Re: [PATCH] mm: memcontrol: fix possible memcg leak due to interrupted reclaim

From: Vladimir Davydov
Date: Mon Dec 14 2015 - 13:58:48 EST


On Mon, Dec 14, 2015 at 10:19:01AM -0500, Johannes Weiner wrote:
...
> > @@ -859,14 +859,12 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
> > if (prev && reclaim->generation != iter->generation)
> > goto out_unlock;
> >
> > - do {
> > + while (1) {
> > pos = READ_ONCE(iter->position);
> > - /*
> > - * A racing update may change the position and
> > - * put the last reference, hence css_tryget(),
> > - * or retry to see the updated position.
> > - */
> > - } while (pos && !css_tryget(&pos->css));
> > + if (!pos || css_tryget(&pos->css))
> > + break;
> > + cmpxchg(&iter->position, pos, NULL);
> > + }
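Review bot: the `cmpxchg(&iter->position, pos, NULL)` on the tryget-failure path needs a comment, since the hunk also deletes the only comment that explained the loop. The point to state is that the reader clears the stale pointer itself instead of spinning until `->css_free` clears `iter->position`; on a non-preemptible UP system (or with an RT scheduler) the spinning reader can block that work from ever running, so a plain `do { ... } while (pos && !css_tryget(&pos->css));` is not safe to wait on. Suggest a comment above the `cmpxchg()` along the lines of "tryget failed: the css is dying, clear the stale position ourselves rather than waiting for css_free".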
>
> This cmpxchg() looks a little strange. Once tryget fails, the iterator
> should be clear soon enough, no? If not, a comment would be good here.

If we are running on an unpreemptible UP system, busy-waiting might
block the ->css_free work, which is supposed to clear iter->position,
resulting in a deadlock. I guess it might happen on SMP if the RT
scheduler is used. Will add a comment here.

>
> > @@ -912,12 +910,7 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
> > }
> >
> > if (reclaim) {
> > - if (cmpxchg(&iter->position, pos, memcg) == pos) {
> > - if (memcg)
> > - css_get(&memcg->css);
> > - if (pos)
> > - css_put(&pos->css);
> > - }
> > + cmpxchg(&iter->position, pos, memcg);
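Review bot: the new `cmpxchg(&iter->position, pos, memcg);` publishes `memcg` without a `css_get()`, so the iterator no longer holds a reference on what it points to. That is only correct because the freeing path clears `iter->position` before the css is RCU-freed, so anyone who read the pointer under `rcu_read_lock()` can still run `css_tryget()` on it; that invariant lives outside this hunk and should be spelled out in a comment here, so a later change to the free path does not silently reintroduce a use-after-free. Worth also noting in the comment that the `cmpxchg()` return value is ignored on purpose: losing the race just means another reader published a position.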
>
> This looks correct. The next iteration or break will put the memcg,
> potentially free it, which will clear it from the iterator and then
> rcu-free the css. Anybody who sees a pointer set under the RCU lock
> can safely run css_tryget() against it. Awesome!
>
> Care to resend this with changelog?

Will do.

Thanks,
Vladimir
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
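To make the two loops concrete, here is a constructed userspace model of the iterator position handling discussed above. It is an added example, not kernel code and not the patch under review: `css_tryget()`, `css_put()` and the iterator's `cmpxchg()` are stand-ins built on C11 atomics, and a css whose refcount has reached zero plays the role of a memcg whose last reference was dropped but whose `css_free` work has not yet cleared the position. The names `scenario_live`, `scenario_stale` and `old_loop_spins` are hypothetical helpers for this model.

```c
/* Userspace model of the memcg iterator position loop (constructed example,
 * not kernel code). Refcount 0 means "dying": css_tryget() must fail. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct css {
    atomic_int refcnt;
};

struct iter {
    _Atomic(struct css *) position;
};

/* Stand-in for css_tryget(): take a reference only while refcnt > 0. */
static bool css_tryget(struct css *c)
{
    int old = atomic_load(&c->refcnt);
    while (old > 0) {
        if (atomic_compare_exchange_weak(&c->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

static void css_put(struct css *c)
{
    atomic_fetch_sub(&c->refcnt, 1);
}

/* Patched loop: on tryget failure the reader clears the stale pointer
 * itself (cmpxchg to NULL) instead of waiting for css_free to do it.
 * Returns a referenced css or NULL; *retries counts clearing attempts. */
static struct css *iter_get_position(struct iter *it, int *retries)
{
    struct css *pos;
    *retries = 0;
    while (1) {
        pos = atomic_load(&it->position);
        if (!pos || css_tryget(pos))
            break;
        struct css *expected = pos;
        atomic_compare_exchange_strong(&it->position, &expected, NULL);
        (*retries)++;
    }
    return pos;
}

/* Pre-patch loop for comparison: it exits only once someone else clears
 * the position. With nobody able to do so (the UP case in the thread) it
 * would spin forever; here it is capped. Returns the spins performed. */
static int old_loop_spins(struct iter *it, int cap)
{
    int spins = 0;
    struct css *pos;
    do {
        pos = atomic_load(&it->position);
        if (++spins >= cap)
            break;
    } while (pos && !css_tryget(pos));
    if (pos && spins < cap)
        css_put(pos);
    return spins;
}

/* Live position: reader takes a reference, no retries. Returns the
 * refcount seen while the reference is held (owner + reader = 2). */
static int scenario_live(void)
{
    struct css live;
    struct iter it;
    int retries, held;
    atomic_init(&live.refcnt, 1);
    atomic_init(&it.position, &live);
    struct css *pos = iter_get_position(&it, &retries);
    held = pos ? atomic_load(&pos->refcnt) : -1;
    if (pos)
        css_put(pos);
    return retries == 0 ? held : -1;
}

/* Stale position (dying css): the patched loop clears it in one retry
 * and returns NULL. Returns the retry count, or -1 if not cleared. */
static int scenario_stale(void)
{
    struct css dead;
    struct iter it;
    int retries;
    atomic_init(&dead.refcnt, 0);
    atomic_init(&it.position, &dead);
    struct css *pos = iter_get_position(&it, &retries);
    bool cleared = pos == NULL && atomic_load(&it.position) == NULL;
    return cleared ? retries : -1;
}

/* Same stale position fed to the old loop: it hits the spin cap. */
static int scenario_stale_old_loop(int cap)
{
    struct css dead;
    struct iter it;
    atomic_init(&dead.refcnt, 0);
    atomic_init(&it.position, &dead);
    return old_loop_spins(&it, cap);
}

int main(void)
{
    printf("live: refcnt held = %d\n", scenario_live());
    printf("stale, patched loop: retries = %d\n", scenario_stale());
    printf("stale, old loop: spins = %d (capped)\n", scenario_stale_old_loop(1000));
    return 0;
}
```

The model deliberately has no `css_free` worker: that is exactly the situation the thread describes on a non-preemptible UP system, where the spinning reader prevents the work from running, so the old loop never terminates while the patched loop clears the position and moves on.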