[rh7] mm/memcg: fix css_tryget(), css_put() imbalance

Details

Message ID	20200715132557.2249-1-aryabinin@virtuozzo.com
State	New
Series	"mm/memcg: fix css_tryget(), css_put() imbalance"
Headers	show Delivered-To: criupatchwork@gmail.com Received-SPF: pass (google.com: domain of devel-bounces@openvz.org designates 185.231.241.50 as permitted sender) client-ip=185.231.241.50; Received-SPF: Pass (protection.outlook.com: domain of virtuozzo.com designates 185.231.240.75 as permitted sender) receiver=protection.outlook.com; client-ip=185.231.240.75; helo=relay3.sw.ru; From: Andrey Ryabinin <aryabinin@virtuozzo.com> To: devel@openvz.org Date: Wed, 15 Jul 2020 16:25:57 +0300 Message-Id: <20200715132557.2249-1-aryabinin@virtuozzo.com> MIME-Version: 1.0 Subject: [Devel] [PATCH rh7] mm/memcg: fix css_tryget(), css_put() imbalance Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: devel-bounces@openvz.org Errors-To: devel-bounces@openvz.org

Message ID

20200715132557.2249-1-aryabinin@virtuozzo.com

State

New

Series

"mm/memcg: fix css_tryget(), css_put() imbalance"

