Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp285578ybg; Sun, 26 Jul 2020 04:35:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw+MX6LKmWDg815eJY+teKMRM+mdD/DZ+TU7SzCd7FJphO+iyXDv1d4LxsYDaIb4lVwk3Lr X-Received: by 2002:a05:6402:1d0a:: with SMTP id dg10mr16168346edb.110.1595763319235; Sun, 26 Jul 2020 04:35:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595763319; cv=none; d=google.com; s=arc-20160816; b=tdeHmO1Q3PGTuhLbRLoVjvp4mxbH/HD6sj/I3uRIHPKCsi8LE1nH5qsDMAUthtcCiU uUs+0ekW4/Og9ErYZSD3/CpMx/z/we9QPX2DSXON6HD+12DXMemjEokvZ1k96RkQaBt7 Dm6IFnEoIWGBRRYfRf1BjdOstKOTssZupydDN8mdImKZofQ9FLUKANupona08E1uU0ln /A9BZ9Z+lojHxOL1s6dUGH+fdPIw3qzNZ7pY5ylaoVN7n1WN7gvgTIlP4Z30bFEwgiEH Y4bt1+TRWZUvhvP5fjWjVoDg3i5Bv3PrzOcCmyd1rqlAgaNA4G9dZtG6NplMdMrDz/gs hvFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:message-id :user-agent:references:in-reply-to:subject:cc:to:from:date :mime-version:dkim-signature; bh=Qb2TCMYxY7BR4BMmQM5x3ulbNhE6P2tR4EJMVyVxQBA=; b=nh5GwwFlvVqmI9SbYSN7TyzFCKQGVHzcOjXa5eewRDM96CqXhgLzIaRmmZ1Jgy943T aSalIG+VYYfnVh0BCJS3W9nUeNjvn7cg1yIBCoI7ilPTuJ8W7uwhhHS4L42b7p+nFcJH mZKJ5aQAJGWfz1A1xGxOmoLn5Cnc37V5ARZm9vWlA0WxADVywirk6aobZY13VGqu8Gq4 3XTKau1XM/QHpCyeWXe1Xd895sJEkMk5Iljn5B1VcaYiGY5d8KW1Gr/R05D20HdylgS0 YgfAfPNKrPZnilvGHHbgYOatU0WW+m/krPNd/W6YYznNh0gm6u/OHaVNk+qimfO8sTLh A1lQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@natalenko.name header.s=dkim-20170712 header.b="u+fD/NYy"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=natalenko.name Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z5si3620081eje.126.2020.07.26.04.34.56; Sun, 26 Jul 2020 04:35:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@natalenko.name header.s=dkim-20170712 header.b="u+fD/NYy"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=natalenko.name Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726839AbgGZLbr (ORCPT + 99 others); Sun, 26 Jul 2020 07:31:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725794AbgGZLbr (ORCPT ); Sun, 26 Jul 2020 07:31:47 -0400 Received: from vulcan.natalenko.name (vulcan.natalenko.name [IPv6:2001:19f0:6c00:8846:5400:ff:fe0c:dfa0]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D9BDBC0619D2 for ; Sun, 26 Jul 2020 04:31:46 -0700 (PDT) Received: from mail.natalenko.name (vulcan.natalenko.name [IPv6:fe80::5400:ff:fe0c:dfa0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by vulcan.natalenko.name (Postfix) with ESMTPSA id 9B4847D9EF6; Sun, 26 Jul 2020 13:31:37 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natalenko.name; s=dkim-20170712; t=1595763097; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Qb2TCMYxY7BR4BMmQM5x3ulbNhE6P2tR4EJMVyVxQBA=; b=u+fD/NYy+SDz2yG8qW86qEqb2wXH18wrztBRd5H+UuYTN5leLNkxRC8MW392wWohJXewJD FviVzx8MQIeWFeW5o9143NcbCvrbFbMIshj8C6WKM7UtDk6QD9cqFKOhJWRxHU4xyZlymI wjCRW7Hxcq7kHDiNHi+gSFGC2Pu+COQ= MIME-Version: 1.0 Date: Sun, 26 Jul 2020 13:31:37 +0200 From: Oleksandr Natalenko To: Dmitry Monakhov Cc: linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, axboe@kernel.dk, paolo.valente@linaro.org Subject: Re: [PATCH] block: bfq fix blkio cgroup leakage v2 In-Reply-To: <20200720170411.21250-1-dmtrmonakhov@yandex-team.ru> References: <20200720170411.21250-1-dmtrmonakhov@yandex-team.ru> User-Agent: Roundcube Webmail/1.4.7 Message-ID: <6422992afade0015d817a65c124e0c75@natalenko.name> X-Sender: oleksandr@natalenko.name Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello. On 20.07.2020 19:04, Dmitry Monakhov wrote: > commit db37a34c563b ("block, bfq: get a ref to a group when adding it > to a service tree") > introduce leak forbfq_group and blkcg_gq objects because of get/put > imbalance. See trace balow: > -> blkg_alloc > -> bfq_pq_alloc > -> bfqg_get (+1) > ->bfq_activate_bfqq > ->bfq_activate_requeue_entity > -> __bfq_activate_entity > ->bfq_get_entity > ->bfqg_and_blkg_get (+1) <==== : Note1 > ->bfq_del_bfqq_busy > ->bfq_deactivate_entity+0x53/0xc0 [bfq] > ->__bfq_deactivate_entity+0x1b8/0x210 [bfq] > -> bfq_forget_entity(is_in_service = true) > entity->on_st_or_in_serv = false <=== :Note2 > if (is_in_service) > return; ==> do not touch reference > -> blkcg_css_offline > -> blkcg_destroy_blkgs > -> blkg_destroy > -> bfq_pd_offline > -> __bfq_deactivate_entity > if (!entity->on_st_or_in_serv) /* true, because (Note2) > return false; > -> bfq_pd_free > -> bfqg_put() (-1, byt bfqg->ref == 2) because of (Note2) > So bfq_group and blkcg_gq will leak forever, see test-case below. > > We should drop group reference once it finaly removed from service > inside __bfq_bfqd_reset_in_service, as we do with queue entities. > > ##TESTCASE_BEGIN: > #!/bin/bash > > max_iters=${1:-100} > #prep cgroup mounts > mount -t tmpfs cgroup_root /sys/fs/cgroup > mkdir /sys/fs/cgroup/blkio > mount -t cgroup -o blkio none /sys/fs/cgroup/blkio > > # Prepare blkdev > grep blkio /proc/cgroups > truncate -s 1M img > losetup /dev/loop0 img > echo bfq > /sys/block/loop0/queue/scheduler > > grep blkio /proc/cgroups > for ((i=0;i do > mkdir -p /sys/fs/cgroup/blkio/a > echo 0 > /sys/fs/cgroup/blkio/a/cgroup.procs > dd if=/dev/loop0 bs=4k count=1 of=/dev/null iflag=direct 2> > /dev/null > echo 0 > /sys/fs/cgroup/blkio/cgroup.procs > rmdir /sys/fs/cgroup/blkio/a > grep blkio /proc/cgroups > done > ##TESTCASE_END: > > Signed-off-by: Dmitry Monakhov > --- > block/bfq-wf2q.c | 23 +++++++++++++---------- > 1 file changed, 13 insertions(+), 10 deletions(-) > > diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c > index 8113138..93b236c 100644 > --- a/block/bfq-wf2q.c > +++ b/block/bfq-wf2q.c > @@ -635,14 +635,10 @@ static void bfq_idle_insert(struct > bfq_service_tree *st, > * @entity: the entity being removed. > * @is_in_service: true if entity is currently the in-service entity. > * > - * Forget everything about @entity. In addition, if entity represents > - * a queue, and the latter is not in service, then release the service > - * reference to the queue (the one taken through bfq_get_entity). In > - * fact, in this case, there is really no more service reference to > - * the queue, as the latter is also outside any service tree. If, > - * instead, the queue is in service, then __bfq_bfqd_reset_in_service > - * will take care of putting the reference when the queue finally > - * stops being served. > + * Forget everything about @entity. If entity is not in service, then > release > + * the service reference to the entity (the one taken through > bfq_get_entity). > + * If the entity is in service, then __bfq_bfqd_reset_in_service will > take care > + * of putting the reference when the entity finally stops being > served. > */ > static void bfq_forget_entity(struct bfq_service_tree *st, > struct bfq_entity *entity, > @@ -1626,9 +1622,16 @@ bool __bfq_bfqd_reset_in_service(struct bfq_data > *bfqd) > * execute the final step: reset in_service_entity along the > * path from entity to the root. > */ > - for_each_entity(entity) > + for_each_entity(entity) { > entity->sched_data->in_service_entity = NULL; > - > + /* > + * Release bfq_groups reference if it was not released in > + * bfq_forget_entity, which was taken in bfq_get_entity. > + */ > + if (!bfq_entity_to_bfqq(entity) && !entity->on_st_or_in_serv) > + bfqg_and_blkg_put(container_of(entity, struct bfq_group, > + entity)); > + } > /* > * in_serv_entity is no longer in service, so, if it is in no > * service tree either, then release the service reference to As reported by one of my customers, this patch causes the following crash: [1] [1] http://pix.academ.info/images/img/2020/07/26/52d097c02b6061657443bba92de75e8a.jpg -- Oleksandr Natalenko (post-factum)