcu_barrier()?
>>
> See some comments below. I will try to reproduce it today. But from the
> first glance it should trigger it.
>
>> ----8<----
>> From 1e19ea78e7fe254034970f75e3b7cb705be50163 Mon Sep 17 00:00:00 2001
>> From: Vlastimil Babka <vbabka@...e.cz>
>> Date: Tue, 25 Feb 2025 10:51:28 +0100
>> Subject: [PATCH] add test for kmem_cache_destroy in a workqueue
>>
>> ---
>> lib/slub_kunit.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 48 insertions(+)
>>
>> diff --git a/lib/slub_kunit.c b/lib/slub_kunit.c
>> index f11691315c2f..5fe9775fba05 100644
>> --- a/lib/slub_kunit.c
>> +++ b/lib/slub_kunit.c
>> @@ -6,6 +6,7 @@
>> #include <linux/module.h>
>> #include <linux/kernel.h>
>> #include <linux/rcupdate.h>
>> +#include <linux/delay.h>
>> #include "../mm/slab.h"
>>
>> static struct kunit_resource resource;
>> @@ -181,6 +182,52 @@ static void test_kfree_rcu(struct kunit *test)
>> KUNIT_EXPECT_EQ(test, 0, slab_errors);
>> }
>>
>> +struct cache_destroy_work {
>> + struct work_struct work;
>> + struct kmem_cache *s;
>> +};
>> +
>> +static void cache_destroy_workfn(struct work_struct *w)
>> +{
>> + struct cache_destroy_work *cdw;
>> +
>> + cdw = container_of(w, struct cache_destroy_work, work);
>> +
>> + kmem_cache_destroy(cdw->s);
>> +}
>> +
>> +static void test_kfree_rcu_wq_destroy(struct kunit *test)
>> +{
>> + struct test_kfree_rcu_struct *p;
>> + struct cache_destroy_work cdw;
>> + struct workqueue_struct *wq;
>> + struct kmem_cache *s;
>> +
>> + if (IS_BUILTIN(CONFIG_SLUB_KUNIT_TEST))
>> + kunit_skip(test, "can't do kfree_rcu() when test is built-in");
>> +
>> + INIT_WORK_ONSTACK(&cdw.work, cache_destroy_workfn);
>> + wq = alloc_workqueue("test_kfree_rcu_destroy_wq", WQ_UNBOUND | WQ_MEM_RECLAIM, 0);
>>
> Maybe it is worth to add WQ_HIGHPRI also to be ahead?
I looked at what nvme_wq uses:
unsigned int wq_flags = WQ_UNBOUND | WQ_MEM_RECLAIM | WQ_SYSFS;
HIGHPRI wasn't there, and sysfs didn't seem important.
>> + if (!wq)
>> + kunit_skip(test, "failed to alloc wq");
>> +
>> + s = test_kmem_cache_create("TestSlub_kfree_rcu_wq_destroy",
>> + sizeof(struct test_kfree_rcu_struct),
>> + SLAB_NO_MERGE);
>> + p = kmem_cache_alloc(s, GFP_KERNEL);
>> +
>> + kfree_rcu(p, rcu);
>> +
>> + cdw.s = s;
>> + queue_work(wq, &cdw.work);
>> + msleep(1000);
> I am not sure it is needed. From the other hand it does nothing if
> i do not miss anything.
I've tried to add that in case it makes any difference (letting the
processing be done on its own instead of flushing immediately), but the
results was the same either way, no warning. AFAICS it also doesn't depend
on some debug CONFIG_ I could be missing, but maybe I'm wrong.
Hope you have more success :) Thanks.
>> + flush_work(&cdw.work);
>> +
>> + destroy_workqueue(wq);
>> +
>> + KUNIT_EXPECT_EQ(test, 0, slab_errors);
>> +}
>> +
>> static void test_leak_destroy(struct kunit *test)
>> {
>> struct kmem_cache *s = test_kmem_cache_create("TestSlub_leak_destroy",
>> @@ -254,6 +301,7 @@ static struct kunit_case test_cases[] = {
>> KUNIT_CASE(test_clobber_redzone_free),
>> KUNIT_CASE(test_kmalloc_redzone_access),
>> KUNIT_CASE(test_kfree_rcu),
>> + KUNIT_CASE(test_kfree_rcu_wq_destroy),
>> KUNIT_CASE(test_leak_destroy),
>> KUNIT_CASE(test_krealloc_redzone_zeroing),
>> {}
>> --
>> 2.48.1
>>
>>
>
> --
> Uladzislau Rezki
Powered by blists - more mailing lists