Headers

show

Delivered-To: criupatchwork@gmail.com
Received: from imap.gmail.com [74.125.140.109]
	by patchwork.criu.org with IMAP (fetchmail-6.3.26)
	for <root@localhost> (single-drop);
	Wed, 15 Jul 2020 15:26:47 +0200 (CEST)
Received: by 2002:a5e:a91a:0:0:0:0:0 with SMTP id c26csp589899iod;
	Wed, 15 Jul 2020 06:26:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxpBzXDH5uKcgZmqthtl3xH4wxVKsPDcYoGfiPUbggCCaJujxaF9t00yt0PQPKXXEzy+n1q
X-Received: by 2002:a05:651c:502:: with SMTP id
	o2mr4634068ljp.434.1594819600930;
	Wed, 15 Jul 2020 06:26:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594819600; cv=none; d=google.com;
	s=arc-20160816;
	b=uQDBnr5bP8lUdk6CEZYTLJ5n96JTGKCpuNj1mvGoW0Msuzgz5uhk96jyRxtbZKHkIe
	jPiZzwgJ5/DmKZOlr5C2W0mqshBRog991F6BLGsJh6vny2TzsdD0ZTYApABHTaqdKIiH
	gj2R+Xx7Anu0K2EptEVKN/11GLjomJEfY2smwx2jGV2wxARl/uMM82MafTMKJDQa6Ion
	miSEWaG+bScReETVfxWiYdCL9ZPIEuvzAmMDWEmfV3GPHv4DyK7IN68EQSNlBDczrP9u
	Gk0ThhJbrnC5x3JBfoCAe2aphuZ7vGZFv6OTk0G4RubrwND5aL11OwYJo5TWLrU1jh5J
	j3uA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help
	:list-post:list-archive:list-unsubscribe:list-id:precedence:subject
	:mime-version:message-id:date:to:from;
	bh=V5ycfVxVQ6BgPPJEkq5MPf+9iTYnpJYDEBnTP1X1eAM=;
	b=qApsn9qK6QDbhQy/BsTg9ciMs7mqpJ39Xb+BwoZ1VXCzPcNYpyH0j1ixVxiyEaUo/s
	qKN3M5YzjqnaWZAxEXvYUNtHFD/XuWsVi53QeNk3NZItOqihMw4/kK8AzFg6iWqQeFkq
	XWhQUCTeFzAtGcd4EkNghCuNhJSjtTzbOLfmV4Fm4q5oe3W99W1IdEd/MBqQ35KHY/UM
	I7OzgW/aMiByFSmgJyTUaS6fRLnR7N+elNWoPWjgI4KjKdB0S+ll4nTwJSdxEfa5S5Ce
	gsUPdjh7EJJw8sQE+V1M9b/Y46F7Sre9Xio833deoaDtuEH/EwlNoLuwwx+uCOK1x77+
	UbQA==
ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain
	of devel-bounces@openvz.org designates
	185.231.241.50 as permitted sender)
	smtp.mailfrom=devel-bounces@openvz.org;
	dmarc=fail (p=NONE sp=NONE dis=NONE)
	header.from=virtuozzo.com
Return-Path: <devel-bounces@openvz.org>
Received: from mail.openvz.org (mail.openvz.org. [185.231.241.50]) by
	mx.google.com with ESMTPS id r14si1278325ljj.511.2020.07.15.06.26.39
	(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 15 Jul 2020 06:26:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of devel-bounces@openvz.org designates
	185.231.241.50 as permitted sender) client-ip=185.231.241.50;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
	devel-bounces@openvz.org designates 185.231.241.50 as permitted
	sender) smtp.mailfrom=devel-bounces@openvz.org;
	dmarc=fail (p=NONE sp=NONE dis=NONE)
	header.from=virtuozzo.com
Received: from localhost.localdomain (localhost [127.0.0.1]) by
	mail.openvz.org (8.14.4/8.14.4) with ESMTP id 06FDQ4bc010570;
	Wed, 15 Jul 2020 16:26:08 +0300
Received: from EUR01-VE1-obe.outbound.protection.outlook.com
	(mail-ve1eur01lp2050.outbound.protection.outlook.com [104.47.1.50])
	by mail.openvz.org (8.14.4/8.14.4) with ESMTP id 06FDQ2vQ010567 for
	<devel@openvz.org>; Wed, 15 Jul 2020 16:26:02 +0300
Received: from AM6PR08CA0031.eurprd08.prod.outlook.com (2603:10a6:20b:c0::19)
	by DB8PR08MB5051.eurprd08.prod.outlook.com (2603:10a6:10:bf::14) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.20;
	Wed, 15 Jul 2020 13:26:04 +0000
Received: from HE1EUR01FT061.eop-EUR01.prod.protection.outlook.com
	(2603:10a6:20b:c0:cafe::18) by AM6PR08CA0031.outlook.office365.com
	(2603:10a6:20b:c0::19) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3195.18 via
	Frontend Transport; Wed, 15 Jul 2020 13:26:04 +0000
Authentication-Results: spf=pass (sender IP is 185.231.240.75)
	smtp.mailfrom=virtuozzo.com; openvz.org;
	dkim=none (message not signed)
	header.d=none; openvz.org;
	dmarc=pass action=none header.from=virtuozzo.com; 
Received-SPF: Pass (protection.outlook.com: domain of virtuozzo.com
	designates
	185.231.240.75 as permitted sender) receiver=protection.outlook.com; 
	client-ip=185.231.240.75; helo=relay3.sw.ru;
Received: from relay3.sw.ru (185.231.240.75) by
	HE1EUR01FT061.mail.protection.outlook.com (10.152.1.6) with Microsoft
	SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
	15.20.3195.18 via Frontend Transport; Wed, 15 Jul 2020 13:26:03 +0000
