From: Shakeel Butt <shakeelb@google.com>
To: Muchun Song <songmuchun@bytedance.com>
Cc: Roman Gushchin <guro@fb.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Michal Hocko <mhocko@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Vladimir Davydov <vdavydov.dev@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
Linux MM <linux-mm@kvack.org>,
Xiongchun duan <duanxiongchun@bytedance.com>
Subject: Re: [PATCH v5 1/7] mm: memcontrol: slab: fix obtain a reference to a freeing memcg
Date: Fri, 19 Mar 2021 11:26:54 -0700 [thread overview]
Message-ID: <CALvZod73P5QORH58wRi4a2wNnhxCKsGWkFB8Ko79G8SNWr9fhg@mail.gmail.com> (raw)
In-Reply-To: <20210319163821.20704-2-songmuchun@bytedance.com>
On Fri, Mar 19, 2021 at 9:38 AM Muchun Song <songmuchun@bytedance.com> wrote:
>
> The rcu_read_lock/unlock only can guarantee that the memcg will not be
> freed, but it cannot guarantee the success of css_get (which is in the
> refill_stock when cached memcg changed) to memcg.
>
> rcu_read_lock()
> memcg = obj_cgroup_memcg(old)
> __memcg_kmem_uncharge(memcg)
> refill_stock(memcg)
> if (stock->cached != memcg)
> // css_get can change the ref counter from 0 back to 1.
> css_get(&memcg->css)
> rcu_read_unlock()
>
> This fix is very like the commit:
>
> eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge")
>
> Fix this by holding a reference to the memcg which is passed to the
> __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
>
> Fixes: 3de7d4f25a74 ("mm: memcg/slab: optimize objcg stock draining")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Good catch.
Reviewed-by: Shakeel Butt <shakeelb@google.com>
next prev parent reply other threads:[~2021-03-19 18:28 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-19 16:38 [PATCH v5 0/7] Use obj_cgroup APIs to charge kmem pages Muchun Song
2021-03-19 16:38 ` [PATCH v5 1/7] mm: memcontrol: slab: fix obtain a reference to a freeing memcg Muchun Song
2021-03-19 18:26 ` Shakeel Butt [this message]
2021-03-19 18:26 ` Shakeel Butt
2021-03-22 14:46 ` Johannes Weiner
2021-03-23 9:18 ` [External] " Muchun Song
2021-03-23 9:18 ` Muchun Song
2021-03-22 18:17 ` Roman Gushchin
2021-03-19 16:38 ` [PATCH v5 2/7] mm: memcontrol: introduce obj_cgroup_{un}charge_pages Muchun Song
2021-03-19 16:38 ` [PATCH v5 3/7] mm: memcontrol: directly access page->memcg_data in mm/page_alloc.c Muchun Song
2021-03-19 16:38 ` [PATCH v5 4/7] mm: memcontrol: change ug->dummy_page only if memcg changed Muchun Song
2021-03-19 16:38 ` [PATCH v5 5/7] mm: memcontrol: use obj_cgroup APIs to charge kmem pages Muchun Song
2021-03-19 18:27 ` Shakeel Butt
2021-03-19 18:27 ` Shakeel Butt
2021-03-22 18:13 ` Roman Gushchin
2021-03-19 16:38 ` [PATCH v5 6/7] mm: memcontrol: inline __memcg_kmem_{un}charge() into obj_cgroup_{un}charge_pages() Muchun Song
2021-03-19 18:41 ` Shakeel Butt
2021-03-19 18:41 ` Shakeel Butt
2021-03-22 14:34 ` Johannes Weiner
2021-03-22 18:14 ` Roman Gushchin
2021-03-19 16:38 ` [PATCH v5 7/7] mm: memcontrol: move PageMemcgKmem to the scope of CONFIG_MEMCG_KMEM Muchun Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALvZod73P5QORH58wRi4a2wNnhxCKsGWkFB8Ko79G8SNWr9fhg@mail.gmail.com \
--to=shakeelb@google.com \
--cc=akpm@linux-foundation.org \
--cc=duanxiongchun@bytedance.com \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=songmuchun@bytedance.com \
--cc=vdavydov.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.