From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754434AbcBCJof (ORCPT <rfc822;w@1wt.eu>);
	Wed, 3 Feb 2016 04:44:35 -0500
Received: from mx2.parallels.com ([199.115.105.18]:35823 "EHLO
	mx2.parallels.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753849AbcBCJoc (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 3 Feb 2016 04:44:32 -0500
Date: Wed, 3 Feb 2016 12:44:20 +0300
From: Vladimir Davydov <vdavydov@virtuozzo.com>
To: Dmitry Safonov <dsafonov@virtuozzo.com>
CC: <akpm@linux-foundation.org>, <cl@linux.com>, <penberg@kernel.org>,
        <rientjes@google.com>, <iamjoonsoo.kim@lge.com>, <linux-mm@kvack.org>,
        <linux-kernel@vger.kernel.org>, <0x7f454c46@gmail.com>
Subject: Re: [PATCHv3] mm/slab: fix race with dereferencing NULL ptr in
 alloc_calls_show
Message-ID: <20160203094420.GH21016@esperanza>
References: <1454485933-762-1-git-send-email-dsafonov@virtuozzo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1454485933-762-1-git-send-email-dsafonov@virtuozzo.com>
X-ClientProxiedBy: US-EXCH2.sw.swsoft.com (10.255.249.46) To
 US-EXCH.sw.swsoft.com (10.255.249.47)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 03, 2016 at 10:52:13AM +0300, Dmitry Safonov wrote:
...
> diff --git a/mm/slab_common.c b/mm/slab_common.c
> index b50aef0..2bfc0b1 100644
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -451,6 +451,8 @@ EXPORT_SYMBOL(kmem_cache_create);
>  static int shutdown_cache(struct kmem_cache *s,
>  		struct list_head *release, bool *need_rcu_barrier)
>  {
> +	sysfs_slab_remove(s);
> +

shutdown_cache is called with slab_mutex held. slab_attr_store may take
the mutex. So placing sysfs_slab_remove here introduces a potential
deadlock.

>  	if (__kmem_cache_shutdown(s) != 0)
>  		return -EBUSY;
>  
> @@ -468,13 +470,8 @@ static void release_caches(struct list_head *release, bool need_rcu_barrier)
>  	if (need_rcu_barrier)
>  		rcu_barrier();
>  
> -	list_for_each_entry_safe(s, s2, release, list) {
> -#ifdef SLAB_SUPPORTS_SYSFS
> -		sysfs_slab_remove(s);
> -#else
> +	list_for_each_entry_safe(s, s2, release, list)
>  		slab_kmem_cache_release(s);
> -#endif
> -	}
>  }
>  
>  #if defined(CONFIG_MEMCG) && !defined(CONFIG_SLOB)
> @@ -614,6 +611,7 @@ void memcg_destroy_kmem_caches(struct mem_cgroup *memcg)
>  	list_for_each_entry_safe(s, s2, &slab_caches, list) {
>  		if (is_root_cache(s) || s->memcg_params.memcg != memcg)
>  			continue;
> +

Please remove this hunk.

>  		/*
>  		 * The cgroup is about to be freed and therefore has no charges
>  		 * left. Hence, all its caches must be empty by now.
> diff --git a/mm/slub.c b/mm/slub.c
> index 2e1355a..b6a68b7 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -5296,11 +5296,6 @@ static void memcg_propagate_slab_attrs(struct kmem_cache *s)
>  #endif
>  }
>  
> -static void kmem_cache_release(struct kobject *k)
> -{
> -	slab_kmem_cache_release(to_slab(k));
> -}
> -
>  static const struct sysfs_ops slab_sysfs_ops = {
>  	.show = slab_attr_show,
>  	.store = slab_attr_store,
> @@ -5308,7 +5303,6 @@ static const struct sysfs_ops slab_sysfs_ops = {
>  
>  static struct kobj_type slab_ktype = {
>  	.sysfs_ops = &slab_sysfs_ops,
> -	.release = kmem_cache_release,

I surmise this will resurrect the bug that was fixed by 41a212859a4dd
("slub: use sysfs'es release mechanism for kmem_cache").

Thanks,
Vladimir