Received: from [192.168.15.76] (helo=localhost.sw.ru) by relay3.sw.ru with
	esmtp (Exim 4.93) (envelope-from <aryabinin@virtuozzo.com>) id
	1jvhQA-00007l-6x; Wed, 15 Jul 2020 16:26:02 +0300
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
To: devel@openvz.org
Date: Wed, 15 Jul 2020 16:25:57 +0300
Message-Id: <20200715132557.2249-1-aryabinin@virtuozzo.com>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:185.231.240.75; CTRY:RU; LANG:en; SCL:-1;
	SRV:; IPV:CAL; SFV:SKN; H:relay3.sw.ru; PTR:relay.sw.ru; CAT:NONE;
	SFTY:; SFS:; DIR:INB; SFP:;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 142bc430-3782-40af-f4e0-08d828c29f80
X-MS-TrafficTypeDiagnostic: DB8PR08MB5051:
X-MS-Oob-TLC-OOBClassifiers: OLM:4941;
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?8X4XsD9OCzhfLAkuMg58iyjsMe1rnTcdsTF7Esu/Ugov17xomtDFpRSy0L+G?=
	=?us-ascii?Q?VCP4k/CHTIUFaEYSUcN7JbAqzPDdeLwYr75B7aIMxvytQqK4Ej/SlWVYodyM?=
	=?us-ascii?Q?yM1rcHmhe0Jso1OIlAw+5fZexfNebIMKi3NnH3F67f52cyoCzDK2Ibk8fTDy?=
	=?us-ascii?Q?HtQNIr863Mo6uYvaQ18jZNQVUS2R9qhFNjJFnlw/UVszJkZ5Zr85dIuoxjO5?=
	=?us-ascii?Q?IdFV6VTBROVCRQVCjstUv3M0xkeL9nDho5RQMMTBJBUYzTSFHVLtCxboAElQ?=
	=?us-ascii?Q?vUdGBd5QOiPERXtOfKqhBkzFfrGI/UNSMl7l3zx+ZgNVeo/6VAsLynMTk84k?=
	=?us-ascii?Q?V5LOsjMSg+KbIlwjhmeI8fSjL7CCB5C8hmOkv9Np083s7l8JSD2V5+yGum3e?=
	=?us-ascii?Q?4MAmDeykrYitLe4nA08oTTDWqkZZSKCyh01V1Nk+uNAq4RJfS0OADpZiTqNq?=
	=?us-ascii?Q?/JIpVy/E9IftyokauD6e6kxIqdkBYz2mjNSm9RkWDR03Y9TFByXKs7wBvsOE?=
	=?us-ascii?Q?7XuDavxvCWqAxetwiyvIKJW8Uh/H7j/lztqh9mGTuHd6/UTVxbGr1vLARif9?=
	=?us-ascii?Q?MJ1nv9gfKCZ7X/mhZWuivLtpDUrkloZSLklYlQRHJ51YYqZdxHRr5s+wSilw?=
	=?us-ascii?Q?6F1sSp1fV1giksGSktemrnvF/gCqDzYzyoLRB5Jn5ZfhTt1WoW4Y0ZwHPGyz?=
	=?us-ascii?Q?yiRP18LDwWaB4FNjVod6Z27KW8yMfJpiJgKzv+jFYbYlaJd86+cxc3cCXm1p?=
	=?us-ascii?Q?Zs8pvjjxwuU1t6EvLJDKSsKRlBULlXhlJpoWOUSymvpYxUgYiisP0TqPrH1/?=
	=?us-ascii?Q?ZvKCuArVsNdlpy5Hdqt9U3fKeh9Y5K7qlPopHU/U6Br1S7JO6cJhoZLI64Q2?=
	=?us-ascii?Q?PMS7Wk01JW8uUJL8hqRju6G6u4HFmTS5d36axHL7xwrEwwWBcphYOlnx4TWw?=
	=?us-ascii?Q?Xrzw6PlAQvjO/hr0MTk0r9Vx4qyF1Rs0Sp06COuSgh23iDjnQrTDMrwMQs1A?=
	=?us-ascii?Q?kqTPLsVWMvuJQBD91TbhOmOyYadL32Xo5WQ70uTjZpBSIuL6UepyDOLWoPrv?=
	=?us-ascii?Q?b+tSjp2p1A8gXpiCCupYucN+2WiRCTL/yicpWUqU+p5X2GTRSxaZFcyKhRct?=
	=?us-ascii?Q?PkE3yCzxJiNc/BXhNhIiyWznHil3qZ5c97sFsNJoL72g0YTEkzQf+Hb/b7fx?=
	=?us-ascii?Q?YKbQ24h25c+KLvsX4EuEoZ9ZboMnf6a85BeHL/TLtHkRTzw5xQtfnNrMWvx1?=
	=?us-ascii?Q?9iQ6V0pMLqDwqgpYXfAW19wwBafG8dLr5X11P/7dkpiOgBikgb+lGuX03otx?=
	=?us-ascii?Q?Qdg=3D?=
X-OriginatorOrg: virtuozzo.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jul 2020 13:26:03.7450
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 142bc430-3782-40af-f4e0-08d828c29f80
X-MS-Exchange-CrossTenant-Id: 0bc7f26d-0264-416e-a6fc-8352af79c58f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=0bc7f26d-0264-416e-a6fc-8352af79c58f; 
	Ip=[185.231.240.75]; Helo=[relay3.sw.ru]
X-MS-Exchange-CrossTenant-AuthSource: HE1EUR01FT061.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5051
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 185.231.240.75
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-AuthSource: HE1EUR01FT061.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Anonymous
X-MS-Exchange-CrossPremises-SCL: -1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DB8PR08MB5051.eurprd08.prod.outlook.com
Subject: [Devel] [PATCH rh7] mm/memcg: fix css_tryget(), css_put() imbalance
X-BeenThere: devel@openvz.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OpenVZ development <devel.openvz.org>
List-Unsubscribe: <https://lists.openvz.org/mailman/options/devel>,
	<mailto:devel-request@openvz.org?subject=unsubscribe>
List-Archive: <http://lists.openvz.org/pipermail/devel/>
List-Post: <mailto:devel@openvz.org>
List-Help: <mailto:devel-request@openvz.org?subject=help>
List-Subscribe: <https://lists.openvz.org/mailman/listinfo/devel>,
	<mailto:devel-request@openvz.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: devel-bounces@openvz.org
Errors-To: devel-bounces@openvz.org

