From: Glauber Costa <glommer@parallels.com>
To: JoonSoo Kim <js1304@gmail.com>
Cc: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<cgroups@vger.kernel.org>, Mel Gorman <mgorman@suse.de>,
	Tejun Heo <tj@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Michal Hocko <mhocko@suse.cz>,
	Johannes Weiner <hannes@cmpxchg.org>,
	<kamezawa.hiroyu@jp.fujitsu.com>,
	Christoph Lameter <cl@linux.com>,
	"David Rientjes" <rientjes@google.com>,
	Pekka Enberg <penberg@kernel.org>, <devel@openvz.org>,
	Suleiman Souhlal <suleiman@google.com>,
	Pekka Enberg <penberg@cs.helsinki.fi>
Subject: Re: [PATCH v5 13/18] memcg/sl[au]b Track all the memcg children of a kmem_cache.
Date: Tue, 30 Oct 2012 15:31:37 +0400
Message-ID: <508FBA99.3010009@parallels.com>
In-Reply-To: <CAAmzW4MGdj-jL_FJ2Nkoa4Hx8KUDCeVK6HFidYQLauu_0vHhCg@mail.gmail.com>

On 10/29/2012 07:26 PM, JoonSoo Kim wrote:
> 2012/10/19 Glauber Costa <glommer@parallels.com>:
>> +void kmem_cache_destroy_memcg_children(struct kmem_cache *s)
>> +{
>> +       struct kmem_cache *c;
>> +       int i;
>> +
>> +       if (!s->memcg_params)
>> +               return;
>> +       if (!s->memcg_params->is_root_cache)
>> +               return;
>> +
>> +       /*
>> +        * If the cache is being destroyed, we trust that there is no one else
>> +        * requesting objects from it. Even if there are, the sanity checks in
>> +        * kmem_cache_destroy should caught this ill-case.
>> +        *
>> +        * Still, we don't want anyone else freeing memcg_caches under our
>> +        * noses, which can happen if a new memcg comes to life. As usual,
>> +        * we'll take the set_limit_mutex to protect ourselves against this.
>> +        */
>> +       mutex_lock(&set_limit_mutex);
>> +       for (i = 0; i < memcg_limited_groups_array_size; i++) {
>> +               c = s->memcg_params->memcg_caches[i];
>> +               if (c)
>> +                       kmem_cache_destroy(c);
>> +       }
>> +       mutex_unlock(&set_limit_mutex);
>> +}
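Review bot: in the for loop, kmem_cache_destroy(c) is called on each child with nothing done about destroy work that may already be queued for that child, so, as the scenario raised in this thread describes, a delayed worker can run after the root cache has torn the child down and find its cache pointer NULL. Cancel any pending work for c before destroying it (checking that waiting for the worker while set_limit_mutex is held cannot deadlock), or make the worker tolerate a cleared memcg_caches[i] slot. The comment's "should caught this ill-case" should also read "should catch".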
> 
> It may cause NULL deref.
> Look at the following scenario.
> 
> 1. Some memcg slab caches have remaining objects.
> 2. Start to destroy memcg.
> 3. schedule_delayed_work(kmem_cache_destroy_work_func, @delay 60hz)
> 4. All remaining objects are freed.
> 5. Start to destroy root cache.
> 6. kmem_cache_destroy makes 's->memcg_params->memcg_caches[i]' NULL!!
> 7. Start delayed work function.
> 8. cachep in kmem_cache_destroy_work_func() may be NULL.
> 
> Thanks.
> 
Thanks for spotting. This is the same problem we have in
memcg_cache_destroy(), which I solved by not respawning the worker.

In here, I believe it should be possible to just cancel all remaining
pending work, since we are now in the process of deleting the caches
ourselves.



