Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932325AbbLNS6i (ORCPT <rfc822;w@1wt.eu>);
	Mon, 14 Dec 2015 13:58:38 -0500
Received: from mx2.parallels.com ([199.115.105.18]:59685 "EHLO
	mx2.parallels.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932199AbbLNS5u (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 14 Dec 2015 13:57:50 -0500
Date: Mon, 14 Dec 2015 21:57:39 +0300
From: Vladimir Davydov <vdavydov@virtuozzo.com>
To: Johannes Weiner <hannes@cmpxchg.org>
CC: Andrew Morton <akpm@linux-foundation.org>,
        Michal Hocko <mhocko@kernel.org>, <stable@vger.kernel.org>,
        <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: memcontrol: fix possible memcg leak due to
 interrupted reclaim
Message-ID: <20151214185739.GG28521@esperanza>
References: <1449927242-9608-1-git-send-email-vdavydov@virtuozzo.com>
 <20151212164540.GA7107@cmpxchg.org>
 <20151212191855.GE28521@esperanza>
 <20151214151901.GA13289@cmpxchg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20151214151901.GA13289@cmpxchg.org>
X-ClientProxiedBy: US-EXCH2.sw.swsoft.com (10.255.249.46) To
 US-EXCH.sw.swsoft.com (10.255.249.47)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1966
Lines: 57

On Mon, Dec 14, 2015 at 10:19:01AM -0500, Johannes Weiner wrote:
...
> > @@ -859,14 +859,12 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
> >  		if (prev && reclaim->generation != iter->generation)
> >  			goto out_unlock;
> >  
> > -		do {
> > +		while (1) {
> >  			pos = READ_ONCE(iter->position);
> > -			/*
> > -			 * A racing update may change the position and
> > -			 * put the last reference, hence css_tryget(),
> > -			 * or retry to see the updated position.
> > -			 */
> > -		} while (pos && !css_tryget(&pos->css));
> > +			if (!pos || css_tryget(&pos->css))
> > +				break;
> > +			cmpxchg(&iter->position, pos, NULL);
> > +		}
> 
> This cmpxchg() looks a little strange. Once tryget fails, the iterator
> should be clear soon enough, no? If not, a comment would be good here.

If we are running on an unpreemptible UP system, busy-waiting might
block the ->css_free work, which is supposed to clear iter->position,
resulting in a dead lock. I guess it might happen on SMP if RT scheduler
is used. Will add a comment here.

> 
> > @@ -912,12 +910,7 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
> >  	}
> >  
> >  	if (reclaim) {
> > -		if (cmpxchg(&iter->position, pos, memcg) == pos) {
> > -			if (memcg)
> > -				css_get(&memcg->css);
> > -			if (pos)
> > -				css_put(&pos->css);
> > -		}
> > +		cmpxchg(&iter->position, pos, memcg);
> 
> This looks correct. The next iteration or break will put the memcg,
> potentially free it, which will clear it from the iterator and then
> rcu-free the css. Anybody who sees a pointer set under the RCU lock
> can safely run css_tryget() against it. Awesome!
> 
> Care to resend this with changelog?

Will do.

Thanks,
Vladimir
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/