Commit Message

Andrey Ryabinin July 15, 2020, 1:25 p.m.

If mem_cgroup_iter_load() goes to retry after failed read_seqretry():

retry:
	seq = read_seqbegin(&iter->last_visited_lock);
	if (iter->last_dead_count == *sequence) {
		position = READ_ONCE(iter->last_visited);

		if (read_seqretry(&iter->last_visited_lock, seq))
			goto retry:

and the condition is (iter->last_dead_count == *sequence) false,
mem_cgroup_iter_load() will return non-NULL position, without doing
css_tryget(). This leads to extra css_put() in mem_cgroup_iter_update()
and kernel crash later.

Fix this by NULLifying 'position' on each retry.

https://jira.sw.ru/browse/PSBM-98148
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 mm/memcontrol.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 34c9c4745594..d989111f8d18 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1520,7 +1520,7 @@  mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter,
 		     struct mem_cgroup *root,
 		     int *sequence)
 {
-	struct mem_cgroup *position = NULL;
+	struct mem_cgroup *position;
 	unsigned seq;
 
 	/*
@@ -1533,6 +1533,7 @@  mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter,
 	 */
 	*sequence = atomic_read(&root->dead_count);
 retry:
+	position = NULL;
 	seq = read_seqbegin(&iter->last_visited_lock);
 	if (iter->last_dead_count == *sequence) {
 		position = READ_ONCE(iter->last_visited);

Comments

Konstantin Khorenko July 15, 2020, 3:11 p.m.

On 07/15/2020 04:25 PM, Andrey Ryabinin wrote:
> If mem_cgroup_iter_load() goes to retry after failed read_seqretry():
>
> retry:
> 	seq = read_seqbegin(&iter->last_visited_lock);
> 	if (iter->last_dead_count == *sequence) {
> 		position = READ_ONCE(iter->last_visited);
>
> 		if (read_seqretry(&iter->last_visited_lock, seq))
> 			goto retry:
>
> and the condition is (iter->last_dead_count == *sequence) false,
> mem_cgroup_iter_load() will return non-NULL position, without doing
> css_tryget(). This leads to extra css_put() in mem_cgroup_iter_update()
> and kernel crash later.
>
> Fix this by NULLifying 'position' on each retry.
>
> https://jira.sw.ru/browse/PSBM-98148
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>

Acked-by: Konstantin Khorenko <khorenko@virtuozzo.com>

> ---
>  mm/memcontrol.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 34c9c4745594..d989111f8d18 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -1520,7 +1520,7 @@ mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter,
>  		     struct mem_cgroup *root,
>  		     int *sequence)
>  {
> -	struct mem_cgroup *position = NULL;
> +	struct mem_cgroup *position;
>  	unsigned seq;
>
>  	/*
> @@ -1533,6 +1533,7 @@ mem_cgroup_iter_load(struct mem_cgroup_reclaim_iter *iter,
>  	 */
>  	*sequence = atomic_read(&root->dead_count);
>  retry:
> +	position = NULL;
>  	seq = read_seqbegin(&iter->last_visited_lock);
>  	if (iter->last_dead_count == *sequence) {
>  		position = READ_ONCE(iter->last_visited);
>