From: Eric Dumazet
Date: Thu, 1 Feb 2018 13:17:56 -0800
Subject: Re: [PATCH net] net: memcontrol: charge allocated memory after mem_cgroup_sk_alloc()
To: Roman Gushchin
Cc: "David S. Miller", netdev, LKML, kernel-team, Johannes Weiner, Tejun Heo
In-Reply-To: <20180201202158.GA11477@castle.DHCP.thefacebook.com>
References: <20180125001911.15597-1-guro@fb.com> <20180125.120302.1117695034222616751.davem@davemloft.net> <20180131215401.GA8956@castle> <20180201.101655.1316424669256047119.davem@davemloft.net> <20180201202158.GA11477@castle.DHCP.thefacebook.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 1, 2018 at 12:22 PM, Roman Gushchin wrote:
> On Thu, Feb 01, 2018 at 10:16:55AM -0500, David Miller wrote:
>> From: Roman Gushchin
>> Date: Wed, 31 Jan 2018 21:54:08 +0000
>>
>> > So I really start thinking that reverting 9f1c2674b328
>> > ("net: memcontrol: defer call to mem_cgroup_sk_alloc()")
>> > and fixing the original issue differently might be easier
>> > and a proper way to go. Does it make sense?
>>
>> You'll need to work that out with Eric Dumazet who added the
>> change in question which you think we should revert.
>
> Eric,
>
> can you, please, provide some details about the use-after-free problem
> that you've fixed with commit 9f1c2674b328 ("net: memcontrol: defer call
> to mem_cgroup_sk_alloc()" ? Do you know how to reproduce it?
>
> Deferring mem_cgroup_sk_alloc() breaks socket memory accounting
> and makes it much more fragile in general. So, I wonder, if there are
> solutions for the use-after-free problem.
>
> Thank you!
>
> Roman

Unfortunately bug is not public
(Google-Bug-Id 67556600 for Googlers following this thread)

Our kernel has a debug feature on percpu_ref_get_many() which detects
the typical use-after-free problem of
doing atomic_long_add(nr, &ref->count); while ref->count is 0, or
memory already freed.

Bug was serious because css_put() will release the css a second time.

Stack trace looked like:

Oct 8 00:23:14 lphh23 kernel: [27239.568098] [] dump_stack+0x4d/0x6c
Oct 8 00:23:14 lphh23 kernel: [27239.568108] [] ? cgroup_get+0x43/0x50
Oct 8 00:23:14 lphh23 kernel: [27239.568114] [] warn_slowpath_common+0xac/0xc8
Oct 8 00:23:14 lphh23 kernel: [27239.568117] [] warn_slowpath_null+0x1a/0x1c
Oct 8 00:23:14 lphh23 kernel: [27239.568120] [] cgroup_get+0x43/0x50
Oct 8 00:23:14 lphh23 kernel: [27239.568123] [] cgroup_sk_alloc+0x64/0x90
Oct 8 00:23:14 lphh23 kernel: [27239.568128] [] sk_clone_lock+0x2d1/0x400
Oct 8 00:23:14 lphh23 kernel: [27239.568134] [] inet_csk_clone_lock+0x16/0x100
Oct 8 00:23:14 lphh23 kernel: [27239.568138] [] tcp_create_openreq_child+0x23/0x600
Oct 8 00:23:14 lphh23 kernel: [27239.568143] [] tcp_v6_syn_recv_sock+0x26a/0x8f0
Oct 8 00:23:14 lphh23 kernel: [27239.568146] [] tcp_check_req+0x1ce/0x440
Oct 8 00:23:14 lphh23 kernel: [27239.568152] [] tcp_v6_rcv+0x9cc/0x22a0
Oct 8 00:23:14 lphh23 kernel: [27239.568155] [] ? ip6table_mangle_hook+0x42/0x190
Oct 8 00:23:14 lphh23 kernel: [27239.568158] [] ip6_input+0x1ab/0x400
Oct 8 00:23:14 lphh23 kernel: [27239.568162] [] ? ip6_rcv_finish+0x93/0x93
Oct 8 00:23:14 lphh23 kernel: [27239.568165] [] ipv6_rcv+0x32d/0x5b0
Oct 8 00:23:14 lphh23 kernel: [27239.568167] [] ? ip6_fragment+0x965/0x965
Oct 8 00:23:14 lphh23 kernel: [27239.568171] [] process_backlog+0x39c/0xc50
Oct 8 00:23:14 lphh23 kernel: [27239.568177] [] ? ktime_get+0x35/0xa0
Oct 8 00:23:14 lphh23 kernel: [27239.568180] [] ? clockevents_program_event+0x81/0x1c0
Oct 8 00:23:14 lphh23 kernel: [27239.568183] [] net_rx_action+0x10e/0x360
Oct 8 00:23:14 lphh23 kernel: [27239.568190] [] __do_softirq+0x151/0x2f5
Oct 8 00:23:14 lphh23 kernel: [27239.568196] [] do_softirq_own_stack+0x1c/0x30
Oct 8 00:23:14 lphh23 kernel: [27239.568197] [] __local_bh_enable_ip+0x6b/0xa0
Oct 8 00:23:14 lphh23 kernel: [27239.568203] [] ip6_output+0x326/0x1060
Oct 8 00:23:14 lphh23 kernel: [27239.568206] [] ? ip6table_mangle_hook+0xbd/0x190
Oct 8 00:23:14 lphh23 kernel: [27239.568209] [] ? inet6_getname+0x130/0x130
Oct 8 00:23:14 lphh23 kernel: [27239.568212] [] ? ip6_finish_output+0xf20/0xf20
Oct 8 00:23:14 lphh23 kernel: [27239.568215] [] ip6_xmit+0x52d/0x5b6
Oct 8 00:23:14 lphh23 kernel: [27239.568217] [] ? ip6_call_ra_chain+0xc9/0xc9
Oct 8 00:23:14 lphh23 kernel: [27239.568220] [] ? tcp_ack+0x60d/0x3290
Oct 8 00:23:14 lphh23 kernel: [27239.568223] [] inet6_csk_xmit+0x181/0x2b0
Oct 8 00:23:14 lphh23 kernel: [27239.568225] [] tcp_send_ack+0x6f5/0xdf0
Oct 8 00:23:14 lphh23 kernel: [27239.568229] [] tcp_rcv_state_process+0x8a1/0x2630
Oct 8 00:23:14 lphh23 kernel: [27239.568231] [] tcp_v6_do_rcv+0x13b/0x340
Oct 8 00:23:14 lphh23 kernel: [27239.568234] [] release_sock+0xec/0x180
Oct 8 00:23:14 lphh23 kernel: [27239.568237] [] __inet_stream_connect+0x1ef/0x2f0
Oct 8 00:23:14 lphh23 kernel: [27239.568240] [] ? __wake_up_locked_key+0x70/0x70
Oct 8 00:23:14 lphh23 kernel: [27239.568243] [] inet_stream_connect+0x3b/0x60
Oct 8 00:23:14 lphh23 kernel: [27239.568249] [] SYSC_connect+0x84/0xc0
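
Added example (not part of the original mail, and not kernel code): a userspace C model of the failure described above, where a get on a reference count that has already reached zero lets the following put run the release a second time. All names (model_ref, model_get_many, model_get_many_checked, model_put) are hypothetical, and refusing the reference in the checked variant is an assumption of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical. */
struct model_ref {
    long count;     /* outstanding references */
    int releases;   /* times the release hook ran; more than 1 is the bug */
};

/* Unchecked get: the plain "add nr to count" quoted in the mail. */
static void model_get_many(struct model_ref *r, long nr) { r->count += nr; }

/* Debug variant: a get on a count that already reached zero is flagged.
 * Refusing the reference as well is an assumption of this model. */
static bool model_get_many_checked(struct model_ref *r, long nr)
{
    if (r->count <= 0)
        return false;   /* this is where a debug check would fire */
    r->count += nr;
    return true;
}

/* Put: the release hook runs whenever the count drops to zero. */
static void model_put(struct model_ref *r)
{
    if (--r->count == 0)
        r->releases++;
}

/* Last reference dropped, then a late path takes and drops one more. */
static int releases_after_late_get(bool checked)
{
    struct model_ref r = { .count = 1 };
    model_put(&r);                          /* 1 -> 0, release #1 */
    if (!checked) {
        model_get_many(&r, 1);              /* 0 -> 1 on a dead object */
        model_put(&r);                      /* 1 -> 0, release #2 */
    } else if (model_get_many_checked(&r, 1)) {
        model_put(&r);                      /* not reached: get refused */
    }
    return r.releases;
}

int main(void)
{
    printf("unchecked: %d, checked: %d\n",
           releases_after_late_get(false), releases_after_late_get(true));
    return 0;
}
```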