From: Muchun Song
Date: Tue, 23 Mar 2021 17:18:08 +0800
Subject: Re: [External] Re: [PATCH v5 1/7] mm: memcontrol: slab: fix obtain a reference to a freeing memcg
To: Johannes Weiner
Cc: Roman Gushchin, Michal Hocko, Andrew Morton, Shakeel Butt, Vladimir Davydov, LKML, Linux Memory Management List, Xiongchun duan
List-ID: linux-kernel@vger.kernel.org
References: <20210319163821.20704-1-songmuchun@bytedance.com> <20210319163821.20704-2-songmuchun@bytedance.com>

On Mon, Mar 22, 2021 at 10:46 PM Johannes Weiner wrote:
>
> On Sat, Mar 20, 2021 at 12:38:14AM +0800, Muchun Song wrote:
> > The rcu_read_lock/unlock can only guarantee that the memcg will not be
> > freed, but it cannot guarantee the success of css_get (which is in the
> > refill_stock when cached memcg changed) to memcg.
> >
> >   rcu_read_lock()
> >   memcg = obj_cgroup_memcg(old)
> >   __memcg_kmem_uncharge(memcg)
> >     refill_stock(memcg)
> >       if (stock->cached != memcg)
> >         // css_get can change the ref counter from 0 back to 1.
> >         css_get(&memcg->css)
> >   rcu_read_unlock()
> >
> > This fix is very like the commit:
> >
> >   eefbfa7fd678 ("mm: memcg/slab: fix use after free in obj_cgroup_charge")
> >
> > Fix this by holding a reference to the memcg which is passed to the
> > __memcg_kmem_uncharge() before calling __memcg_kmem_uncharge().
> >
> > Fixes: 3de7d4f25a74 ("mm: memcg/slab: optimize objcg stock draining")
> > Signed-off-by: Muchun Song
> > Acked-by: Johannes Weiner
>
> Good catch! Did you trigger the WARN_ON() in
> percpu_ref_kill_and_confirm() during testing?

No. The race window is very small, it should be difficult to trigger.
When I reviewed the code here, I suddenly realized that there might be
a problem here. Very coincidental.

Thanks.
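As an added illustration, not code from this thread or from the kernel, here is a constructed C model of the race in the quoted description: RCU keeps the memcg's memory valid inside the read-side section, but nothing stops its refcount from reaching zero first, so the unconditional css_get() in refill_stock() can lift a dying object from 0 back to 1. The names css_get, css_tryget, css_put and refill_stock are simplified stand-ins (a plain int instead of a percpu_ref), and using a tryget to obtain the reference "before calling __memcg_kmem_uncharge()" is an assumption about how that reference is taken; objcg reparenting is not modelled.

```c
#include <stdbool.h>
/* Constructed model of the race in the quoted patch (not kernel code).
 * RCU keeps the object's memory valid inside a read-side section, but
 * does nothing to keep its refcount above zero. */
struct css {
    int refcnt;   /* 0: the last put already happened, object is dying */
    bool warned;  /* models the WARN_ON() a 0 -> 1 increment triggers */
};
static void css_get(struct css *c)     /* legal only if caller holds a ref */
{
    if (c->refcnt == 0) c->warned = true;   /* 0 -> 1: the WARN_ON case */
    c->refcnt++;
}
/* Conditional get: fails instead of resurrecting a dying object. */
static bool css_tryget(struct css *c)
{
    if (c->refcnt == 0) return false;
    c->refcnt++;
    return true;
}
static void css_put(struct css *c) { c->refcnt--; }
/* Stand-in for refill_stock(): the stock caches memcg and takes a ref. */
static void refill_stock(struct css *memcg) { css_get(memcg); }
/* Buggy drain: only rcu_read_lock() protects memcg, as in the quoted code. */
bool drain_buggy(struct css *memcg)
{
    refill_stock(memcg);    /* css_get() may run on a refcnt of 0 */
    return memcg->warned;
}
/* Fixed drain: pin memcg before the uncharge; a dying memcg is skipped. */
bool drain_fixed(struct css *memcg)
{
    if (!css_tryget(memcg))
        return memcg->warned;
    refill_stock(memcg);
    css_put(memcg);         /* the stock keeps its own ref; drop ours */
    return memcg->warned;
}
/* Scenario: the memcg's last reference was dropped just before the drain. */
bool buggy_path_warns(void)
{
    struct css dying = { 0, false };
    return drain_buggy(&dying);           /* true: WARN_ON condition hit */
}
bool fixed_path_stays_clean(void)
{
    struct css dying = { 0, false };
    return !drain_fixed(&dying) && dying.refcnt == 0;
}
```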